Threat Encyclopedia


Win32/Agent.RIZ

Aliases: Trojan.ADH (Symantec), Trojan.Inject.8954 (Dr. Web), Troj/Bdoor-AZG (Sophos)
Type of infiltration: Trojan
Size: 18752 B
Affected platforms: Microsoft Windows
Signature database version: 5240 (20100630)

Short description

Win32/Agent.RIZ is a trojan which tries to download other malware from the Internet.

Installation

The trojan does not create any copies of itself.

Other information

The trojan contains a URL. It tries to download the other part of the infiltration from that address over HTTP.

The file is stored in the following location:
  • %windir%\system32\drivers\viddev.inf
Installs the following system drivers:
  • %windir%\system32\drivers\viddev.inf
The following Registry entries are set:
  • [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\viddev]
    "Type" = 1
    "ErrorControl" = 0
    "Start" = 1
    "Data" = %random%
    "ImagePath" = "%windir%\system32\drivers\viddev.inf"
A string with variable content is used instead of %random%.

This causes the trojan to be executed on every system start.
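The service key above is the persistence point to check for during triage. The script below is an added example, not part of the ESET entry: it walks HKLM\SYSTEM\CurrentControlSet\Services and flags entries that match the pattern described (a kernel-driver service, Type 1, whose image is not a .sys file, started at every boot with Start = 1, carrying an unexpected "Data" value, or named viddev). It assumes it is run in an elevated PowerShell session on the host under review; the function name and the scoring rules are the editor's own.

```powershell
# Added example (not from the ESET entry): audit service keys for the
# persistence pattern used by Win32/Agent.RIZ. Run elevated.
$servicesRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Get-SuspiciousServiceEntries {
    param([string]$Root = $servicesRoot)

    Get-ChildItem -Path $Root -ErrorAction SilentlyContinue | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        if (-not $p -or -not $p.ImagePath) { return }

        # Expand %windir% and friends so the path can be inspected on disk later.
        $image = [Environment]::ExpandEnvironmentVariables([string]$p.ImagePath).Trim('"')

        $reasons = @()
        # Type 1 = SERVICE_KERNEL_DRIVER. A driver whose image is not a .sys
        # file is abnormal; this trojan registers an .inf as the driver image.
        if ($p.Type -eq 1 -and $image -notmatch '\.sys\s*$') {
            $reasons += 'kernel-driver service whose image is not a .sys file'
        }
        # Start 1 = SERVICE_SYSTEM_START: loaded on every boot.
        if ($p.Start -eq 1 -and $image -match '\.inf\s*$') {
            $reasons += 'boot-time start of an .inf image'
        }
        # Driver keys normally carry no "Data" value; this infiltration sets one.
        if ($null -ne $p.Data -and $image -match '\.inf\s*$') {
            $reasons += 'unexpected Data value on driver key'
        }
        # Direct match on the service name from the entry.
        if ($_.PSChildName -ieq 'viddev') {
            $reasons += 'service name matches Win32/Agent.RIZ indicator'
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Service   = $_.PSChildName
                ImagePath = $image
                Type      = $p.Type
                Start     = $p.Start
                Reasons   = ($reasons -join '; ')
            }
        }
    }
}

Get-SuspiciousServiceEntries | Format-Table -AutoSize
```

Any hit should be confirmed against the file named in ImagePath (hash, signature, creation time) rather than acted on from the registry value alone; a legitimate driver package can also leave an .inf path behind, but not as the image of a boot-start kernel service.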

The trojan creates and runs a new thread with its own program code within the following processes:
  • chrome.exe
  • csrsss.exe
  • explorer.exe
  • firefox.exe
  • iexplore.exe
  • lsass.exe
  • lsm.exe
  • opera.exe
  • outlook.exe
  • safari.exe
  • svchost.exe
  • thunderbird.exe
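The thread the trojan starts inside those processes is visible to endpoint telemetry as a remote-thread creation whose target is one of the listed images. The following is an added example, not part of the ESET entry: it filters Sysmon Event ID 8 (CreateRemoteThread) records for targets on the entry's process list and notes whether the thread starts in memory that no loaded module backs. The event records are constructed sample data; on a real host they would come from the Sysmon operational log (assumed here, not shown).

```powershell
# Added example (not from the ESET entry): match CreateRemoteThread records
# against the process names this trojan injects into. Sample events below
# are constructed for illustration.
$injectionTargets = @(
    'chrome.exe', 'csrsss.exe', 'explorer.exe', 'firefox.exe', 'iexplore.exe',
    'lsass.exe', 'lsm.exe', 'opera.exe', 'outlook.exe', 'safari.exe',
    'svchost.exe', 'thunderbird.exe'
)   # names copied from the entry as written

# Constructed Sysmon Event ID 8 style records (SourceImage, TargetImage, StartModule).
$sampleEvents = @(
    [pscustomobject]@{ Time = '2010-06-30T10:00:01'; SourceImage = 'C:\Users\Public\update.exe'
                       TargetImage = 'C:\Windows\explorer.exe';             StartModule = '' }
    [pscustomobject]@{ Time = '2010-06-30T10:00:02'; SourceImage = 'C:\Users\Public\update.exe'
                       TargetImage = 'C:\Windows\System32\lsass.exe';       StartModule = '' }
    [pscustomobject]@{ Time = '2010-06-30T10:00:03'; SourceImage = 'C:\Windows\System32\csrss.exe'
                       TargetImage = 'C:\Program Files\Mozilla Firefox\firefox.exe'
                       StartModule = 'C:\Windows\System32\ntdll.dll' }
    [pscustomobject]@{ Time = '2010-06-30T10:00:04'; SourceImage = 'C:\Windows\System32\svchost.exe'
                       TargetImage = 'C:\Windows\System32\wbem\WmiPrvSE.exe'
                       StartModule = 'C:\Windows\System32\kernel32.dll' }
)

function Find-InjectionIntoTargets {
    param([object[]]$Events, [string[]]$TargetNames)
    foreach ($e in $Events) {
        $name = [IO.Path]::GetFileName($e.TargetImage)
        # -contains compares case-insensitively in PowerShell.
        if ($TargetNames -notcontains $name) { continue }
        # An empty StartModule means the thread's start address is not inside
        # any loaded module, which is what a thread running injected code looks like.
        $unbacked = [string]::IsNullOrEmpty($e.StartModule)
        [pscustomobject]@{
            Time          = $e.Time
            Source        = $e.SourceImage
            Target        = $name
            UnbackedStart = $unbacked
        }
    }
}

$hits = Find-InjectionIntoTargets -Events $sampleEvents -TargetNames $injectionTargets
$hits | Format-Table -AutoSize

# Rank injecting images: one source touching several listed targets is the
# pattern this entry describes.
$hits | Where-Object UnbackedStart |
    Group-Object Source |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

On the constructed input the two events from update.exe are reported (both with an unbacked start), the ntdll-backed thread into firefox.exe is reported without that flag, and the WmiPrvSE.exe event is dropped because it is not on the list. Threads started from within ntdll or kernel32 can still be malicious, so the unbacked flag is a prioritisation aid, not a filter.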
The trojan will attempt to download several files from the Internet.

The trojan contains a list of 4 URLs.

The downloaded files contain encrypted executables.

After decryption, the trojan runs these files.