Threat Encyclopedia


Win32/Agent.RKS

Aliases: Trojan.Win32.Inject.asfy (Kaspersky), Trojan:Win32/Lodap!rts (Microsoft), TROJ_INJECT.VTG (TrendMicro)
Type of infiltration: Trojan
Size: 18432 B
Affected platforms: Microsoft Windows
Signature database version: 5295 (20100720)

Short description

Win32/Agent.RKS is a trojan which tries to download other malware from the Internet.

Installation

When executed, the trojan creates the following files:
  • %appdata%\{%variable%}\ntuser.cpl (12032 B)
  • %appdata%\{%variable%}\desktop.ini
A string with variable content is used instead of %variable%.

The trojan executes the following command:
  • rundll32.exe "%appdata%\{%variable%}\ntuser.cpl",_4CDFA75B

The following Registry entries are created:
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "{%variable%}" = "rundll32 "%APPDATA%\{%variable%}\ntuser.cpl",_4CDFA75B"

Other information

The trojan may set the following Registry entries:
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\LowRegistry]
    "ms-ldr" = "%malwarepath%"

The trojan creates and runs a new thread with its own program code in all running processes.

The trojan checks for Internet connectivity by trying to connect to the following addresses:
  • www.microsoft.com
The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a URL address. The trojan can download and execute a file from the Internet. The HTTP protocol is used.
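
The RunOnce entry listed under Installation can be checked for on a host by parsing the output of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce`. The following is an added example, not part of the original entry or of any vendor tool; the function name, the `{EXAMPLE-000x}` strings and the sample output are constructed, and the comparison of value name against folder name assumes both use the same variable string, so it is reported rather than required.

```python
import re

# Constructed sample of `reg query` output for the RunOnce key (not real telemetry).
SAMPLE = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
    {EXAMPLE-0001}    REG_SZ    rundll32 "C:\Users\alice\AppData\Roaming\{EXAMPLE-0001}\ntuser.cpl",_4CDFA75B
    Updater    REG_SZ    "C:\Program Files\Vendor\update.exe" /silent
    {EXAMPLE-0002}    REG_SZ    rundll32.exe "%APPDATA%\{EXAMPLE-0002}\ntuser.cpl",_4CDFA75B
    Panel    REG_SZ    rundll32.exe shell32.dll,Control_RunDLL "C:\Windows\System32\desk.cpl"
"""

# reg query prints each value as: 4 spaces, name, 4 spaces, type, 4 spaces, data.
VALUE_LINE = re.compile(r"^\s{4}(?P<name>.+?)\s{4}(?P<type>REG_\w+)\s{4}(?P<data>.*)$")
# rundll32 given a quoted module path followed by ",<export>".
LAUNCH = re.compile(
    r'^rundll32(?:\.exe)?\s+"(?P<path>[^"]+)"\s*,\s*(?P<export>\S+)$', re.IGNORECASE)
# ntuser.cpl inside a brace-named folder directly under the roaming AppData directory,
# either expanded or still written as %APPDATA%.
CPL_PATH = re.compile(
    r'(?:%appdata%|\\appdata\\roaming)\\(?P<folder>\{[^\\}]*\})\\ntuser\.cpl$',
    re.IGNORECASE)


def find_matches(reg_query_output):
    """Return RunOnce values whose data matches the launch pattern in this entry."""
    hits = []
    for line in reg_query_output.splitlines():
        value = VALUE_LINE.match(line)
        if not value:
            continue  # key header or blank line
        launch = LAUNCH.match(value["data"].strip())
        if not launch:
            continue
        cpl = CPL_PATH.search(launch["path"])
        if not cpl:
            continue
        hits.append({
            "value": value["name"],
            "path": launch["path"],
            "export": launch["export"],
            # Export name exactly as given in this entry.
            "export_matches_page": launch["export"] == "_4CDFA75B",
            # Assumption: value name and folder share the same variable string.
            "name_matches_folder": value["name"].lower() == cpl["folder"].lower(),
        })
    return hits


if __name__ == "__main__":
    for hit in find_matches(SAMPLE):
        print(hit)
```
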