MSIL/Agent.ARP [Threat Name] go to Threat

MSIL/Agent.ARP [Threat Variant Name]

Category trojan
Size 328704 B
Detection created Feb 02, 2017
Signature database version 14872
Aliases MSIL:GenMalicious-IW.[Trj] (Avast)
  HEUR:Trojan.Win32.Generic (Kaspersky)
Short description

The trojan serves as a backdoor. It can be controlled remotely.

Installation

When executed, the trojan copies itself into the following location:

  • %variable1%\­%variable2%.exe

%variable1%, %variable2% represents information sent by remote machine (on request).


In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "%variable2%" = "%variable1%\­%variable2%.exe"

The trojan may create the following files:

  • %startup%\­%variable2%.lnk

The file is a shortcut to a malicious file.


This way the trojan ensures that the file is executed on every system start.

Information stealing

The trojan collects the following information:

  • user name
  • computer name
  • external IP address of the network device
  • list of files/folders on a specific drive
  • installed antivirus software
  • information about the operating system and system settings
  • hardware information

The trojan attempts to send gathered information to a remote machine.

Payload information

The trojan acquires data and commands from a remote computer or the Internet.


The trojan contains a URL address. The HTTP protocol is used in the communication.


It may perform the following actions:

  • download files from a remote computer and/or the Internet
  • upload files to a remote computer
  • various file system operations
  • run executable files
  • execute shell commands
  • capture screenshots
  • terminate running processes
  • send gathered information

Trojan may remove itself from the infected computer.

Please enable Javascript to ensure correct displaying of this content and refresh this page.