Threat name: MSIL/Agent.ARP
Threat variant name: MSIL/Agent.ARP
Category | trojan
Size | 328704 B
Detection created | Feb 02, 2017
Detection database version | 14872
Aliases | MSIL:GenMalicious-IW.[Trj] (Avast), HEUR:Trojan.Win32.Generic (Kaspersky)
Short description
The trojan serves as a backdoor. It can be controlled remotely.
Installation
When executed, the trojan copies itself into the following location:
- %variable1%\%variable2%.exe
%variable1% and %variable2% represent information sent by the remote machine (on request).
In order to be executed on every system start, the trojan sets the following Registry entry:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
- "%variable2%" = "%variable1%\%variable2%.exe"
The trojan may create the following files:
- %startup%\%variable2%.lnk
The file is a shortcut to a malicious file.
This way the trojan ensures that the file is executed on every system start.
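A defensive check for the two persistence artefacts described above, added here as an example and not part of the original description: it enumerates the HKLM Run key and the Startup folders and reports any Run value whose name and target line up with a Startup shortcut the way the description lays out. It assumes PowerShell with rights to read HKLM; the function name Find-RunStartupPair is my own.

```powershell
# Added detection example (not from the original description). Lists HKLM Run values
# whose command is <dir>\<Name>.exe and which also have a Startup-folder <Name>.lnk
# pointing at the same executable, i.e. the persistence pattern described above.
function Find-RunStartupPair {
    $runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $metaProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    $startupDirs = @(
        [Environment]::GetFolderPath('Startup'),        # current user's Startup folder
        [Environment]::GetFolderPath('CommonStartup')   # all-users Startup folder
    )

    # Run key values as Name/Command pairs (registry metadata properties skipped)
    $runEntries = @()
    $props = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($props) {
        foreach ($p in $props.PSObject.Properties) {
            if ($metaProps -contains $p.Name) { continue }
            $runEntries += [pscustomobject]@{ Name = $p.Name; Command = [string]$p.Value }
        }
    }

    # Resolve every Startup .lnk to its target path via the WScript.Shell COM object
    $shell = New-Object -ComObject WScript.Shell
    $lnkEntries = foreach ($dir in $startupDirs) {
        Get-ChildItem -Path $dir -Filter '*.lnk' -ErrorAction SilentlyContinue |
            ForEach-Object {
                [pscustomobject]@{
                    Name     = $_.BaseName
                    Target   = $shell.CreateShortcut($_.FullName).TargetPath
                    Shortcut = $_.FullName
                }
            }
    }

    foreach ($r in $runEntries) {
        # Strip surrounding quotes; a command with extra arguments will not match,
        # which is intended: the description shows a bare executable path.
        $exe = $r.Command.Trim('"')
        if ([IO.Path]::GetFileNameWithoutExtension($exe) -ne $r.Name) { continue }
        # String -eq in PowerShell is case-insensitive, matching Windows path semantics
        $hits = $lnkEntries | Where-Object { $_.Name -eq $r.Name -and $_.Target -eq $exe }
        foreach ($h in $hits) {
            [pscustomobject]@{ RunValue = $r.Name; Executable = $exe; Shortcut = $h.Shortcut }
        }
    }
}

Find-RunStartupPair | Format-Table -AutoSize
```

A legitimate installer can produce the same Run-value and Startup-shortcut pairing, so treat hits as leads to verify (file hash, signature, detection by the engine) rather than as confirmed infections.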
Information stealing
The trojan collects the following information:
- user name
- computer name
- external IP address of the network device
- list of files/folders on a specific drive
- installed antivirus software
- information about the operating system and system settings
- hardware information
The trojan attempts to send gathered information to a remote machine.
Payload information
The trojan acquires data and commands from a remote computer or the Internet.
The trojan contains a URL address. The HTTP protocol is used in the communication.
It may perform the following actions:
- download files from a remote computer and/or the Internet
- upload files to a remote computer
- various file system operations
- run executable files
- execute shell commands
- capture screenshots
- terminate running processes
- send gathered information
The trojan may remove itself from the infected computer.