MSIL/Agent.ARP [Threat Name]
MSIL/Agent.ARP [Threat Variant Name]
|Detection created|Feb 02, 2017|
|Signature database version|14872|
The trojan serves as a backdoor. It can be controlled remotely.
When executed, the trojan copies itself into the following location:
%variable1% and %variable2% represent information sent by the remote machine (on request).
In order to be executed on every system start, the trojan sets the following Registry entry:
- "%variable2%" = "%variable1%\%variable2%.exe"
The trojan may create the following files:
The file is a shortcut to a malicious file.
This way the trojan ensures that the file is executed on every system start.
The trojan collects the following information:
- user name
- computer name
- external IP address of the network device
- list of files/folders on a specific drive
- installed antivirus software
- information about the operating system and system settings
- hardware information
The trojan attempts to send gathered information to a remote machine.
The trojan acquires data and commands from a remote computer or the Internet.
The trojan contains a URL address. The HTTP protocol is used in the communication.
It may perform the following actions:
- download files from a remote computer and/or the Internet
- upload files to a remote computer
- various file system operations
- run executable files
- execute shell commands
- capture screenshots
- terminate running processes
- send gathered information
The trojan may remove itself from the infected computer.