Win32/Agent.PTA [Threat Name]

Win32/Agent.PTA [Threat Variant Name]

Category trojan
Size 129024 B
Detection created Jul 03, 2009
Signature database version 4213
Short description

The trojan serves as a backdoor. It can be controlled remotely.

Installation

When executed, the trojan copies itself into the following location:

  • %localappdata%\%variable%\juschedg.exe

A string with variable content is used instead of %variable%.


In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "5HB8CEF8-849D-4D51-9B62-AD6468477BB--%variable%" = "%localappdata%\%variable%\juschedg.exe"

The trojan may create the following files:

  • %localappdata%\%variable%\cf_.bin
  • %localappdata%\Apps\conhostd.exe
  • %localappdata%\%variable%\tservice.exe

The trojan may set the following Registry entries:

  • [HKEY_CURRENT_USER\Software\TightVNC\Server]
    • "AcceptHttpConnections" = 0
    • "AcceptRfbConnections" = 1
    • "AllowLoopback" = 1
    • "LoopbackOnly" = 1
    • "RemoveWallpaper" = 0
    • "RfbPort" = 37390
    • "AlwaysShared" = 1
    • "NeverShared" = 0
    • "UseVncAuthentication" = 0
    • "RunControlInterface" = 0

The trojan creates and runs a new thread with its own program code in all running processes.
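A defender-side check over a registry export, added here as an example and not ESET's own code: it parses a constructed `.reg` dump and flags the two persistence and configuration indicators listed above, a Run value launching `juschedg.exe` from a subfolder of %localappdata% and a TightVNC server key with VNC authentication switched off on port 37390. The sample export, the benign OneDrive entry and the folder name `k3ds` standing in for %variable% are constructed.

```python
import re

# Constructed sample of a "reg export" of HKCU (not taken from the page).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"
"5HB8CEF8-849D-4D51-9B62-AD6468477BB--k3ds"="%localappdata%\\k3ds\\juschedg.exe"

[HKEY_CURRENT_USER\Software\TightVNC\Server]
"AcceptRfbConnections"=dword:00000001
"LoopbackOnly"=dword:00000001
"RfbPort"=dword:0000920e
"UseVncAuthentication"=dword:00000000
'''

RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
VNC_KEY = r"HKEY_CURRENT_USER\Software\TightVNC\Server"

# Path shape from the page: <localappdata>\<variable folder>\juschedg.exe
JUSCHEDG_RE = re.compile(r"(%localappdata%|\\AppData\\Local)\\[^\\]+\\juschedg\.exe", re.IGNORECASE)


def parse_reg(text):
    """Minimal .reg parser: returns {key_path: {value_name: value}}.
    dword values become ints; string values are unescaped ("\\\\" -> "\\")."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None:
            m = re.match(r'^"(.*?)"=(.*)$', line)
            if not m:
                continue
            name, val = m.group(1), m.group(2)
            if val.startswith("dword:"):
                keys[current][name] = int(val[6:], 16)
            else:
                keys[current][name] = val.strip('"').replace("\\\\", "\\")
    return keys


def find_indicators(text):
    """Return a list of indicator labels found in a .reg export."""
    keys, hits = parse_reg(text), []
    for name, data in keys.get(RUN_KEY, {}).items():
        if JUSCHEDG_RE.search(data):          # Run value pointing at juschedg.exe
            hits.append(f"run-key:{name}")
    vnc = keys.get(VNC_KEY, {})
    if vnc.get("UseVncAuthentication") == 0 and vnc.get("RfbPort") == 37390:
        hits.append("tightvnc:noauth-port-37390")  # VNC auth off on the page's port
    return hits
```

Run `find_indicators(SAMPLE_REG)` to see both labels; a clean export returns an empty list.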

Information stealing

Win32/Agent.PTA is a trojan that steals sensitive information.


The trojan collects the following information:

  • hardware information
  • MAC address
  • CPU information
  • user name
  • list of running processes

The trojan collects sensitive information when the user browses certain websites.


The following programs are affected:

  • Internet Explorer
  • Mozilla Firefox

The trojan can send the information to a remote machine.

Other information

The trojan acquires data and commands from a remote computer or the Internet.


The trojan contains a list of 2 URLs. Communication uses the HTTP protocol over Tor hidden services.


It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • update itself to a newer version
  • monitor network traffic
  • block access to specific websites
  • set up a proxy server

The trojan hooks the following Windows APIs:

  • HttpOpenRequestA (wininet.dll)
  • HttpSendRequestW (wininet.dll)
  • InternetReadFile (wininet.dll)
  • InternetReadFileExA (wininet.dll)
  • InternetQueryDataAvailable (wininet.dll)
  • PR_Read (nspr4.dll)
  • PR_Write (nspr4.dll)
