Win32/Agent.TUM [Threat Name]

Win32/Agent.TUM [Threat Variant Name]

Category: trojan
Size: 69700 B
Detection created: Jun 27, 2012
Detection database version: 10047
Aliases: Trojan-Dropper.Win32.Dapato.ccta (Kaspersky), TrojanDownloader:Win32/Recslurp.A (Microsoft)
Short description

The trojan serves as a backdoor and can be controlled remotely. The file is run-time compressed using UPX.

Installation

When executed, the trojan copies itself into some of the following locations:

  • %appdata%\csrss.exe
  • %appdata%\rundll32.exe
  • %appdata%\svchost.exe
  • %appdata%\System32\csrss.exe
  • %appdata%\System32\rundll32.exe
  • %appdata%\System32\svchost.exe

In order to be executed on every system start, the trojan sets the following Registry entries:

  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "Client Server Runtime Process" = "%malwarefilefolder%\csrss.exe"
    • "Host-process Windows (Rundll32.exe)" = "%malwarefilefolder%\rundll32.exe"
    • "Service Host Process for Windows" = "%malwarefilefolder%\svchost.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "Client Server Runtime Process" = "%malwarefilefolder%\csrss.exe"
    • "Host-process Windows (Rundll32.exe)" = "%malwarefilefolder%\rundll32.exe"
    • "Service Host Process for Windows" = "%malwarefilefolder%\svchost.exe"

The following Registry entries (the Windows Firewall list of authorized applications) are set:

  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    • "Client Server Runtime Process" = "%malwarefilefolder%\csrss.exe"
    • "Host-process Windows (Rundll32.exe)" = "%malwarefilefolder%\rundll32.exe"
    • "Service Host Process for Windows" = "%malwarefilefolder%\svchost.exe"

The trojan terminates its execution if it detects that it's running in a specific virtual environment.

After the installation is complete, the trojan deletes the original executable file.

Other information

The trojan checks for Internet connectivity by trying to connect to the following servers:

  • smtp.live.com:25
  • smtp.mail.ru:25

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a list of 4 URLs. The TCP protocol is used.

The following information is collected:

  • operating system version

It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • set up a proxy server
  • send gathered information

The trojan keeps various information in the following Registry key:

  • [HKEY_CURRENT_USER\SOFTWARE\BC Clients]
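The file locations, Run entries and firewall whitelist values listed under Installation, together with the "BC Clients" configuration key above, are host-based indicators a responder can check directly. The following PowerShell script is an added example, not part of the ESET write-up, that reads each of those locations and reports any match. It assumes only the paths and value names given on this page; the `%malwarefilefolder%` placeholder is not resolved, the script instead looks for the three dropped file names under `%APPDATA%` and `%APPDATA%\System32`. It is read-only and changes nothing.

```powershell
# Added example (not ESET's code): hunt for Win32/Agent.TUM persistence and
# configuration artifacts on a Windows host. Reports only; makes no changes.

# Value names the trojan writes under the Run keys and the firewall list (from the write-up)
$valueNames = @(
    'Client Server Runtime Process',
    'Host-process Windows (Rundll32.exe)',
    'Service Host Process for Windows'
)

# File names the trojan drops into %APPDATA% and %APPDATA%\System32 (from the write-up)
$fileNames = 'csrss.exe', 'rundll32.exe', 'svchost.exe'

# Registry keys from the write-up: two Run keys plus the XP-era firewall
# authorized-applications list
$registryKeys = @(
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
)

$findings = @()

# 1. Dropped copies. A genuine csrss.exe / svchost.exe / rundll32.exe lives in
#    %SystemRoot%\System32; any copy under %APPDATA% is suspicious on its own.
foreach ($dir in @($env:APPDATA, (Join-Path $env:APPDATA 'System32'))) {
    foreach ($name in $fileNames) {
        $path = Join-Path $dir $name
        if (Test-Path -LiteralPath $path -PathType Leaf) {
            $findings += [pscustomobject]@{
                Type     = 'File'
                Location = $path
                Detail   = "size=$((Get-Item -LiteralPath $path).Length) B"
            }
        }
    }
}

# 2. Run keys and firewall whitelist: look for the three value names
foreach ($key in $registryKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $props = Get-ItemProperty -LiteralPath $key
    foreach ($valueName in $valueNames) {
        $prop = $props.PSObject.Properties[$valueName]
        if ($null -ne $prop) {
            $findings += [pscustomobject]@{
                Type     = 'Registry'
                Location = "$key\$valueName"
                Detail   = $prop.Value
            }
        }
    }
}

# 3. Configuration key the trojan uses to store its data
$configKey = 'HKCU:\SOFTWARE\BC Clients'
if (Test-Path -LiteralPath $configKey) {
    $findings += [pscustomobject]@{
        Type     = 'Registry'
        Location = $configKey
        Detail   = '(key present)'
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Win32/Agent.TUM artifacts found.'
} else {
    $findings | Format-Table -AutoSize
}
```

Run it in an elevated PowerShell session so the HKLM keys are readable on all configurations, and treat any hit in section 1 as high confidence: the three file names mimic core Windows processes, which never execute from a user's roaming profile. The value names in section 2 are specific to this family as documented here, so a match there is likewise a strong signal, while the absence of "BC Clients" only means the sample has not yet stored its state.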
