Win32/Agent.YUL [Threat Name] go to Threat

Win32/Agent.YUL [Threat Variant Name]

Category trojan
Size 264704 B
Detection created Apr 12, 2017
Detection database version 15246
Aliases Trojan.MSIL.Agent.fpgi (Kaspersky)
  Trojan.DownLoader24.46571 (Dr.Web)
Short description

The trojan serves as a backdoor. It can be controlled remotely.


When executed, the trojan copies itself into the following location:

  • %startup%\­app.exe

This causes the trojan to be executed on every system start.

In order to be executed on system start, the trojan sets the following Registry entry:

  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "Application" = "%startup%\­app.exe"

The following files are deleted:

  • %templates%\­Waiting.txt
  • %malwarefilepath%:Zone.Identifier

The trojan quits immediately if it is run within a debugger.

The trojan quits immediately if it detects a running process containing one of the following strings in its name:

  • avgui
  • avpui
  • avastui
  • PSUAMain
  • bdwtxag
  • bdagent

The trojan creates and runs a new thread with its own program code in all running processes.

The trojan launches the following processes:

  • %system%\­explorer.exe
  • %systemparentfolder%\­SysWOW64\­explorer.exe

The trojan creates and runs a new thread with its own code within these running processes.

Information stealing

The trojan collects the following information:

  • user name
  • computer name
  • video controller type
  • CPU information
  • default Internet browser
  • operating system version
  • information about the infected computer
  • installed antivirus software
  • Microsoft .NET framework version
  • unique identifier of infected computer

The trojan attempts to send gathered information to a remote machine.

Other information

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a list of (3) URLs. The HTTP protocol is used in the communication.

It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • update itself to a newer version
  • uninstall itself
  • send gathered information

Please enable Javascript to ensure correct displaying of this content and refresh this page.