BAT/Agent.NEM [Threat Name] go to Threat

BAT/Agent.NEM [Threat Variant Name]

Category trojan,worm
Size 470519 B
Aliases Worm.BAT.Agent.dd (Kaspersky)
  Ransom.TeslaCrypt (Symantec)
Short description

BAT/Agent.NEM is a worm which tries to download other malware from the Internet. The worm may create copies of itself on removable drives.


When executed, the worm copies itself in some of the the following locations:

  • %installfolder%\­ServiceUserUpdate.exe
  • %installfolder%\­UserDriveUpdate.exe

The %installfolder% is one of the following strings:

  • %windir%\­ServiceProfiles\­User
  • %appdata%\­Microsoft\­ServiceProfiles\­User

In order to be executed on every system start, the worm sets the following Registry entry:

  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "UserDriveUpdate" = "%windir%\­system32\­cmd.exe /c start /b %malwarefilepath%"

The worm schedules a task that causes the following file to be executed repeatedly:

  • %installfolder%\­ServiceUserUpdate.exe
  • %installfolder%\­UserDriveUpdate.exe
Information stealing

The worm collects various information related to the operating system.

The worm collects the following information:

  • information about the operating system and system settings
  • computer name
  • volume serial number
  • information about the infected computer

The worm attempts to send gathered information to a remote machine. The HTTP protocol is used in the communication.

Spreading on removable media

The worm searches for files and folders on removable drives.

The worm may create the following folders:

  • %removabledrive%\­.Trash-1000\­info
  • %removabledrive%\­.Trash-1000\­files

The worm attempts to replace the following files with a copy of itself:

  • %removabledrive%\­*.exe
  • %removabledrive%\­disk.inf
  • %removabledrive%\­ntuser.ini
  • %removabledrive%\­.Trash-1000\­info\­disk.trashinfo

The worm creates the following files:

  • %removabledrive%\­System Volume Information.lnk

The file is a shortcut to a malicious file.

The worm searches removable drives for files with the following file extensions:

  • .doc
  • .txt
  • .jpg
  • .rar
  • .wav
  • .lnk

When the worm finds a file matching the search criteria, it overwrites its content.

The extension of the files is changed to:

  • .lnk

The file is a shortcut to a malicious file.

The worm creates copies of the following files (source, destination):

  • %foundfile%, %removabledrive%\­.Trash-1000\­files\­FILE%randomnumber%.%foundfileextension%

A string with variable content is used instead of %randomnumber% .

The worm hides an original file and creates malicious shortcut link.

Other information

The worm contains a URL address.

It tries to download a file from the address.

The file is stored into the following folder:

  • %currentfolder%

The following filename is used:

  • Micro.exe
  • Excel.exe

The file is then executed.

The worm may display a dialog box with the title:

  • Exception 0xc0000005 EXCEPTION_ACCESS_VIOLATION

The dialog box contains the following text:

  • Ошибка при инициализации приложения (0xc0000005). Повторить попытку открытия файла?

Please enable Javascript to ensure correct displaying of this content and refresh this page.