Win32/Agent.PTA [Threat Name]
Win32/Agent.PTA [Threat Variant Name]
Category | trojan |
Size | 129024 B |
Short description
The trojan serves as a backdoor. It can be controlled remotely.
Installation
When executed, the trojan copies itself into the following location:
- %localappdata%\%variable%\juschedg.exe
A string with variable content is used instead of %variable%.
In order to be executed on every system start, the trojan sets the following Registry entry:
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
- "5HB8CEF8-849D-4D51-9B62-AD6468477BB--%variable%" = "%localappdata%\%variable%\juschedg.exe"
The trojan may create the following files:
- %localappdata%\%variable%\cf_.bin
- %localappdata%\Apps\conhostd.exe
- %localappdata%\%variable%\tservice.exe
The trojan may set the following Registry entries:
- [HKEY_CURRENT_USER\Software\TightVNC\Server]
- "AcceptHttpConnections" = 0
- "AcceptRfbConnections" = 1
- "AllowLoopback" = 1
- "LoopbackOnly" = 1
- "RemoveWallpaper" = 0
- "RfbPort" = 37390
- "AlwaysShared" = 1
- "NeverShared" = 0
- "UseVncAuthentication" = 0
- "RunControlInterface" = 0
Taken together, these values configure a TightVNC server that listens for RFB connections only on the loopback interface (port 37390), accepts shared sessions without VNC authentication, leaves the wallpaper in place and does not run its control interface, so the user sees no sign that a VNC server is active.
The trojan injects its own program code into all running processes and executes it there in a newly created thread.
Information stealing
Win32/Agent.PTA is a trojan that steals sensitive information.
The trojan collects the following information:
- hardware information
- MAC address
- CPU information
- user name
- list of running processes
The trojan collects sensitive information when the user browses certain web sites.
The following programs are affected:
- Internet Explorer
- Mozilla Firefox
The trojan can send the information to a remote machine.
Other information
The trojan acquires data and commands from a remote computer or the Internet.
The trojan contains a list of two URLs. Communication uses HTTP over Tor hidden services.
It can execute the following operations:
- download files from a remote computer and/or the Internet
- run executable files
- update itself to a newer version
- monitor network traffic
- block access to specific websites
- set up a proxy server
The trojan hooks the following APIs. wininet.dll carries Internet Explorer's HTTP requests and responses; nspr4.dll is Mozilla's NSPR library, through which Firefox reads and writes network data. Hooking these functions gives the trojan the browser traffic referred to under Information stealing in plaintext, whether or not the site uses HTTPS.
- HttpOpenRequestA (wininet.dll)
- HttpSendRequestW (wininet.dll)
- InternetReadFile (wininet.dll)
- InternetReadFileExA (wininet.dll)
- InternetQueryDataAvailable (wininet.dll)
- PR_Read (nspr4.dll)
- PR_Write (nspr4.dll)
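A hunting script for the artifacts in the Installation section and for the wininet.dll hooks listed above, added here as an example; it is not part of the ESET entry and not code from the malware. It takes the file names, registry keys and values exactly as the description gives them. The regular expression for the GUID-like Run value name is inferred from the single listed name, the listener check assumes Get-NetTCPConnection is available (Windows 8 / Server 2012 or later), and the inline-hook check is a heuristic on the first bytes of each export in the current process, which relies on the trojan injecting into every running process as described.

```powershell
# Added hunting script for Win32/Agent.PTA artifacts (not from the ESET entry).
# Assumptions: paths/keys/values as described; GUID-like name regex inferred
# from the one listed value name; hook check is a first-bytes heuristic.

function Find-AgentPtaArtifacts {
    $findings = New-Object System.Collections.Generic.List[string]
    $lad = $env:LOCALAPPDATA

    # 1. Dropped files: juschedg.exe, cf_.bin and tservice.exe live in
    #    %localappdata%\<variable>\ and conhostd.exe in %localappdata%\Apps\.
    $dropNames = 'juschedg.exe', 'cf_.bin', 'tservice.exe'
    Get-ChildItem -LiteralPath $lad -Directory -ErrorAction SilentlyContinue | ForEach-Object {
        foreach ($n in $dropNames) {
            $p = Join-Path $_.FullName $n
            if (Test-Path -LiteralPath $p) { $findings.Add("Dropped file: $p") }
        }
    }
    $conhostd = Join-Path $lad 'Apps\conhostd.exe'
    if (Test-Path -LiteralPath $conhostd) { $findings.Add("Dropped file: $conhostd") }

    # 2. Run-key persistence: value name "<GUID-like prefix>--<variable>" whose data
    #    points at juschedg.exe. The listed prefix is not a valid GUID (it contains
    #    an 'H' and an 11-character last group), so match on shape, not on hex.
    $meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    $run = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
    if ($run) {
        foreach ($prop in $run.PSObject.Properties) {
            if ($meta -contains $prop.Name) { continue }
            $nameHit = $prop.Name -match '^[0-9A-Z]{8}-[0-9A-Z]{4}-[0-9A-Z]{4}-[0-9A-Z]{4}-[0-9A-Z]{11,12}--'
            $dataHit = "$($prop.Value)" -match 'juschedg\.exe'
            if ($nameHit -or $dataHit) { $findings.Add("Run key: $($prop.Name) = $($prop.Value)") }
        }
    }

    # 3. TightVNC server configured as listed: no VNC authentication, loopback-only
    #    RFB listener on 37390, control interface disabled. Two or more matching
    #    values are treated as a hit so a single legitimate setting does not fire.
    $vnc = Get-ItemProperty -Path 'HKCU:\Software\TightVNC\Server' -ErrorAction SilentlyContinue
    if ($vnc) {
        $hits = @()
        if ($vnc.UseVncAuthentication -eq 0) { $hits += 'UseVncAuthentication=0' }
        if ($vnc.LoopbackOnly -eq 1)         { $hits += 'LoopbackOnly=1' }
        if ($vnc.RfbPort -eq 37390)          { $hits += 'RfbPort=37390' }
        if ($vnc.RunControlInterface -eq 0)  { $hits += 'RunControlInterface=0' }
        if ($hits.Count -ge 2) { $findings.Add("TightVNC config: $($hits -join ', ')") }
    }

    # 4. Live RFB listener on the configured port, with the owning process.
    if (Get-Command Get-NetTCPConnection -ErrorAction SilentlyContinue) {
        Get-NetTCPConnection -LocalPort 37390 -State Listen -ErrorAction SilentlyContinue | ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            $findings.Add("Listener $($_.LocalAddress):37390 owned by PID $($_.OwningProcess) ($($proc.ProcessName))")
        }
    }

    # 5. Inline-hook heuristic for the listed wininet.dll exports. Since the trojan
    #    injects into every running process, the wininet.dll mapped into this
    #    PowerShell process is a reasonable place to look. A legitimate export does
    #    not normally start with a jmp or push/ret, but EDR products hook the same
    #    calls, so confirm a hit against the on-disk bytes before acting on it.
    #    nspr4.dll is private to Firefox and would need ReadProcessMemory instead.
    if (-not ('Hunt.K32' -as [type])) {
        Add-Type -Namespace Hunt -Name K32 -MemberDefinition @'
[DllImport("kernel32.dll", CharSet=CharSet.Unicode, SetLastError=true)]
public static extern IntPtr LoadLibrary(string name);
[DllImport("kernel32.dll", CharSet=CharSet.Ansi, SetLastError=true)]
public static extern IntPtr GetProcAddress(IntPtr module, string proc);
'@
    }
    $exports = @('HttpOpenRequestA', 'HttpSendRequestW', 'InternetReadFile',
                 'InternetReadFileExA', 'InternetQueryDataAvailable')
    $wininet = [Hunt.K32]::LoadLibrary('wininet.dll')
    if ($wininet -ne [IntPtr]::Zero) {
        foreach ($fn in $exports) {
            $addr = [Hunt.K32]::GetProcAddress($wininet, $fn)
            if ($addr -eq [IntPtr]::Zero) { continue }
            $b = New-Object byte[] 12
            [System.Runtime.InteropServices.Marshal]::Copy($addr, $b, 0, 12)
            $hooked = $false
            if ($b[0] -eq 0xE9 -or $b[0] -eq 0xEB) { $hooked = $true }    # jmp rel32 / rel8
            if ($b[0] -eq 0xFF -and $b[1] -eq 0x25) { $hooked = $true }  # jmp [addr]
            if ($b[0] -eq 0x68 -and $b[5] -eq 0xC3) { $hooked = $true }  # push imm32; ret
            if ($b[0] -eq 0x48 -and $b[1] -eq 0xB8 -and $b[10] -eq 0xFF -and $b[11] -eq 0xE0) { $hooked = $true }  # mov rax,imm64; jmp rax
            if ($hooked) {
                $hex = ($b | ForEach-Object { $_.ToString('X2') }) -join ' '
                $findings.Add("Possible inline hook on wininet!$fn : $hex")
            }
        }
    }

    return $findings
}

$result = Find-AgentPtaArtifacts
if ($result.Count -eq 0) { 'No Win32/Agent.PTA artifacts found.' }
else { $result | ForEach-Object { "[!] $_" } }
```

Run it in the context of the user whose HKCU hive is suspected, since every key and path in the description is per-user; a 64-bit PowerShell only inspects the 64-bit wininet.dll, so a 32-bit browser's copy would have to be checked from a 32-bit host process or via ReadProcessMemory.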