Win32/Agent.QBU [Threat Name] go to Threat

Win32/Agent.QBU [Threat Variant Name]

Category trojan
Size 180066 B
Aliases Backdoor.Win32.Webdor.dl (Kaspersky)
  BDS/Webdor.dl (Avira)
Short description

The trojan serves as a backdoor. It can be controlled remotely.


When executed the trojan copies itself in the following locations:

  • %startup%\­taskseng.exe
  • %commonstartup%\­taskseng.exe

This causes the trojan to be executed on every system start.

Information stealing

Win32/Agent.QBU is a trojan that steals sensitive information.

The trojan collects the following information:

  • operating system version
  • user name
  • computer name
  • the path to specific folders

The trojan attempts to send gathered information to a remote machine.

Other information

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a list of 5 URLs. The HTTP, HTTPS protocol is used in the communication.

It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • sending various information about the infected computer
  • execute shell commands
  • remove itself from the infected computer

The trojan executes the following commands:

  • net.exe localgroup Administrators
  • net.exe localgroup Administradores
  • net.exe group "Domain Admins" /domain
  • net.exe group "Admins. do Dominio" /domain

The trojan keeps various information in the following Registry key:

  • [HKEY_CURRENT_USER\­Software\­Microsoft\­AV\­Metabase]

The trojan can create and run a new thread with its own program code within the following processes:

  • iexplore.exe

Please enable Javascript to ensure correct displaying of this content and refresh this page.