Win32/Exploit.Agent.N [Threat Name] go to Threat
Win32/Exploit.Agent.N [Threat Variant Name]
Category | trojan |
Size | 446882 B |
Aliases | Exploit.Win32.CVE-2012-0158.ax (Kaspersky) |
Exploit-CVE2012-0158!rtf.trojan (McAfee) |
Short description
Win32/Exploit.Agent.N is a trojan that installs Win32/Spy.Zbot.AAU malware.
Installation
The trojan does not create any copies of itself.
Other information
The trojan contains a URL address. It tries to download a file from the address.
The file is saved to one of the following folders:
- %temp%\..\Microsoft\Windows\
- %temp%\..\Application Data\Microsoft\Windows\
- %temp%\
The following filename is used:
- spoolsv.exe (651776 B, Win32/Spy.Zbot.AAU)
The file is then executed. The HTTP protocol is used in the communication.
The trojan may delete the following Registry entries:
- [HKEY_CURRENT_USER\Software\Microsoft\Office\%variable%.0\Word\Resiliency\DisabledItems]
- [HKEY_CURRENT_USER\Software\Microsoft\Office\%variable%.0\Word\Resiliency\StartupItems]
A variable numerical value is used instead of %variable% .