Win32/Agent.YEV [Threat Name]

Win32/Agent.YEV [Threat Variant Name]

Category: trojan
Size: 1324544 B
Detection created: Aug 23, 2016
Detection database version: 14006
Aliases: Trojan:Win32/Kwampirs.B (Microsoft)
         TR/Kwampirs.kjwd (Avira)
         Trojan.Kwampirs (Symantec)
Short description

Win32/Agent.YEV serves as a backdoor. It can be controlled remotely.

Installation

When executed, the trojan creates the following files:

  • %windir%\system32\%variable0%.dll (261120 B)

The trojan registers itself as a system service using the following name:

  • WmiApSrvEx

The %variable0% is one of the following strings:

  • wmiamgmt
  • wmipadp
  • wmiassn
  • wmiadrv
  • wmipdpa

The trojan executes the following command:

  • cmd.exe /c start /b "" rundll32.exe "%windir%\system32\%variable0%.dll" ControlTrace -Embedding -k DcomLaunch

The trojan copies itself to the following location:

  • %windir%\system32\%variable1%.exe

The %variable1% is one of the following strings:

  • wmipsrvce
  • wmipsvrce
  • wmipsvre
  • wmipvsre
  • wmiprvse

The file is then executed.

Spreading via shared folders

The trojan tries to copy itself into shared folders of machines on a local network.

The trojan generates various IP addresses.

The following names of the shared network folders are used:

  • \\%remotecomputer%\ADMIN$\system32\
  • \\%remotecomputer%\C$\WINDOWS\system32\
  • \\%remotecomputer%\D$\WINDOWS\system32\
  • \\%remotecomputer%\E$\WINDOWS\system32\

Its filename is one of the following:

  • wmiapsrve.exe
  • wmiapsrvux.exe
  • wmiapsrvce.exe
  • wmiapsvrce.exe
  • wmiapsvre.exe
  • wmiapvsre.exe
  • wmiaprvse.exe

The trojan registers itself as a system service using the following name:

  • WmiApSrvEx

Information stealing

Win32/Agent.YEV is a trojan that steals sensitive information.

The trojan collects the following information:

  • MAC address
  • operating system version
  • language settings

The trojan attempts to send gathered information to a remote machine.

Other information

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a list of 200 URL/IP addresses. The HTTP protocol is used in the communication.

It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files

The trojan keeps various information in the following files:

  • %windir%\inf\ie11.PNF
  • %windir%\inf\mtmndkb32.PNF
  • %temp%\Lb978YTy.tmp
  • %windir%\inf\digirps.PNF
  • %windir%\inf\mkdiawb3.PNF

The trojan may create the following files:

  • %windir%\system32\%variable2%.dll (261120 B)

The %variable2% is one of the following strings:

  • wmiapsrvcep
  • wmiapsvrcep
  • wmiapsvrep
  • wmiapvsrep
  • wmiaprvsep

The trojan may execute the following commands:

  • cmd.exe /c start /b "" rundll32.exe "%windir%\system32\%variable2%.dll" ControlTrace -Embedding -k DcomLaunch %variable3%

A string with variable content is used instead of %variable3%.
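The file names, DLL size, PNF data stores and service name listed in this description can be turned into a simple host-inventory check. The script below is an added example written for this page, not ESET's detection logic; the file and service inventory it scans is constructed sample data, and the only assumption beyond the page is that a file listing with sizes and a service list are available to the caller.

```python
from pathlib import PureWindowsPath

# Indicators taken from the description above (all names compared case-insensitively).
SERVICE_NAME = "wmiapsrvex"
DLL_STEMS = {"wmiamgmt", "wmipadp", "wmiassn", "wmiadrv", "wmipdpa",          # %variable0%
             "wmiapsrvcep", "wmiapsvrcep", "wmiapsvrep", "wmiapvsrep", "wmiaprvsep"}  # %variable2%
EXE_STEMS = {"wmipsrvce", "wmipsvrce", "wmipsvre", "wmipvsre", "wmiprvse",   # %variable1%
             "wmiapsrve", "wmiapsrvux", "wmiapsrvce", "wmiapsvrce",          # share-spread names
             "wmiapsvre", "wmiapvsre", "wmiaprvse"}
DLL_SIZE = 261120
PNF_NAMES = {"ie11.pnf", "mtmndkb32.pnf", "digirps.pnf", "mkdiawb3.pnf"}
TMP_NAMES = {"lb978yty.tmp"}


def match_indicators(files, services):
    """files: iterable of (path, size_in_bytes); services: iterable of service names.
    Returns a sorted list of findings, one string per matching artifact."""
    findings = []
    for path, size in files:
        p = PureWindowsPath(path)
        name, stem, ext = p.name.lower(), p.stem.lower(), p.suffix.lower()
        parent = p.parent.name.lower()
        if parent == "system32" and ext == ".dll" and stem in DLL_STEMS and size == DLL_SIZE:
            findings.append(f"dropped dll: {path}")
        elif parent == "system32" and ext == ".exe" and stem in EXE_STEMS:
            # The legitimate WMI Provider Host lives in system32\wbem\wmiprvse.exe; its parent
            # directory is "wbem", so it is not reported, while a copy directly in system32 is.
            findings.append(f"trojan copy: {path}")
        elif parent == "inf" and name in PNF_NAMES:
            findings.append(f"data store: {path}")
        elif name in TMP_NAMES:
            findings.append(f"temp data store: {path}")
    findings.extend(f"service: {svc}" for svc in services if svc.lower() == SERVICE_NAME)
    return sorted(findings)


# Constructed sample inventory for the demonstration, not real telemetry.
SAMPLE_FILES = [
    (r"C:\Windows\system32\wmiadrv.dll", 261120),
    (r"C:\Windows\system32\wmipsvre.exe", 1324544),
    (r"C:\Windows\system32\wbem\wmiprvse.exe", 500000),   # legitimate location, not flagged
    (r"C:\Windows\inf\mkdiawb3.PNF", 4096),
    (r"C:\Windows\system32\kernel32.dll", 700000),
]
SAMPLE_SERVICES = ["Winmgmt", "WmiApSrvEx"]

if __name__ == "__main__":
    for finding in match_indicators(SAMPLE_FILES, SAMPLE_SERVICES):
        print(finding)
```

The DLL size and name sets are only as specific as this description; a hit on the service name or on an executable directly in system32 is the stronger signal, while the PNF names should be corroborated with the file's contents before acting on them.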
