Backdoor w32.agent.aqca

New Trojan that deletes user files. BACKDOOR W32.AGENTB.AQCA is a Trojan classified as malware that deletes the user’s files; several cases of infection have been reported in Cuban networks.



Actions it performs

The program deletes all files in the logged-in user’s profile (“C:\Users\[logged_user]”), regardless of file type, including the files on the infected user’s desktop, and leaves the folder structure in place.

Malware Features

The Trojan relies on social engineering: the file’s icon is that of a Windows folder, and its names are related to the operating system or use the letter “x”, including the name of the system itself. The Trojan can be found under the following names:

  • exe
  • exe
  • exe
  • exe
  • exe
  • exe

The Trojan keeps the option “Hide file extensions for known file types” enabled, so the executable file appears to be a harmless folder.

Way of proliferating

The file copies itself to all drives in the system, including USB devices connected to the infected computer. The Trojan can create a copy of itself in each folder on any USB drive. However, when a USB device carrying the Trojan is inserted into an uninfected computer, that computer is not infected unless the malicious file is executed. In other words, infection requires running the file manually. When executed, it infects only the session of the user who ran it. As part of the infection, the file creates 5 more files at the locations listed below:

  • C:\Users\Public\i.bat
  • C:\Windows\System32\Tasks\sjfsdfsjj
  • C:\Windows\System32\Tasks\sjfsdfskk
  • C:\Users\Public\Music\jogo.exe
  • C:\Users\Public\x.exe

The “i.bat” file creates 2 tasks on the system (“sjfsdfsjj” and “sjfsdfskk”) that govern the execution of the next 2 files in the list, which in turn govern the behavior of “jogo.exe” and “x.exe”, created at the paths shown in the list. Another file that the malware creates, which runs the same Trojan every time the system starts, is the following: C:\Users\infected_user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.exe
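A triage check for the files listed above, given as an added example that is not part of the original article or of any vendor tool. The function names are hypothetical; the paths are the ones listed on this page, matched case-insensitively so the check also works on a Windows volume mounted on a case-sensitive host.

```python
import sys
from pathlib import Path

# Artifact paths as listed on this page, relative to the Windows system drive.
SYSTEM_ARTIFACTS = [
    "Users/Public/i.bat",
    "Windows/System32/Tasks/sjfsdfsjj",
    "Windows/System32/Tasks/sjfsdfskk",
    "Users/Public/Music/jogo.exe",
    "Users/Public/x.exe",
]
# Per-user persistence copy in the Startup folder, relative to a profile directory.
STARTUP_ARTIFACT = "AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/x.exe"


def list_dir(path):
    """List a directory, returning [] if it is missing, unreadable or not a directory."""
    try:
        return list(Path(path).iterdir())
    except OSError:
        return []


def resolve_nocase(root, relative):
    """Resolve `relative` under `root` ignoring case, as NTFS does; None if absent."""
    current = Path(root)
    for part in relative.split("/"):
        matches = [e for e in list_dir(current) if e.name.lower() == part.lower()]
        if not matches:
            return None
        current = matches[0]
    return current


def find_artifacts(drive_root):
    """Return the sorted artifact files from this page that exist under drive_root."""
    candidates = [resolve_nocase(drive_root, rel) for rel in SYSTEM_ARTIFACTS]
    users_dir = resolve_nocase(drive_root, "Users")
    if users_dir is not None:
        # Check every profile: the Trojan infects only the user who ran it.
        for profile in list_dir(users_dir):
            candidates.append(resolve_nocase(profile, STARTUP_ARTIFACT))
    return sorted(p for p in candidates if p is not None and p.is_file())


if __name__ == "__main__":
    # Argument: drive or mount point to inspect (assumed default: the live C: drive).
    for hit in find_artifacts(sys.argv[1] if len(sys.argv) > 1 else "C:\\"):
        print(hit)
```

A hit on any of these paths only indicates that the files exist; the folder-icon executables copied to other drives and folders are not covered by this check.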

Prevention method

  • Keep the operating system updated to avoid security flaws.
  • Have a good antivirus product installed and always keep it updated.
  • Do not open emails or files from unknown senders.
  • Avoid browsing unsafe pages or pages with unverified content.

Detection and decontamination

The Security Antivirus detects and decontaminates these files on the PC. Not so Kaspersky, Nod32, TrendMicro, BitDefender, Avira, McAfee, ClamAV and Avast. It is important to know that deleted files cannot be recovered unless the system is restored or a recovery tool is used.


Segurmatica advises the following for this Trojan:

  • Keep the option “Hide file extensions for known file types” disabled.
  • Do not trust folder icons; open folders through the tree structure of the file system.
  • Keep permanent antivirus protection activated.

