Agent.AUM is a trojan that drops and executes several other malware files onto the computer system.
In general, trojan droppers are usually standalone programs that drop different types of standalone malware (trojans, worms, backdoors) to a system. A typical trojan dropper is a file that contains a few other files compressed inside its body. When a trojan dropper is run, it extracts all files it contains to a folder (usually temporary folder) and runs all of them simultaneously.
Aside from being a dropper, this trojan also has the ability to steal usernames, passwords, and other system information from the victim's computer.
Based on the settings of your F-Secure security product, it will either automatically delete, quarantine or rename the detected program or file, or ask you for a desired action.
Find the latest advice in our Community Knowledge Base.
See the manual for your F-Secure product on the Help Center.
Submit a file or URL for further analysis.
Agent.AUM is a Themida packed trojan that arrives on the system with the filename of Windows Genuine Advantage Patch.exe.
Upon execution, it drops the following files in the Windows System directory:
It checks the existence of the following mutex to ensure that there's only one instance of itself running in memory:
In creates the following autostart registry entry:
It also creates the following registry entry to allow itself to bypass the Windows Firewall:
It modifies the following registry keys:
- and changes them it to:
This is done in order to prevent the user from successfully booting into Safe Mode.
This trojan tries to steal user account names and passwords of the following known applications:
It also tries to get system information such as:
Agent.AUM also attempts to log keystroke events and saves them to the following file located at the Windows folder:
Below is an example of the HKR32.ASM file. It shows the user's logged keystrokes: