Agent.btz is a worm that primarily spreads itself via removable devices such as USB drives. It reportedly infected U.S. military networks in 2008. [1]

ID: S0092
Platforms: Windows

Version: 1.0

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1022 | Data Encrypted | Agent.btz saves system information into an XML file that is then XOR-encoded.[2] |
| Enterprise | T1052 | Exfiltration Over Physical Medium | Agent.btz creates a file named thumb.dd on all USB flash drives connected to the victim. This file contains information about the infected system and activity logs.[1] |
| Enterprise | T1105 | Remote File Copy | Agent.btz attempts to download an encrypted binary from a specified domain.[2] |
| Enterprise | T1091 | Replication Through Removable Media | Agent.btz drops itself onto removable media devices and creates an autorun.inf file with an instruction to run that file. When the device is inserted into another system, it opens autorun.inf and loads the malware.[2] |
| Enterprise | T1016 | System Network Configuration Discovery | Agent.btz collects the network adapter’s IP and MAC address as well as IP addresses of the network adapter’s default gateway, primary/secondary WINS, DHCP, and DNS servers, and saves them into a log file.[2] |
| Enterprise | T1033 | System Owner/User Discovery | Agent.btz obtains the victim username and saves it to a file.[2] |
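
A triage check for the two removable-media artifacts described above (thumb.dd and an autorun.inf that launches a file), as an added example that is not part of the original entry. The function names and sample content are hypothetical; `open`, `shellexecute` and `shell\<verb>\command` are the standard Windows AutoRun launch keys, which the entry itself does not name.

```python
import tempfile
from pathlib import Path

def launch_directives(text):
    """Return (key, value) pairs in [autorun] that make Windows start a program."""
    found, section = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        key, sep, value = line.partition("=")
        key = key.strip().lower()
        runs = key in ("open", "shellexecute") or (
            key.startswith("shell\\") and key.endswith("\\command"))
        if sep and section == "autorun" and runs:
            found.append((key, value.strip()))
    return found

def triage_volume(root):
    """List thumb.dd and autorun.inf launch directives in a volume's root."""
    findings = []
    for entry in Path(root).iterdir():
        name = entry.name.lower()  # FAT/NTFS names are case-insensitive
        if not entry.is_file():
            continue
        if name == "thumb.dd":
            findings.append(("thumb.dd", f"{entry.stat().st_size} bytes"))
        elif name == "autorun.inf":
            # latin-1 never fails to decode; assumes an ANSI-encoded file
            text = entry.read_text(encoding="latin-1")
            findings += [("autorun:" + k, v) for k, v in launch_directives(text)]
    return sorted(findings)

# Constructed sample; PLACEHOLDER.exe is not a file name taken from the entry.
SAMPLE_AUTORUN = ("[AutoRun]\n; comment\nlabel=USB\nOpen = PLACEHOLDER.exe\n"
                  "shell\\open\\command=PLACEHOLDER.exe\n[Other]\nopen=ignored.exe\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:  # stands in for a mounted USB volume
        Path(d, "AUTORUN.INF").write_text(SAMPLE_AUTORUN, encoding="latin-1")
        Path(d, "thumb.dd").write_bytes(b"\x00" * 16)
        for kind, detail in triage_volume(d):
            print(kind, "->", detail)
```

A hit is a lead for further analysis rather than a verdict, since legitimate media can also carry an autorun.inf.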