{ "id": "e02b18c3-9450-4bf4-b293-d0a6e9e4beea", "created_at": "2026-04-06T00:10:27.862947Z", "updated_at": "2026-04-10T03:37:50.667844Z", "deleted_at": null, "sha1_hash": "14b748d89432b2664c191f778b8d6155cd99d43e", "title": "Agent.BTZ", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 78997, "plain_text": "Agent.BTZ\r\nBy Contributors to Wikimedia projects\r\nPublished: 2014-03-03 · Archived: 2026-04-05 22:41:06 UTC\r\nFrom Wikipedia, the free encyclopedia\r\nThis article is about the worm. For the Trojan infecting Windows, Android, and other operating systems, see\r\nAgent.AWF.\r\nAgent.BTZ\r\nMalware details\r\nTechnical name\r\nW32/Autorun.worm.dw (McAfee)\r\nWorm:W32/Agent.BTZ(F-Secure)\r\nType Worm\r\nOrigin Russia\r\nTechnical details\r\nWritten in x86 ASM\r\nAgent.BTZ, also named Autorun,\r\n[1][2]\r\n is a computer worm that infects USB flash drives with spyware. A variant\r\nof the SillyFDC worm,[3] it was used in the massive 2008 cyberattack on the US military, infecting 300,000\r\ncomputers.\r\nTechnical description\r\n[edit]\r\nThe Agent.BTZ worm is a DLL file, written in x86-32 assembly language.\r\n[4]\r\n It spreads by creating an\r\nAUTORUN.INF file to the root of each drive with the DLL file.[5] It has the ability \"to scan computers for data,\r\nopen backdoors, and send through those backdoors to a remote command and control server.\"[3]\r\nIn 2008, at a US military base in the Middle East, a USB flash drive infected with Agent.BTZ was inserted into a\r\nlaptop attached to United States Central Command. From there it spread undetected to other systems, both\r\nclassified and unclassified.[6] In order to try to stop the spread of the worm, the Pentagon banned USB drives and\r\nremovable media devices. They also disabled the Windows autorun feature on their computers.[3] The Pentagon\r\nspent nearly 14 months cleaning the worm from military networks.[3]\r\nhttps://en.wikipedia.org/wiki/Agent.BTZ\r\nPage 1 of 2\n\nChinese hackers were thought to be behind the attack because they had used the same code that made up\r\nAgent.BTZ in previous attacks.[7] According to an article in The Economist, \"it is not clear that agent.btz was\r\ndesigned specifically to target military networks, or indeed that it comes from either Russia or China.\"[8] An\r\narticle in the Los Angeles Times reported that US defense officials described the malicious software as \"apparently\r\ndesigned specifically to target military networks.\" It's \"thought to be from inside Russia\", although it was not clear\r\n\"whether the destructive program was created by an individual hacker or whether the Russian government may\r\nhave had some involvement.\"[9]\r\nIn 2010, American journalist Noah Shachtman wrote an article to investigate the theory that the worm was written\r\nby a single hacker.\r\n[3]\r\n Later analyses by Kaspersky Lab found relations to other spyware, including Red October,\r\nTurla, and Flame.\r\n[10]\r\nIn December 2016, the United States FBI and DHS issued a Joint Analysis Report which included attribution of\r\nAgent.BTZ to one or more \"Russian civilian and military intelligence Services (RIS).\"[11]\r\n1. ^ Shevchenko, Sergei (30 November 2008). \"Agent.btz - A Threat That Hit Pentagon\". ThreatExpert Blog.\r\nRetrieved 14 December 2016.\r\n2. ^ \"W32/Autorun.worm.dw - Malware\". McAfee Labs Threat Center. 21 November 2008. Retrieved 14\r\nDecember 2016.\r\n3. ^ Jump up to: a\r\n \r\nb\r\n \r\nc\r\n \r\nd\r\n \r\ne\r\n Shachtman, Noah (25 August 2010). \"Insiders Doubt 2008 Pentagon Hack Was\r\nForeign Spy Attack\". Wired. Retrieved 14 December 2016.\r\n4. ^ \"Agent.BTZ - Virus Information\". Panda Security. Retrieved 14 December 2016.\r\n5. ^ \"Worm:W32/Agent.BTZ Description\". F-Secure Labs. Retrieved 14 December 2016.\r\n6. ^ William J. Lynn III. \"Defending a New Domain\". Foreign Affairs. Retrieved 2010-08-25.\r\n7. ^ Leyden, John (20 November 2008). \"US Army bans USB devices to contain worm\". The Register.\r\nRetrieved 14 December 2016.\r\n8. ^ \"The worm turns\". The Economist. 4 December 2008. Retrieved 14 December 2016.\r\n9. ^ Barnes, Julian E. (28 November 2008). \"Pentagon computer networks attacked\". Los Angeles Times.\r\nRetrieved 14 December 2016.\r\n10. ^ Gostev, Alexander (12 March 2014). \"Agent.btz: a Source of Inspiration?\". Securelist. Retrieved 19 May\r\n2020.\r\n11. ^ \"GRIZZLY STEPPE – Russian Malicious Cyber Activity\" (PDF). US CERT. Retrieved 2 March 2017.\r\nSource: https://en.wikipedia.org/wiki/Agent.BTZ\r\nhttps://en.wikipedia.org/wiki/Agent.BTZ\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://en.wikipedia.org/wiki/Agent.BTZ" ], "report_names": [ "Agent.BTZ" ], "threat_actors": [ { "id": "8aaa5515-92dd-448d-bb20-3a253f4f8854", "created_at": "2024-06-19T02:03:08.147099Z", "updated_at": "2026-04-10T02:00:03.685355Z", "deleted_at": null, "main_name": "IRON HUNTER", "aliases": [ "ATK13 ", "Belugasturgeon ", "Blue Python ", "CTG-8875 ", "ITG12 ", "KRYPTON ", "MAKERSMARK ", "Pensive Ursa ", "Secret Blizzard ", "Turla", "UAC-0003 ", "UAC-0024 ", "UNC4210 ", "Venomous Bear ", "Waterbug " ], "source_name": "Secureworks:IRON HUNTER", "tools": [ "Carbon-DLL", "ComRAT", "LightNeuron", "Mosquito", "PyFlash", "Skipper", "Snake", "Tavdig" ], "source_id": "Secureworks", "reports": null }, { "id": "a97cf06d-c2e2-4771-99a2-c9dee0d6a0ac", "created_at": "2022-10-25T16:07:24.349252Z", "updated_at": "2026-04-10T02:00:04.949821Z", "deleted_at": null, "main_name": "Turla", "aliases": [ "ATK 13", "Belugasturgeon", "Blue Python", "CTG-8875", "G0010", "Group 88", "ITG12", "Iron Hunter", "Krypton", "Makersmark", "Operation Epic Turla", "Operation Moonlight Maze", "Operation Penguin Turla", "Operation Satellite Turla", "Operation Skipper Turla", "Operation Turla Mosquito", "Operation WITCHCOVEN", "Pacifier APT", "Pensive Ursa", "Popeye", "SIG15", "SIG2", "SIG23", "Secret Blizzard", "TAG-0530", "Turla", "UNC4210", "Venomous Bear", "Waterbug" ], "source_name": "ETDA:Turla", "tools": [ "ASPXSpy", "ASPXTool", "ATI-Agent", "AdobeARM", "Agent.BTZ", "Agent.DNE", "ApolloShadow", "BigBoss", "COMpfun", "Chinch", "Cloud Duke", "CloudDuke", "CloudLook", "Cobra Carbon System", "ComRAT", "DoublePulsar", "EmPyre", "EmpireProject", "Epic Turla", "EternalBlue", "EternalRomance", "GoldenSky", "Group Policy Results Tool", "HTML5 Encoding", "HyperStack", "IcedCoffee", "IronNetInjector", "KSL0T", "Kapushka", "Kazuar", "KopiLuwak", "Kotel", "LOLBAS", "LOLBins", "LightNeuron", "Living off the Land", "Maintools.js", "Metasploit", "Meterpreter", "MiamiBeach", "Mimikatz", "MiniDionis", "Minit", "NBTscan", "NETTRANS", "NETVulture", "Neptun", "NetFlash", "NewPass", "Outlook Backdoor", "Penquin Turla", "Pfinet", "PowerShell Empire", "PowerShellRunner", "PowerShellRunner-based RPC backdoor", "PowerStallion", "PsExec", "PyFlash", "QUIETCANARY", "Reductor RAT", "RocketMan", "SMBTouch", "SScan", "Satellite Turla", "SilentMoon", "Sun rootkit", "TTNG", "TadjMakhal", "Tavdig", "TinyTurla", "TinyTurla Next Generation", "TinyTurla-NG", "Topinambour", "Tunnus", "Turla", "Turla SilentMoon", "TurlaChopper", "Uroburos", "Urouros", "WCE", "WITCHCOVEN", "WhiteAtlas", "WhiteBear", "Windows Credential Editor", "Windows Credentials Editor", "Wipbot", "WorldCupSec", "XTRANS", "certutil", "certutil.exe", "gpresult", "nbtscan", "nbtstat", "pwdump" ], "source_id": "ETDA", "reports": null }, { "id": "46b3c0fc-fa0c-4d63-a38a-b33a524561fb", "created_at": "2023-01-06T13:46:38.393409Z", "updated_at": "2026-04-10T02:00:02.955738Z", "deleted_at": null, "main_name": "APT29", "aliases": [ "Cloaked Ursa", "TA421", "Blue Kitsune", "BlueBravo", "IRON HEMLOCK", "G0016", "Nobelium", "Group 100", "YTTRIUM", "Grizzly Steppe", "ATK7", "ITG11", "COZY BEAR", "The Dukes", "Minidionis", "UAC-0029", "SeaDuke" ], "source_name": "MISPGALAXY:APT29", "tools": [ "SNOWYAMBER", "HALFRIG", "QUARTERRIG" ], "source_id": "MISPGALAXY", "reports": null }, { "id": "a97fee0d-af4b-4661-ae17-858925438fc4", "created_at": "2023-01-06T13:46:38.396415Z", "updated_at": "2026-04-10T02:00:02.957137Z", "deleted_at": null, "main_name": "Turla", "aliases": [ "TAG_0530", "Pacifier APT", "Blue Python", "UNC4210", "UAC-0003", "VENOMOUS Bear", "Waterbug", "Pfinet", "KRYPTON", "Popeye", "SIG23", "ATK13", "ITG12", "Group 88", "Uroburos", "Hippo Team", "IRON HUNTER", "MAKERSMARK", "Secret Blizzard", "UAC-0144", "UAC-0024", "G0010" ], "source_name": "MISPGALAXY:Turla", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "d11c89bb-1640-45fa-8322-6f4e4053d7f3", "created_at": "2022-10-25T15:50:23.509601Z", "updated_at": "2026-04-10T02:00:05.277674Z", "deleted_at": null, "main_name": "Turla", "aliases": [ "Turla", "IRON HUNTER", "Group 88", "Waterbug", "WhiteBear", "Krypton", "Venomous Bear", "Secret Blizzard", "BELUGASTURGEON" ], "source_name": "MITRE:Turla", "tools": [ "PsExec", "nbtstat", "ComRAT", "netstat", "certutil", "KOPILUWAK", "IronNetInjector", "LunarWeb", "Arp", "Uroburos", "PowerStallion", "Kazuar", "Systeminfo", "LightNeuron", "Mimikatz", "Tasklist", "LunarMail", "HyperStack", "NBTscan", "TinyTurla", "Penquin", "LunarLoader" ], "source_id": "MITRE", "reports": null }, { "id": "730dfa6e-572d-473c-9267-ea1597d1a42b", "created_at": "2023-01-06T13:46:38.389985Z", "updated_at": "2026-04-10T02:00:02.954105Z", "deleted_at": null, "main_name": "APT28", "aliases": [ "Pawn Storm", "ATK5", "Fighting Ursa", "Blue Athena", "TA422", "T-APT-12", "APT-C-20", "UAC-0001", "IRON TWILIGHT", "SIG40", "UAC-0028", "Sofacy", "BlueDelta", "Fancy Bear", "GruesomeLarch", "Group 74", "ITG05", "FROZENLAKE", "Forest Blizzard", "FANCY BEAR", "Sednit", "SNAKEMACKEREL", "Tsar Team", "TG-4127", "STRONTIUM", "Grizzly Steppe", "G0007" ], "source_name": "MISPGALAXY:APT28", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab", "created_at": "2022-10-25T16:07:24.212584Z", "updated_at": "2026-04-10T02:00:04.900038Z", "deleted_at": null, "main_name": "Sofacy", "aliases": [ "APT 28", "ATK 5", "Blue Athena", "BlueDelta", "FROZENLAKE", "Fancy Bear", "Fighting Ursa", "Forest Blizzard", "G0007", "Grey-Cloud", "Grizzly Steppe", "Group 74", "GruesomeLarch", "ITG05", "Iron Twilight", "Operation DealersChoice", "Operation Dear Joohn", "Operation Komplex", "Operation Pawn Storm", "Operation RoundPress", "Operation Russian Doll", "Operation Steal-It", "Pawn Storm", "SIG40", "Sednit", "Snakemackerel", "Sofacy", "Strontium", "T-APT-12", "TA422", "TAG-0700", "TAG-110", "TG-4127", "Tsar Team", "UAC-0028", "UAC-0063" ], "source_name": "ETDA:Sofacy", "tools": [ "ADVSTORESHELL", "AZZY", "Backdoor.SofacyX", "CHERRYSPY", "CORESHELL", "Carberp", "Computrace", "DealersChoice", "Delphacy", "Downdelph", "Downrage", "Drovorub", "EVILTOSS", "Foozer", "GAMEFISH", "GooseEgg", "Graphite", "HATVIBE", "HIDEDRV", "Headlace", "Impacket", "JHUHUGIT", "JKEYSKW", "Koadic", "Komplex", "LOLBAS", "LOLBins", "Living off the Land", "LoJack", "LoJax", "MASEPIE", "Mimikatz", "NETUI", "Nimcy", "OCEANMAP", "OLDBAIT", "PocoDown", "PocoDownloader", "Popr-d30", "ProcDump", "PythocyDbg", "SMBExec", "SOURFACE", "SPLM", "STEELHOOK", "Sasfis", "Sedkit", "Sednit", "Sedreco", "Seduploader", "Shunnael", "SkinnyBoy", "Sofacy", "SofacyCarberp", "SpiderLabs Responder", "Trojan.Shunnael", "Trojan.Sofacy", "USB Stealer", "USBStealer", "VPNFilter", "Win32/USBStealer", "WinIDS", "Winexe", "X-Agent", "X-Tunnel", "XAPS", "XTunnel", "Xagent", "Zebrocy", "Zekapab", "carberplike", "certutil", "certutil.exe", "fysbis", "webhp" ], "source_id": "ETDA", "reports": null }, { "id": "f27790ff-4ee0-40a5-9c84-2b523a9d3270", "created_at": "2022-10-25T16:07:23.341684Z", "updated_at": "2026-04-10T02:00:04.549917Z", "deleted_at": null, "main_name": "APT 29", "aliases": [ "APT 29", "ATK 7", "Blue Dev 5", "BlueBravo", "Cloaked Ursa", "CloudLook", "Cozy Bear", "Dark Halo", "Earth Koshchei", "G0016", "Grizzly Steppe", "Group 100", "ITG11", "Iron Hemlock", "Iron Ritual", "Midnight Blizzard", "Minidionis", "Nobelium", "NobleBaron", "Operation Ghost", "Operation Office monkeys", "Operation StellarParticle", "SilverFish", "Solar Phoenix", "SolarStorm", "StellarParticle", "TEMP.Monkeys", "The Dukes", "UNC2452", "UNC3524", "Yttrium" ], "source_name": "ETDA:APT 29", "tools": [ "7-Zip", "ATI-Agent", "AdFind", "Agentemis", "AtNow", "BEATDROP", "BotgenStudios", "CEELOADER", "Cloud Duke", "CloudDuke", "CloudLook", "Cobalt Strike", "CobaltStrike", "CosmicDuke", "Cozer", "CozyBear", "CozyCar", "CozyDuke", "Danfuan", "EnvyScout", "EuroAPT", "FatDuke", "FoggyWeb", "GeminiDuke", "Geppei", "GoldFinder", "GoldMax", "GraphDrop", "GraphicalNeutrino", "GraphicalProton", "HAMMERTOSS", "HammerDuke", "LOLBAS", "LOLBins", "LiteDuke", "Living off the Land", "MagicWeb", "Mimikatz", "MiniDionis", "MiniDuke", "NemesisGemina", "NetDuke", "OnionDuke", "POSHSPY", "PinchDuke", "PolyglotDuke", "PowerDuke", "QUIETEXIT", "ROOTSAW", "RegDuke", "Rubeus", "SNOWYAMBER", "SPICYBEAT", "SUNSHUTTLE", "SeaDaddy", "SeaDask", "SeaDesk", "SeaDuke", "Sharp-SMBExec", "SharpView", "Sibot", "Solorigate", "SoreFang", "TinyBaron", "WINELOADER", "WellMail", "WellMess", "cobeacon", "elf.wellmess", "reGeorg", "tDiscoverer" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434227, "ts_updated_at": 1775792270, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/14b748d89432b2664c191f778b8d6155cd99d43e.pdf", "text": "https://archive.orkl.eu/14b748d89432b2664c191f778b8d6155cd99d43e.txt", "img": "https://archive.orkl.eu/14b748d89432b2664c191f778b8d6155cd99d43e.jpg" } }