{
	"id": "f64f4cc9-c956-4e66-9e23-7d0a459afe1a",
	"created_at": "2026-04-06T00:12:26.9662Z",
	"updated_at": "2026-04-10T13:11:44.686879Z",
	"deleted_at": null,
	"sha1_hash": "9e42753263f89db549ef5204335542b065f08337",
	"title": "Agent.btz - A Threat That Hit Pentagon",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 47119,
	"plain_text": "Agent.btz - A Threat That Hit Pentagon\r\nArchived: 2026-04-05 12:39:07 UTC\r\nAccording to this publication, the senior military leaders reported the malware breach incident that affected the\r\nU.S. Central Command network, including computers both in the headquarters and in the combat zones.\r\nThe threat involved into this incident is referred as Agent.btz. This is a classification from F-Secure. Other vendors\r\nname this threat mostly as Autorun. Some of the aliases assigned to this threat might seem confusing. There is even\r\na clash with another threat that is also detected as Agent.btz by another vendor – but that's a totally different threat\r\nwith different functionality. This post is about F-Secure-classified Agent.btz – the one that was involved into the\r\naforementioned incident.\r\nAt the time of this writing, ThreatExpert system has received and processed several different samples of this threat\r\n– further referred as Agent.btz. All these builds exhibit common functionality.\r\nAgent.btz is a DLL file. When loaded, its exported function DllEntryPoint() will be called automatically. Another\r\nexported function of this DLL, InstallM(),is called during the initial infection stage, via a command-line parameter\r\nfor the system file rundll32.exe.\r\nInfection Vector\r\nThe infection normally occurs via a removable disk such as thumb drive (USB stick) or any other external hard\r\ndrive. Once a removable disk is connected to a computer infected with Agent.btz, the active malware will detect a\r\nnewly recognized drive. It will drop its copy on it and it will create autorun.inf file with an instruction to run that\r\nfile. 
When a clean computer recognizes a newly connected removable drive, it will (by default) detect the autorun.inf file on it, open it and follow its instruction to load the malware.\r\nAnother infection vector: when a clean computer attempts to map a drive letter to a shared network resource that has Agent.btz and the corresponding autorun.inf file on it, it will (by default) open the autorun.inf file and follow its instruction to load the malware. Once infected, it will do the same with other removable drives connected to it or with other computers in the network that attempt to map a drive letter to its shared drive infected with Agent.btz – hence the replication.\r\nThe autorun.inf file it creates contains the following command to run rundll32.exe:\r\nrundll32.exe .\\\\[random_name].dll,InstallM\r\nFunctionality\r\nWhen the Agent.btz DLL is loaded, it will decrypt some of the strings inside its body. The Agent.btz file is not packed. The strings it decrypts are mostly filenames, API names, registry entries, etc.\r\nAfter decrypting its strings, Agent.btz dynamically retrieves function pointers to the following kernel32.dll APIs: WriteProcessMemory(), VirtualAllocEx(), VirtualProtectEx(). It will need these APIs later to inject malicious code into the Internet Explorer process.\r\nhttp://blog.threatexpert.com/2008/11/agentbtz-threat-that-hit-pentagon.html\r\nPage 1 of 5\r\nAgent.btz spawns several threads and registers the window class \"zQWwe2esf34356d\".\r\nThe first thread will try to query several parameters from the values under the registry key:\r\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\StrtdCfg\r\nSome of these parameters contain such details as timeout periods, flags, or the name of the domain from which the additional components can be downloaded.\r\nThe first thread will spawn 2 additional threads. One of them will wait for 5 minutes, and then it will attempt to download an encrypted binary from the domain specified in the parameters.\r\nFor example, it may attempt to download the binaries from these locations:\r\nhttp://biznews.podzone.org/update/img0008/[random digits].jpg\r\nor\r\nhttp://worldnews.ath.cx/update/img0008/[random digits].jpg\r\nThe downloaded binary will be saved under the file name $1F.dll in the temporary directory.\r\nOnce the binary is saved, Agent.btz signals its threads with the \"wowmgr_is_loaded\" event, saves new parameters into the registry values under the key \"StrtdCfg\", loads the Internet Explorer process, decrypts the contents of the downloaded binary, injects it into the address space of Internet Explorer and then spawns a remote thread in it.\r\nAt the time of this writing the contents of the binary are unknown as the links above are down. Thus, it’s not known what kind of code could have been injected into the browser process. The only assumption that can be made here is that the remote thread was spawned inside the Internet Explorer process in order to bypass firewalls in its attempt to communicate with the remote server.\r\nInstallation\r\nAgent.btz drops its copy into the %system% directory by using a random name constructed from the parts of the names of the DLL files located in the %system% directory.\r\nIt registers itself as an in-process server to have its DLL loaded into the system process explorer.exe. The CLSID for the in-process server is also random - it is produced by the UuidCreate() API.\r\nThis threat may also store some of its parameters by saving them into the values nParam, rParam or id under the system registry key below:\r\nHKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\CrashImage\r\nOn top of that, Agent.btz carries some of its parameters in its own body – stored as an encrypted resource named CONFIG. Agent.btz locates this resource by looking for the marker 0xAA45F6F9 in its memory map.\r\nFile wmcache.nld\r\nThe second spawned thread will wait for 10 seconds. Then, it’ll save its parameters and some system information it obtains in an XML file, %system%\\wmcache.nld.\r\nThe contents of this file are encoded by XOR-ing them with the following mask:\r\n1dM3uu4j7Fw4sjnbcwlDqet4F7JyuUi4m5Imnxl1pzxI6as80cbLnmz54cs5Ldn4ri3do5L6gs923HL34x2f5cvd0fk6c1a0s\r\nBelow is a decoded fragment of the XML file, provided as an example:\r\n<?xml version=\"1.0\" encoding=\"unicode\"?>\r\n...\r\nBesides the basic system information above, Agent.btz contains code that calls the GetAdaptersInfo() and GetPerAdapterInfo() APIs in order to query the network adapter’s IP and MAC address, and the IP addresses of the network adapter’s default gateway, primary/secondary WINS, DHCP and DNS servers. The collected network details are also saved into the log file.\r\nFile winview.ocx\r\nThe second spawned thread will log threat activity into the file %system32%\\winview.ocx.\r\nThis file is also encrypted with the same XOR mask. Here are the decrypted example contents of that file:\r\n18:44:44 29.11.2008 Log begin:\r\n18:44:44 Installing to C:\\WINDOWS\\system32\\[random_name].dll\r\n18:44:44 Copying c:\\windows\\system32\\[threat_file_name].dll to C:\\WINDOWS\\system32\\[random_name].dll (0)\r\n18:44:44 ID: {7761F912-4D09-4F09-B7AF-95F4173120A6}\r\n18:44:44 Creating Software\\Classes\\CLSID\\{7761F912-4D09-4F09-B7AF-95F4173120A6}\r\n18:44:44 Creating Software\\Classes\\CLSID\\{7761F912-4D09-4F09-B7AF-95F4173120A6}\\InprocServer32\\\r\n18:44:44 Set Value C:\\WINDOWS\\system32\\[random_name].dll\r\n18:44:44 Creating SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellServiceObjectDelayLoad\\\r\n18:44:44 Native Id: 00CD1A40\r\n18:44:44 Log end.\r\nThe thread will keep saving its parameters and system information into the aforementioned encrypted XML file in a loop – once every 24 hours.\r\nFile mswmpdat.tlb\r\nThe original thread will then attempt to start 2 processes: tapi32d.exe and typecli.exe – these attempts are logged.\r\nWhenever Agent.btz detects a newly connected removable disk, it will also log the device details into the same log file %system%\\mswmpdat.tlb.\r\nThe contents of this log file are encrypted the same way – here is a decrypted fragment of it:\r\n18:44:45 29.11.2008 Log begin:\r\n18:44:45 Creating ps C:\\WINDOWS\\system32\\tapi32d.exe (2)\r\n18:44:45 Creating ps C:\\WINDOWS\\system32\\typecli.exe (2)\r\n18:44:45 Log end.\r\n19:02:48 29.11.2008 Log begin:\r\n19:02:49 Media arrived: \"D:\" Label:\"\" FS:FAT SN:00000000\r\n19:02:49 Log end.\r\nIt is not clear what these 2 files are: tapi32d.exe and typecli.exe - the analyzed code does not create them. It is possible however that the missing link is in the unknown code it injects into Internet Explorer, which can potentially download those files.\r\nFile thumb.db\r\nWhen Agent.btz detects a new drive of the type DRIVE_REMOVABLE (a disk that can be removed from the drive), it attempts to create a copy of the file %system%\\1055cf76.tmp in the root directory of that drive as thumb.db.\r\nConversely, if the newly connected drive already contains the file thumb.db, Agent.btz will create a copy of that file in the %system% directory under the same name. It will then run %system%\\thumb.db as if it were an executable file and then delete the original thumb.db from the connected drive.\r\nThe analyzed code does not create 1055cf76.tmp, but if it was an executable file downloaded by the code injected into Internet Explorer (as explained above), then it would have been passed on to other computers under the name thumb.db. Note: an attempt to run a valid thumb.db file, which is an OLE-type container, has no effect.\r\nFiles thumb.dd and mssysmgr.ocx\r\nAgent.btz is capable of creating a binary file thumb.dd on a newly connected drive. The contents of this file start with the marker 0xAAFF1290, followed by the individual CAB archives of the files winview.ocx (installation log), mswmpdat.tlb (activity log), and wmcache.nld (XML file with system information).\r\nWhen Agent.btz detects a new drive with the file thumb.dd on it (system info and logs collected from another computer), it will copy that file as %system%\\mssysmgr.ocx.\r\nThis way, the locally created files do not only contain system and network information collected from the local host, but from other compromised hosts as well.\r\nSource: http://blog.threatexpert.com/2008/11/agentbtz-threat-that-hit-pentagon.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"http://blog.threatexpert.com/2008/11/agentbtz-threat-that-hit-pentagon.html"
	],
	"report_names": [
		"agentbtz-threat-that-hit-pentagon.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434346,
	"ts_updated_at": 1775826704,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9e42753263f89db549ef5204335542b065f08337.pdf",
		"text": "https://archive.orkl.eu/9e42753263f89db549ef5204335542b065f08337.txt",
		"img": "https://archive.orkl.eu/9e42753263f89db549ef5204335542b065f08337.jpg"
	}
}