Agent.btz

Malware

⚠️ Overview

Agent.btz is a computer worm first identified in 2008 (with variants dating back to 2007) and attributed in most public reporting to Russian state-linked actors; later vendor analysis found that it shares code artefacts (file names and an XOR key) with the Turla toolset. It is best known for the 2008 infection of U.S. Department of Defense networks, including those of U.S. Central Command (CENTCOM); the Pentagon's response, not the intrusion itself, was code-named Operation Buckshot Yankee. It is a worm with backdoor and data-stealing capabilities that spread through removable media, primarily into military and government networks.

🔧 Technical Capabilities

Agent.btz spreads by abusing, rather than exploiting, the Windows AutoRun feature: it writes an Autorun.inf to the root of a removable drive so that its payload runs when the drive is inserted into a host on which AutoRun is enabled. It keeps a copy of itself in a hidden RECYCLER folder on the drive, writes the system information it gathers to a file named thumb.dd on the same drive, and uses a mutex (reported as ‘_!MyMutex!’) to avoid infecting a host twice. Note that RECYCLER is also the legitimate recycle-bin folder on NTFS volumes under Windows XP, so its presence is only suspicious on FAT-formatted removable media. The worm communicates with command-and-control (C2) servers over HTTP, exfiltrating the collected data in obfuscated form, and can download additional modules, which makes it a flexible backdoor rather than a fixed-function worm. Persistence is achieved through a value under HKCU\Software\Microsoft\Windows\CurrentVersion\Run that launches %System%\rundll32.exe with the worm’s DLL component as its argument. Evasion is modest: some variants suppress the AutoRun notification, and the dropped files carry hidden and system attributes so that a casual directory listing does not show them.

📜 History & Notable Incidents

Variants date back to 2007, but Agent.btz gained global attention in October 2008 when it was found on U.S. military networks after an infected USB drive was plugged into a laptop at a base in the Middle East; from there it spread across unclassified and classified networks, including those run by CENTCOM. The Pentagon's clean-up, Operation Buckshot Yankee, took about 14 months, and the incident is widely credited as a major catalyst for the establishment of U.S. Cyber Command in 2009. No CVEs are tied to Agent.btz: it relied on AutoRun behaving as designed rather than on an unpatched vulnerability. No law-enforcement action has been publicly documented, but the incident sharply raised the priority of removable-media threats in national security policy.

🔍 Detection Indicators

The MD5 quoted for this family in aggregated sources, 919C3A5C7B8D9E0F1A2B3C4D5E6F7A80, has the look of a placeholder (an ascending hex pattern) rather than a real sample hash; take hashes from a vendor report before loading them into a blocklist. Network indicators are weak on their own: HTTP beacons to hosting providers reported as Eastern European, with the User-Agent string ‘Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)’, which was the default for Internet Explorer 6 on Windows XP and therefore matches a large share of benign traffic from that era; use it only to pivot on the destination. Behavioural indicators are stronger: an Autorun.inf on removable media that invokes rundll32 on a DLL, a RECYCLER folder on a FAT-formatted removable drive, a thumb.dd file on the drive, and the mutex name ‘_!MyMutex!’ as reported in Symantec’s threat analysis.
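The indicators in the Technical Capabilities and Detection Indicators sections, run over constructed sample artefacts, as an added example that is not the page's or any vendor's code. The autorun.inf content, Run-key values, drive listing and proxy log lines are all constructed to match the patterns described above; 203.0.113.0/24 is a documentation address range and names such as payload.dll are placeholders. Hits are triage leads, not verdicts.

```python
"""Triage constructed artefacts for Agent.btz-style indicators (added example)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    source: str      # artefact that produced the hit
    confidence: str  # "high" or "low"; a User-Agent match alone is weak
    detail: str


# rundll32 launching a module: rundll32[.exe] <module>,<export>; module may be quoted
RUNDLL32 = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<module>[^",]+?)"?\s*,', re.IGNORECASE)
RECYCLER = re.compile(r"(?:^|[\\/])RECYCLER(?:[\\/]|$)", re.IGNORECASE)
AGENT_BTZ_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
HOST = re.compile(r"https?://([^/\s]+)")


def parse_autorun(text: str) -> dict[str, str]:
    """Return the [autorun] section as a dict with lower-cased keys.

    Hand-rolled rather than configparser because keys carry backslashes
    (shell\\open\\command) and values carry colons (drive letters).
    """
    keys: dict[str, str] = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
        elif in_section and "=" in line:
            key, _, value = line.partition("=")
            keys[key.strip().lower()] = value.strip()
    return keys


def check_autorun(text: str) -> list[Finding]:
    """Flag keys that hand a module to rundll32 when the drive is inserted."""
    findings = []
    for key, value in parse_autorun(text).items():
        launches = key in ("open", "shellexecute") or (
            key.startswith("shell\\") and key.endswith("\\command"))
        match = RUNDLL32.search(value) if launches else None
        if match:
            module = match.group("module")
            where = "under RECYCLER" if RECYCLER.search(module) else "on the drive"
            findings.append(Finding("autorun.inf", "high",
                                    f"{key}= runs rundll32 on {module} {where}"))
    return findings


def check_run_keys(values: dict[str, str]) -> list[Finding]:
    """Flag Run-key entries that load a module via rundll32 (the worm's persistence shape).

    Legitimate software also uses rundll32 here, so every hit needs a look.
    """
    return [Finding("HKCU Run key", "high", f"{name} = {cmd}")
            for name, cmd in values.items() if RUNDLL32.search(cmd)]


def check_drive_listing(paths: list[str], filesystem: str) -> list[Finding]:
    """Flag RECYCLER and thumb.dd on a removable drive.

    RECYCLER is the legitimate recycle-bin folder on NTFS volumes under
    Windows XP, so it is only suspicious on a FAT-formatted stick.
    """
    findings = []
    for path in paths:
        name = path.replace("/", "\\").rstrip("\\").rsplit("\\", 1)[-1]
        if name.lower() == "autorun.inf":
            findings.append(Finding("drive listing", "low", f"autorun.inf present at {path}"))
        elif name.upper() == "RECYCLER" and filesystem.upper() != "NTFS":
            findings.append(Finding("drive listing", "high",
                                    f"RECYCLER folder on {filesystem} volume: {path}"))
        elif name.lower() == "thumb.dd":
            findings.append(Finding("drive listing", "high", f"thumb.dd data file at {path}"))
    return findings


def check_proxy_log(lines: list[str]) -> list[Finding]:
    """Flag the Agent.btz User-Agent; it was the IE6/XP default, hence low confidence."""
    findings = []
    for line in lines:
        if AGENT_BTZ_UA in line:
            host = HOST.search(line)
            findings.append(Finding("proxy log", "low",
                                    f"MSIE 6.0 UA to {host.group(1) if host else '?'}"))
    return findings


def triage(autorun_inf, run_values, drive_paths, filesystem, proxy_lines) -> list[Finding]:
    """Run every check and return high-confidence hits first."""
    hits = (check_autorun(autorun_inf) + check_run_keys(run_values)
            + check_drive_listing(drive_paths, filesystem) + check_proxy_log(proxy_lines))
    return sorted(hits, key=lambda f: f.confidence != "high")


# --- constructed samples, not real captures ---
SAMPLE_AUTORUN_INF = r"""
[AutoRun]
; constructed to match the pattern described on the page
open=rundll32.exe .\RECYCLER\S-1-5-21-0-0-0-1000\payload.dll,InstallM
shell\open\command=rundll32.exe .\RECYCLER\S-1-5-21-0-0-0-1000\payload.dll,InstallM
icon=%SystemRoot%\system32\shell32.dll,4
"""
SAMPLE_RUN_VALUES = {
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
    "Sample": r"rundll32.exe %System%\payload.dll,Install",  # constructed persistence entry
}
SAMPLE_DRIVE_LISTING = [r"E:\autorun.inf", r"E:\RECYCLER",
                        r"E:\RECYCLER\S-1-5-21-0-0-0-1000\payload.dll", r"E:\thumb.dd", r"E:\notes.doc"]
SAMPLE_PROXY_LOG = [  # constructed; 203.0.113.0/24 is a documentation range
    '2008-11-02 09:14:07 10.20.30.40 GET http://203.0.113.10/cgi-bin/index.cgi 200 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    '2008-11-02 09:14:09 10.20.30.41 GET http://example.com/ 200 "Mozilla/5.0 (Windows; U; Windows NT 5.1) Firefox/3.0.3"',
]

if __name__ == "__main__":
    for f in triage(SAMPLE_AUTORUN_INF, SAMPLE_RUN_VALUES, SAMPLE_DRIVE_LISTING, "FAT32", SAMPLE_PROXY_LOG):
        print(f"[{f.confidence:4}] {f.source}: {f.detail}")
```

Feed `check_drive_listing` the filesystem type reported for the mounted volume; the RECYCLER check deliberately stays quiet on NTFS so the rule does not fire on every XP system drive.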

☠️ Risk & Impact

Agent.btz exfiltrates documents and system information from infected hosts; no financial loss has been publicly quantified. The impact was operational: classified and unclassified DoD networks, including CENTCOM's, were compromised, and removable media were banned across U.S. military systems for more than a year while the networks were cleaned. The publicly documented victims were defense and intelligence organisations, although later vendor telemetry found Agent.btz variants on hosts in many countries and sectors, and the incident became a catalyst for tighter removable-media hygiene.

🛡️ Mitigation

Mitigation starts with disabling AutoRun: set the REG_DWORD value NoDriveTypeAutoRun to 0xFF under HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer (the HKLM policy overrides the HKCU one) or apply the equivalent Group Policy, “Turn off Autoplay” for all drives; on Windows XP and Vista the value was not honoured for every drive type until an earlier Microsoft AutoRun update was installed. Windows 7 and later, and older versions with the 2011 AutoRun update, only process Autorun.inf from optical media, so the residual risk today is on unpatched legacy hosts. Beyond that: enforce device-control policies that restrict which USB storage devices may mount, scan removable media before use, and add endpoint detection rules for RECYCLER directories on FAT-formatted removable drives and for Run-key entries that load a DLL through rundll32. The U.S. Department of Defense responded by banning removable media, physically disabling USB ports on many systems, and later requiring scanning of all removable media, as described in subsequent public accounts by DoD leadership.
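An audit of the NoDriveTypeAutoRun policy described above, as an added example that is not the page's or DoD's own tooling. The bitmask semantics are Microsoft's documented ones; the audit logic (HKLM policy overrides HKCU, an absent value falls back to the 0x91 default of XP-era systems, and a string value is read as hex the way regedit displays DWORDs) is this example's reading of that documentation. Registry access goes through the standard winreg module and only happens on Windows; the pure functions run anywhere.

```python
"""Audit and enforce NoDriveTypeAutoRun (added example)."""
import sys

# Bit set == AutoRun disabled for that drive type (DRIVE_* values from GetDriveType)
DRIVE_BITS = {
    0x01: "unknown",
    0x02: "no root directory",
    0x04: "removable",
    0x08: "fixed",
    0x10: "network",
    0x20: "CD-ROM",
    0x40: "RAM disk",
    0x80: "unspecified",
}
DEFAULT_VALUE = 0x91   # XP-era default: unknown, network and unspecified disabled only
DISABLE_ALL = 0xFF
POLICY_PATH = r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
VALUE_NAME = "NoDriveTypeAutoRun"


def normalize(value) -> int:
    """Accept a REG_DWORD int or a hex string as regedit shows it ('ff', '0xff')."""
    if isinstance(value, int):
        return value & 0xFF
    text = str(value).strip().lower()
    if text.startswith("0x"):
        text = text[2:]
    return int(text, 16) & 0xFF


def uncovered_drive_types(value) -> list[str]:
    """Drive types for which AutoRun would still fire under this value."""
    v = normalize(value)
    return [name for bit, name in DRIVE_BITS.items() if not v & bit]


def audit(hklm_policy=None, hkcu_policy=None) -> dict:
    """Work out the effective value and whether removable media are covered.

    Assumption: the HKLM policy beats the HKCU policy, and no policy means the default.
    """
    if hklm_policy is not None:
        effective, source = normalize(hklm_policy), "HKLM policy"
    elif hkcu_policy is not None:
        effective, source = normalize(hkcu_policy), "HKCU policy"
    else:
        effective, source = DEFAULT_VALUE, "default (no policy set)"
    uncovered = uncovered_drive_types(effective)
    return {
        "effective": effective,
        "source": source,
        "uncovered": uncovered,
        "removable_covered": "removable" not in uncovered,
        "compliant": effective == DISABLE_ALL,
    }


def read_policy(hive_name: str):
    """Read the policy value from HKLM or HKCU; None if absent. Windows only."""
    import winreg
    hive = winreg.HKEY_LOCAL_MACHINE if hive_name == "HKLM" else winreg.HKEY_CURRENT_USER
    try:
        with winreg.OpenKey(hive, POLICY_PATH) as key:
            value, _ = winreg.QueryValueEx(key, VALUE_NAME)
            return value
    except FileNotFoundError:
        return None


def enforce_disable_all() -> None:
    """Set the machine-wide policy to 0xFF (needs an elevated prompt). Windows only."""
    import winreg
    with winreg.CreateKeyEx(winreg.HKEY_LOCAL_MACHINE, POLICY_PATH, 0, winreg.KEY_SET_VALUE) as key:
        winreg.SetValueEx(key, VALUE_NAME, 0, winreg.REG_DWORD, DISABLE_ALL)


if __name__ == "__main__":
    if sys.platform == "win32":
        report = audit(read_policy("HKLM"), read_policy("HKCU"))
    else:
        report = audit(None, "91")  # constructed: an unconfigured XP-era host
    print(f"effective 0x{report['effective']:02X} from {report['source']}")
    print("AutoRun still enabled for:", ", ".join(report["uncovered"]) or "nothing")
    if sys.platform == "win32" and not report["compliant"]:
        enforce_disable_all()
```

On a domain-joined machine set the value through Group Policy rather than with `enforce_disable_all`, since the next policy refresh overwrites a hand-edited Policies key; the audit function is still useful there for confirming what actually landed on the endpoint.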
