
S0092: Agent.btz

Agent.btz is a worm that primarily spreads itself via removable devices such as USB drives. It reportedly infected U.S. military networks in 2008. [1]

Domain: Enterprise | ID: S0092 | Type: Malware | Object version: 1.1
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: High

Agent.btz matters because it represents a removable-media worm pattern: malware spreading through USB devices, with reported historical infection of U.S. military networks in 2008. For leaders, the practical issue is not just malware cleanup; it is whether Windows environments, restricted networks, and potentially disconnected systems have enforceable controls and evidence around USB use, discovery activity, file transfer, collection, and possible USB-based exfiltration.

Executive priority

Prioritize this as a resilience and governance question for environments where removable media is still permitted or operationally necessary. Executives should ask whether the organization can prove which Windows systems allow USB storage, who used removable devices, what data moved to or from them, and how incident response would contain a worm-like outbreak across segmented or air-gapped areas. This is especially relevant to audit evidence, insider-risk controls, cyber-physical/OT-adjacent workflows that rely on removable media, and budget decisions around endpoint control and logging.

Technical view

The supplied ATT&CK relationships tie Agent.btz to discovery, removable-media propagation, ingress tool transfer, collection via custom archive methods, and USB exfiltration. SOC and IR teams should validate coverage on Windows endpoints for removable-device insertion, file creation or execution from removable paths, autorun-like behavior where applicable, user and network configuration discovery, unusual archive creation, and file movement between hosts and USB media. Because ATT&CK provides no official detection text for this object, detections should be built from the related techniques rather than from a malware-specific analytic claim.

Likely telemetry

  • Windows endpoint process execution and command-line logs
  • Removable storage insertion, mount, and device identifier events
  • File creation, modification, and execution events on removable media
  • Endpoint security alerts for worm-like replication or suspicious USB activity
  • User logon/session context for systems using removable devices

Detection direction

  • Validate whether Windows systems generate searchable events for USB insertion and file writes/executes from removable media.
  • Correlate removable-media activity with system owner/user discovery and network configuration discovery to separate routine device use from suspicious staging behavior.
  • Look for repeated propagation patterns across multiple hosts using the same removable device or similarly named copied files.
  • Tune detections carefully for environments where USB is business-critical, using allowlisted devices, approved users, and expected maintenance workflows to reduce false positives.
  • Review for collection indicators such as unusual archive creation before USB transfer, but avoid assuming a specific tool because the relationship is to custom archive methods.

Mitigation priorities

  • Start with policy and inventory: identify where removable storage is allowed, prohibited, or operationally required.
  • Enforce removable-media controls on Windows endpoints, prioritizing sensitive, regulated, segmented, or operational environments.
  • Disable or restrict automatic execution behavior from removable media where applicable.
  • Require logging and retention for USB device use, file movement, and endpoint process activity so SOC and IR teams can reconstruct spread and exfiltration paths.
  • Apply least privilege and user accountability for systems that handle removable media.
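As an added example for the mitigation bullets above (written for this page; not code from ATT&CK or Glexia), the following Python evaluates a snapshot of the two Windows policy settings most relevant to this pattern: NoDriveTypeAutoRun, the AutoRun bitmask under the Explorer policy key, and the Removable Storage Access Deny_Read/Deny_Write/Deny_Execute values for the Removable Disks device class. The WEAK_HOST and HARDENED_HOST snapshots are constructed; read_live_snapshot() reads the same values with winreg when run on a Windows host and returns nothing elsewhere. One caveat worth stating: since Microsoft's AutoRun update (KB971029), Windows no longer honors autorun.inf on USB disks, only on CD/DVD media, so the AutoRun bit mainly matters for legacy or unpatched hosts, while Deny_Execute and Deny_Write are the controls that actually block execution from and writes to removable disks.

```python
"""Evaluate a Windows host's removable-media policy settings (added example)."""

# Registry locations as subkeys under HKEY_LOCAL_MACHINE (verify against your own
# baseline). The Explorer policy key holds NoDriveTypeAutoRun; the GUID subkey under
# RemovableStorageDevices is the "Removable Disks" device class targeted by the
# Removable Storage Access group policies.
EXPLORER_POLICY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
REMOVABLE_DISKS = (r"SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices"
                   r"\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}")
DENY_VALUES = ("Deny_Read", "Deny_Write", "Deny_Execute")

# NoDriveTypeAutoRun is a bitmask: a set bit disables AutoRun for that drive type.
# 0xFF disables it for every type; the Windows default of 0x91 leaves removable
# drives (0x04) and CD/DVD drives (0x20) enabled.
DRIVE_REMOVABLE = 0x04
DRIVE_CDROM = 0x20
ALL_DRIVE_TYPES = 0xFF
DEFAULT_MASK = 0x91

# Constructed snapshots of the form {(subkey, value_name): data}; not read from real hosts.
WEAK_HOST = {(EXPLORER_POLICY, "NoDriveTypeAutoRun"): DEFAULT_MASK}
HARDENED_HOST = {
    (EXPLORER_POLICY, "NoDriveTypeAutoRun"): ALL_DRIVE_TYPES,
    (REMOVABLE_DISKS, "Deny_Write"): 1,
    (REMOVABLE_DISKS, "Deny_Execute"): 1,
}


def autorun_disabled(snapshot, drive_type_bit=DRIVE_REMOVABLE):
    """True if AutoRun is disabled for the given drive type; an absent value means the Windows default."""
    mask = snapshot.get((EXPLORER_POLICY, "NoDriveTypeAutoRun"), DEFAULT_MASK)
    return bool(mask & drive_type_bit)


def removable_disk_denials(snapshot):
    """Which Removable Storage Access denials are enforced for removable disks."""
    return {name: snapshot.get((REMOVABLE_DISKS, name), 0) == 1 for name in DENY_VALUES}


def evaluate(snapshot):
    """Return findings against the baseline; an empty list means the host is compliant."""
    findings = []
    mask = snapshot.get((EXPLORER_POLICY, "NoDriveTypeAutoRun"), DEFAULT_MASK)
    for bit, label in ((DRIVE_REMOVABLE, "removable drives"), (DRIVE_CDROM, "CD/DVD drives")):
        if not autorun_disabled(snapshot, bit):
            findings.append(f"AutoRun still enabled for {label} (NoDriveTypeAutoRun=0x{mask:02X})")
    denials = removable_disk_denials(snapshot)
    if not denials["Deny_Execute"]:
        findings.append("Execution from removable disks is not denied (Deny_Execute missing or 0)")
    if not denials["Deny_Write"]:
        findings.append("Writes to removable disks are not denied (Deny_Write missing or 0)")
    return findings


def read_live_snapshot():
    """Read the same values from the local machine registry on Windows; {} elsewhere."""
    try:
        import winreg
    except ImportError:
        return {}
    wanted = [(EXPLORER_POLICY, "NoDriveTypeAutoRun")] + [(REMOVABLE_DISKS, n) for n in DENY_VALUES]
    snapshot = {}
    for subkey, name in wanted:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey) as key:
                snapshot[(subkey, name)] = winreg.QueryValueEx(key, name)[0]
        except OSError:
            pass  # key or value absent: evaluate() falls back to the Windows default
    return snapshot


if __name__ == "__main__":
    for label, snap in (("weak", WEAK_HOST), ("hardened", HARDENED_HOST), ("this host", read_live_snapshot())):
        print(label, evaluate(snap) or "compliant")
```

The user-scope copies of these policies (under HKEY_CURRENT_USER) and the WPD device classes are not checked here; a fleet-wide audit would pull the same values from each endpoint's registry or from group policy results and feed them to evaluate().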

Analyst notes and limits

The object is a malware entry for Agent.btz in the enterprise ATT&CK domain, with Windows as the supplied malware platform and no tactics specified directly on the malware object. Decision value comes from the related techniques: System Network Configuration Discovery, System Owner/User Discovery, Exfiltration over USB, Replication Through Removable Media, Ingress Tool Transfer, and Archive via Custom Method. The official description supports USB/removable-device spread and a reported 2008 U.S. military network infection, but does not support claims about current activity or attribution.

Official detection is not provided. Beyond the file names (autorun.inf, thumb.dd) and the download of an encrypted binary from an unspecified domain mentioned in the relationship text, the supplied data includes no indicators, hashes, domains, command examples, persistence details, or confirmed current exploitation. Platform and tactic statements should be bounded to the malware object and the listed ATT&CK relationships; local telemetry is required to determine actual exposure and detection coverage.

Official MITRE ATT&CK definition

Agent.btz

Agent.btz is a worm that primarily spreads itself via removable devices such as USB drives. It reportedly infected U.S. military networks in 2008. [1]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID | Name | Relationship / procedure

Enterprise | T1033 | System Owner/User Discovery
Agent.btz obtains the victim username and saves it to a file. (Citation: ThreatExpert Agent.btz)

Enterprise | T1091 | Replication Through Removable Media
Agent.btz drops itself onto removable media devices and creates an autorun.inf file with an instruction to run that file. When the device is inserted into another system, it opens autorun.inf and loads the malware. (Citation: ThreatExpert Agent.btz)

Enterprise | T1052.001 | Exfiltration over USB (sub-technique)
Agent.btz creates a file named thumb.dd on all USB flash drives connected to the victim. This file contains information about the infected system and activity logs. (Citation: Securelist Agent.btz)

Enterprise | T1016 | System Network Configuration Discovery
Agent.btz collects the network adapter's IP and MAC address as well as IP addresses of the network adapter's default gateway, primary/secondary WINS, DHCP, and DNS servers, and saves them into a log file. (Citation: ThreatExpert Agent.btz)

Enterprise | T1560.003 | Archive via Custom Method (sub-technique)
Agent.btz saves system information into an XML file that is then XOR-encoded. (Citation: ThreatExpert Agent.btz)

Enterprise | T1105 | Ingress Tool Transfer
Agent.btz attempts to download an encrypted binary from a specified domain. (Citation: ThreatExpert Agent.btz)
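The "Detection direction" bullets above and the T1091 and T1052.001 rows in this table describe the same observable behaviours: files named autorun.inf and thumb.dd being written to removable media, and one device carrying them from host to host. The following Python is an added example written for this page, not ATT&CK or Glexia code. It runs those checks over a constructed, Sysmon-like event list, ties each write back to the device serial recorded at mount time, applies an allowlist of approved maintenance devices, and then looks for the same serial producing watched writes on two or more hosts. Event field names, host names, serials and image paths are all assumptions.

```python
"""Removable-media detection logic for the Agent.btz pattern (added example)."""
from collections import defaultdict

# File names the ATT&CK relationship text attributes to Agent.btz on removable
# media: autorun.inf (T1091) and thumb.dd (T1052.001). Matched case-insensitively.
WATCHED_NAMES = {"autorun.inf", "thumb.dd"}

# Device serials used in an approved maintenance workflow; writes from these are
# recorded as findings but not raised as alerts. Constructed value.
ALLOWLISTED_SERIALS = {"USB-MAINT-01"}

# Constructed sample telemetry (not real logs). "device_insert" stands in for a
# removable-storage mount event carrying the device serial and the logged-on user;
# "file_create" stands in for a Sysmon Event ID 11 (FileCreate) record.
SAMPLE_EVENTS = [
    {"ts": 100, "host": "WS01", "event": "device_insert", "drive": "E:", "serial": "USB-1234", "user": "alice"},
    {"ts": 101, "host": "WS01", "event": "file_create", "path": r"E:\autorun.inf", "image": r"C:\Windows\System32\rundll32.exe"},
    {"ts": 102, "host": "WS01", "event": "file_create", "path": r"E:\thumb.dd", "image": r"C:\Windows\System32\rundll32.exe"},
    {"ts": 200, "host": "WS02", "event": "device_insert", "drive": "F:", "serial": "USB-1234", "user": "bob"},
    {"ts": 201, "host": "WS02", "event": "file_create", "path": r"F:\autorun.inf", "image": r"C:\Windows\System32\rundll32.exe"},
    {"ts": 202, "host": "WS02", "event": "file_create", "path": r"F:\thumb.dd", "image": r"C:\Windows\System32\rundll32.exe"},
    {"ts": 300, "host": "WS03", "event": "device_insert", "drive": "E:", "serial": "USB-MAINT-01", "user": "svc_maint"},
    {"ts": 301, "host": "WS03", "event": "file_create", "path": r"E:\autorun.inf", "image": r"C:\Tools\imager.exe"},
    {"ts": 400, "host": "WS04", "event": "device_insert", "drive": "E:", "serial": "USB-7777", "user": "carol"},
    {"ts": 401, "host": "WS04", "event": "file_create", "path": r"E:\report.docx", "image": r"C:\Program Files\Office\WINWORD.EXE"},
    {"ts": 402, "host": "WS04", "event": "file_create", "path": r"C:\Users\carol\thumb.dd", "image": r"C:\Windows\notepad.exe"},
]


def mount_for(events, host, drive, ts):
    """The most recent mount event for host/drive at or before ts, or None.

    A path on a drive letter with no preceding mount event (e.g. C:) is treated
    as non-removable and is out of scope for this rule.
    """
    mount = None
    for e in sorted(events, key=lambda e: e["ts"]):
        if (e["event"] == "device_insert" and e["host"] == host
                and e["drive"].upper() == drive.upper() and e["ts"] <= ts):
            mount = e
    return mount


def find_watched_writes(events):
    """One finding per watched file name created on a mounted removable drive."""
    findings = []
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["event"] != "file_create":
            continue
        drive, name = e["path"][:2], e["path"].rsplit("\\", 1)[-1].lower()
        if name not in WATCHED_NAMES:
            continue
        mount = mount_for(events, e["host"], drive, e["ts"])
        if mount is None:
            continue
        findings.append({
            "ts": e["ts"], "host": e["host"], "user": mount["user"], "serial": mount["serial"],
            "name": name, "image": e["image"], "allowlisted": mount["serial"] in ALLOWLISTED_SERIALS,
        })
    return findings


def propagation_by_device(findings):
    """Serials whose non-allowlisted watched writes span two or more hosts (worm-like spread)."""
    hosts = defaultdict(set)
    for f in findings:
        if not f["allowlisted"]:
            hosts[f["serial"]].add(f["host"])
    return {serial: sorted(h) for serial, h in hosts.items() if len(h) >= 2}


def alerts(events):
    """Combine both checks into a list of human-readable alert strings."""
    findings = find_watched_writes(events)
    out = [f"{f['host']} ({f['user']}): {f['name']} written to device {f['serial']} by {f['image']}"
           for f in findings if not f["allowlisted"]]
    for serial, hosts in propagation_by_device(findings).items():
        out.append(f"device {serial} carried watched files across hosts {', '.join(hosts)}")
    return out


if __name__ == "__main__":
    for line in alerts(SAMPLE_EVENTS):
        print(line)
```

The thumb.dd written under C:\Users on WS04 is deliberately not flagged: the rule is scoped to removable media so that it stays tied to the T1091/T1052.001 relationship text, and a host-local copy would belong to a separate rule with its own tuning.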


Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.1
Created: (empty in mirrored snapshot)
Modified: (empty in mirrored snapshot)
Raw hash: 702b77ff87ff7365...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | (empty) | 1.1 | (empty) | Current bundle | 702b77ff87ff…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  [1] Securelist Agent.btz: Gostev, A. (2014, March 12). Agent.btz: a Source of Inspiration? Retrieved April 8, 2016.
  [2] mitre-attack S0092
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.