Win32/Agent.OBA [Threat Name]

Win32/Agent.OBA [Threat Variant Name]

Category trojan
Size 103936 B
Detection created Jul 24, 2008
Signature database version 3295
Aliases Trojan.Win32.Agent.xsi (Kaspersky)
  VirTool:WinNT/Rootkitdrv.KD (Microsoft)
  Downloader (Symantec)
Short description

Win32/Agent.OBA installs a backdoor that can be controlled remotely. It uses techniques common to rootkits (it loads its own kernel-mode driver and injects code into user-mode processes).

Installation

When executed, the trojan creates the following files:

  • %system%\drivers\%variable1%.sys

The trojan may create the following files:

  • %windir%\srchasst\%variable2%.lex
  • %windir%\srchasst\%variable2%
  • %windir%\Help\%variable3%.hlp
  • %windir%\Help\%variable3%
  • %windir%\ime\%variable4%.dll
  • %windir%\ime\%variable4%
  • %windir%\msagent\%variable5%.tlb
  • %windir%\msagent\%variable5%
  • %windir%\inf\%variable6%.pnf
  • %windir%\inf\%variable6%
  • %windir%\msapps\%variable7%.nfo
  • %windir%\msapps\%variable7%
  • %windir%\system\%variable8%.drv
  • %windir%\system\%variable8%
  • %windir%\web\%variable9%.htt
  • %windir%\web\%variable9%
  • %windir%\repair\%variable10%
  • %temp%\%variable11%.tmp

A string with variable content is used in place of %variable1% through %variable11%. Note that in each of the %windir% subdirectories the trojan drops a pair of files with the same base name, one with an extension that fits the directory and one with no extension.

The trojan executes the following commands:

  • sc.exe stop http
  • sc.exe start http
  • sc.exe create %variable1% type= kernel start= auto binpath= %system%\drivers\%variable1%.sys

The third command registers the dropped .sys file as an auto-start kernel-mode driver service whose service name is the same string as the image name.

The trojan can modify the following file:

  • %system%\esentprf.ini

Information stealing
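As an added triage example (not ESET's code and not part of the original write-up), the following PowerShell script checks a live host for the installation artifacts listed above. It assumes PowerShell 3.0 or later, an elevated prompt, and that the dropped driver name (%variable1%) is unknown, so it surfaces every auto-start kernel driver under %system%\drivers and flags the ones whose service name equals the image name and whose image is unsigned. The twin-file check is a generic heuristic for the paired files (X.lex next to X, X.hlp next to X, and so on); the 7045 event lookup assumes Windows Vista or later, where the Service Control Manager logs service installations.

```powershell
# Added host-triage script for the Win32/Agent.OBA installation artifacts.
# Not ESET's code. Assumptions (not in the original write-up):
#  - PowerShell 3.0+ (Get-CimInstance, Get-ChildItem -File), elevated prompt;
#  - the dropped driver name is unknown, so all auto-start kernel drivers
#    under %system%\drivers are listed and the suspicious traits are flagged;
#  - event ID 7045 ("a service was installed") exists (Vista and later).
# Nothing here modifies the host.

$windir = $env:SystemRoot
$system = Join-Path $windir 'System32'

# Win32_SystemDriver.PathName comes in several forms: \SystemRoot\..., \??\C:\...,
# a path relative to %windir%, or a full path. Normalise to a full path.
function Resolve-DriverPath([string]$p) {
    $p = $p.Trim('"')
    if ($p -match '^\\SystemRoot\\(.+)$') { return Join-Path $windir $Matches[1] }
    if ($p -match '^\\\?\?\\(.+)$')       { return $Matches[1] }
    if ($p -notmatch '^[A-Za-z]:\\')      { return Join-Path $windir $p }
    return $p
}

# 1. Auto-start kernel drivers registered the way the "sc.exe create" line does:
#    image under %system%\drivers, service name equal to the image base name.
#    Unsigned images and name matches are sorted to the top.
$drivers = Get-CimInstance Win32_SystemDriver |
    Where-Object { $_.StartMode -eq 'Auto' -and $_.PathName -match '\\drivers\\[^\\]+\.sys' } |
    ForEach-Object {
        $path = Resolve-DriverPath $_.PathName
        [pscustomobject]@{
            Service   = $_.Name
            Image     = $path
            NameMatch = ($_.Name -ieq [IO.Path]::GetFileNameWithoutExtension($path))
            Signature = if (Test-Path $path) { (Get-AuthenticodeSignature $path).Status } else { 'image missing' }
            State     = $_.State
        }
    } | Sort-Object { $_.Signature -eq 'Valid' }, { -not $_.NameMatch }

# 2. Twin-file heuristic over the directories the trojan uses for its extra files:
#    an extension-less file whose name equals the base name of a file with an
#    extension in the same directory. %windir%\repair\%variable10% and
#    %temp%\%variable11%.tmp have no twin, so this check cannot single them out.
$dirs = @('srchasst', 'Help', 'ime', 'msagent', 'inf', 'msapps', 'system', 'web') |
    ForEach-Object { Join-Path $windir $_ }
$twins = foreach ($d in $dirs) {
    if (-not (Test-Path $d)) { continue }
    $files   = @(Get-ChildItem -Path $d -File -Force -ErrorAction SilentlyContinue)
    $withExt = @($files | Where-Object { $_.Extension -ne '' })
    foreach ($bare in ($files | Where-Object { $_.Extension -eq '' })) {
        foreach ($t in ($withExt | Where-Object { $_.BaseName -ieq $bare.Name })) {
            [pscustomobject]@{
                Directory = $d
                Bare      = $bare.Name
                Twin      = $t.Name
                TwinSize  = $t.Length
                Written   = $t.LastWriteTime
            }
        }
    }
}

# 3. The file the trojan can modify, and the HTTP driver service it stops and
#    starts (HTTP is a kernel driver, so Get-Service would not list it).
$ini = Join-Path $system 'esentprf.ini'
$iniInfo = if (Test-Path $ini) { Get-Item $ini | Select-Object FullName, Length, LastWriteTime } else { "$ini not present" }
$http = Get-CimInstance Win32_SystemDriver -Filter "Name='HTTP'" | Select-Object Name, State, StartMode, PathName

# 4. Kernel-driver service installations logged by the Service Control Manager,
#    which is the trace "sc.exe create ... type= kernel" leaves in the System log.
$installs = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7045 } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'kernel mode driver' } |
    Select-Object TimeCreated, @{ n = 'Detail'; e = { $_.Message -replace '\r?\n', ' ' } }

"== Auto-start kernel drivers under %system%\drivers (unsigned / name==image first) =="
$drivers | Format-Table -AutoSize
"== Extension-less files with a same-name twin in the dropper's directories =="
$twins | Format-Table -AutoSize
"== esentprf.ini =="
$iniInfo
"== HTTP driver service =="
$http | Format-Table -AutoSize
"== Kernel-driver service installs logged by SCM (event 7045) =="
$installs | Format-Table -AutoSize -Wrap
```

Treat each hit as a lead rather than a verdict: the twin-file heuristic will also surface extension-less files an administrator has left in those folders, and on 32-bit systems of this era unsigned third-party drivers are not unusual. The combination worth escalating is an unsigned auto-start driver whose service name equals its image name, created at about the same time as a 7045 event and as a twin-file pair in one of the listed directories.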

The trojan collects the following information:

  • default Internet browser
  • operating system version

The trojan attempts to send gathered information to a remote machine.

The trojan contains a list of 4 URLs and communicates with them over HTTP.

Other information

The trojan may delete the following files:

  • %system%\msdae32.tlf
  • %system%\mspab32.tlf
  • %system%\collector.tlf
  • %system%\mscheck32.tlf
  • %system%\msipref.tlb
  • %system%\msrpref.tlb
  • %windir%\temp\{80197681-85B6-4478-BC4D-B178875656D7}.ini
  • %windir%\devicectrl32.ini

The trojan injects its own program code into the following processes and runs it there in a new thread:

  • %defaultbrowser%
  • explorer.exe

The backdoor can perform the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
