Win32/Spy.Agent.OKG [Threat Name]
Win32/Spy.Agent.OKG [Threat Variant Name]
Detection created: Jun 19, 2014
Signature database version: 10038
Win32/Spy.Agent.OKG is a worm that spreads via shared network folders. It also serves as a backdoor and can be controlled remotely.
When executed, the worm copies itself into the following location:
- %appdata%\AdobeFlashPlayer\mswinhost.exe (118784 B)
The worm may create the following files:
- %appdata%\mskrnl (118784 B)
- %appdata%\winserv.exe (118784 B)
- %temp%\%variable1%.exe (127864 B, a UPX-packed copy of the Sysinternals PsExec tool)
- %temp%\%variable2%.exe (118784 B)
A string with variable content is used in place of %variable1%, %variable2% and %variable3%.
In order to be executed on every system start, the worm sets the following Registry value (the report lists the value name and data but not the containing key):
- "Windows NT Service" = "%appdata%\AdobeFlashPlayer\mswinhost.exe"
The following Registry entry is set:
- "identifier" = "%variable3%"
Win32/Spy.Agent.OKG spreads via shared folders: the worm tries to copy itself to shared network folders, and the copied files are then executed on the remote computer.
The worm executes the following commands:
- net.exe view
- %temp%\%variable1%.exe %networkshare% -accepteula -d -c %temp%\%variable2%.exe
- %appdata%\AdobeFlashPlayer\mswinhost.exe -m %malwarefilepath%
net.exe view enumerates reachable hosts and shares; in the PsExec invocation, -c copies %temp%\%variable2%.exe to the target before running it, -d returns without waiting for it to finish, and -accepteula suppresses the licence prompt. Because PsExec performs the remote execution through the target's admin share and installs its PSEXESVC service there, a service-installation record for PSEXESVC on the target host is the usual trace of this kind of spread.
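The following triage helper is an added example, not ESET's code, written to turn the Installation and Spreading sections above into something that can be run over collected evidence: it matches process-creation events (pid, image, command line) against the three command lines listed for spreading, and file listings and autorun values against the dropped-file paths, sizes and the "Windows NT Service" value. The sample events, file list, autorun export and the user profile paths (APPDATA, TEMP) are constructed for the demonstration; the indicators themselves come from the report.

```python
"""Triage helper for the Win32/Spy.Agent.OKG indicators on this page.

Added example, not ESET's code.  Matches constructed process-creation events
against the command lines in the "Spreading" section, and constructed file and
autorun observations against the "Installation" section.
"""
import re

# Installation indicators, in the report's placeholder form (lower-cased for matching).
DROPPED_FILES = {
    r"%appdata%\adobeflashplayer\mswinhost.exe": 118784,
    r"%appdata%\mskrnl": 118784,
    r"%appdata%\winserv.exe": 118784,
}
AUTORUN_NAME = "Windows NT Service"
AUTORUN_DATA = r"%appdata%\adobeflashplayer\mswinhost.exe"

# Spreading indicators: a %temp% executable (the dropped PsExec) pushing a
# second %temp% executable to a share with "-accepteula -d -c".
PSEXEC_PUSH = re.compile(
    r"(?P<tool>\S*\\temp\\[^\\\s]+\.exe)\s+(?P<target>\\\\[^\s\\]+)\s+"
    r"-accepteula\s+-d\s+-c\s+(?P<payload>\S+)", re.IGNORECASE)
NET_VIEW = re.compile(r"\bnet(?:\.exe)?\s+view\b", re.IGNORECASE)
MSWINHOST_M = re.compile(r"mswinhost\.exe\s+-m\s+(?P<src>\S+)", re.IGNORECASE)


def normalize_path(path, appdata, temp=None):
    """Rewrite a concrete path into the report's %appdata% / %temp% form."""
    p = path.lower()
    for placeholder, prefix in (("%appdata%", appdata), ("%temp%", temp)):
        if prefix and p.startswith(prefix.lower() + "\\"):
            return placeholder + p[len(prefix):]
    return p


def check_files(observed, appdata, temp):
    """Return (path, expected_size, size_matches) for every observed (path, size)
    whose normalized path is one of the dropped files.  A path hit with the
    wrong size is still reported: the size is a weaker indicator than the path."""
    hits = []
    for path, size in observed:
        expected = DROPPED_FILES.get(normalize_path(path, appdata, temp))
        if expected is not None:
            hits.append((path, expected, size == expected))
    return hits


def check_autorun(values, appdata):
    """values: {value_name: data} exported from an autorun key.  The report gives
    only the value name and data, not the key, so the caller chooses which keys
    to export (assumption: any Run-style key is worth checking)."""
    data = values.get(AUTORUN_NAME)
    return data is not None and normalize_path(data, appdata) == AUTORUN_DATA


def scan_process_events(events):
    """Flag process-creation events whose command line matches one of the
    report's three commands.  Returns (pid, indicator, detail) tuples."""
    findings = []
    for ev in events:
        cmd = ev["cmdline"]
        if NET_VIEW.search(cmd):
            findings.append((ev["pid"], "net_view", cmd))
        m = PSEXEC_PUSH.search(cmd)
        if m:
            findings.append((ev["pid"], "psexec_push", (m["target"], m["payload"])))
        m = MSWINHOST_M.search(cmd)
        if m:
            findings.append((ev["pid"], "mswinhost_m", m["src"]))
    return findings


# Constructed sample data (not from the report).
APPDATA = r"C:\Users\bob\AppData\Roaming"
TEMP = r"C:\Users\bob\AppData\Local\Temp"
SAMPLE_FILES = [
    (APPDATA + r"\AdobeFlashPlayer\mswinhost.exe", 118784),
    (APPDATA + r"\winserv.exe", 4096),            # right path, wrong size
    (r"C:\Windows\System32\svchost.exe", 52224),   # unrelated
]
SAMPLE_AUTORUN = {"Windows NT Service": APPDATA + r"\AdobeFlashPlayer\mswinhost.exe"}
SAMPLE_EVENTS = [
    {"pid": 4120, "image": r"C:\Windows\System32\net.exe", "cmdline": "net.exe view"},
    {"pid": 4188, "image": TEMP + r"\a7f3c.exe",
     "cmdline": TEMP + r"\a7f3c.exe \\FILESRV01 -accepteula -d -c " + TEMP + r"\d91e.exe"},
    {"pid": 4200, "image": APPDATA + r"\AdobeFlashPlayer\mswinhost.exe",
     "cmdline": APPDATA + r"\AdobeFlashPlayer\mswinhost.exe -m C:\Users\bob\Downloads\update.exe"},
    {"pid": 5000, "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
]

if __name__ == "__main__":
    for hit in check_files(SAMPLE_FILES, APPDATA, TEMP):
        print("file:", hit)
    print("autorun:", check_autorun(SAMPLE_AUTORUN, APPDATA))
    for finding in scan_process_events(SAMPLE_EVENTS):
        print("process:", finding)
```

The PsExec pattern deliberately keys on the argument shape rather than on the file name, since the dropped PsExec copy has a variable name under %temp%; the captured target and payload are what you would pivot on next (the share that was written to and the second %temp% binary that was pushed).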
The worm collects the following information:
- computer name
- user name
- operating system version
- logged keystrokes
The collected information is stored in the following file:
The worm searches the memory of running processes and tries to find the following information:
- credit card information
It avoids processes whose path contains any of the following strings:
The worm attempts to send gathered information to a remote machine.
The worm creates and runs a new thread with its own program code within the following processes:
The worm acquires data and commands from a remote computer or the Internet.
The worm contains a list of two URLs; HTTP is used for the communication.
It may perform the following actions:
- download files from a remote computer and/or the Internet
- run executable files
- update itself to a newer version
- uninstall itself
- send gathered information