Win32/Agent.OBA [Threat Name]
Win32/Agent.OBA [Threat Variant Name]
Category | trojan, worm
Size | 103936 B
Aliases | Trojan.Win32.Agent.xsi (Kaspersky), VirTool:WinNT/Rootkitdrv.KD (Microsoft), Downloader (Symantec)
Short description
Win32/Agent.OBA installs a backdoor that can be controlled remotely. It uses techniques common to rootkits.
Installation
When executed, the trojan creates the following file:
- %system%\drivers\%variable1%.sys
The trojan may create the following files:
- %windir%\srchasst\%variable2%.lex
- %windir%\srchasst\%variable2%
- %windir%\Help\%variable3%.hlp
- %windir%\Help\%variable3%
- %windir%\ime\%variable4%.dll
- %windir%\ime\%variable4%
- %windir%\msagent\%variable5%.tlb
- %windir%\msagent\%variable5%
- %windir%\inf\%variable6%.pnf
- %windir%\inf\%variable6%
- %windir%\msapps\%variable7%.nfo
- %windir%\msapps\%variable7%
- %windir%\system\%variable8%.drv
- %windir%\system\%variable8%
- %windir%\web\%variable9%.htt
- %windir%\web\%variable9%
- %windir%\repair\%variable10%
- %temp%\%variable11%.tmp
A string with variable content is used instead of %variable1-11%.
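The file list above shows a recognisable drop pattern: in each of several %windir% subdirectories the trojan writes a file with a plausible extension for that directory (.lex, .hlp, .dll, .tlb, .pnf, .nfo, .drv, .htt) plus a second file with the same random base name and no extension at all. Legitimate files in those directories essentially never come in such pairs, so the pairing itself is a usable scan heuristic. The following script is an added example written for this description, not code from ESET or from the threat; it walks a directory tree laid out like %windir%, reports any such pair, and builds a small constructed sample tree so it can be run offline. The directory names and extensions are taken from the list above; the sample file names (qzxk, abcd) are invented.

```python
import os
import tempfile

# Subdirectory / extension pairs taken from the file list in this description.
# The trojan drops <name><ext> and a bare <name> side by side in each directory.
PAIRED_DROPS = [
    ("srchasst", ".lex"),
    ("Help", ".hlp"),
    ("ime", ".dll"),
    ("msagent", ".tlb"),
    ("inf", ".pnf"),
    ("msapps", ".nfo"),
    ("system", ".drv"),
    ("web", ".htt"),
]


def find_paired_drops(windir):
    """Return (subdir, base name) for every file name.ext whose bare twin 'name' exists."""
    hits = []
    for subdir, ext in PAIRED_DROPS:
        folder = os.path.join(windir, subdir)
        if not os.path.isdir(folder):
            continue
        names = set(os.listdir(folder))
        for name in sorted(names):
            if name.lower().endswith(ext) and name[: -len(ext)] in names:
                hits.append((subdir, name[: -len(ext)]))
    return hits


def _touch(root, subdir, name):
    """Create an empty file root/subdir/name, creating the directory if needed."""
    folder = os.path.join(root, subdir)
    os.makedirs(folder, exist_ok=True)
    with open(os.path.join(folder, name), "wb"):
        pass


def build_sample_tree():
    """Constructed sample: a throwaway tree imitating %windir% (assumed names, not real data)."""
    root = tempfile.mkdtemp(prefix="windir_sample_")
    # Ordinary single files that must not be reported.
    _touch(root, "Help", "notepad.hlp")
    _touch(root, "ime", "imjp81k.dll")
    _touch(root, "inf", "oem1.inf")
    # Two suspicious pairs shaped like the drops listed above (invented base names).
    _touch(root, "srchasst", "qzxk.lex")
    _touch(root, "srchasst", "qzxk")
    _touch(root, "inf", "abcd.pnf")
    _touch(root, "inf", "abcd")
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    for subdir, base in find_paired_drops(sample):
        print(f"suspicious pair in {subdir}: {base} plus {base}<ext>")
```

On a real host, point find_paired_drops at the actual Windows directory (for example os.environ["WINDIR"]); any reported pair is worth a closer look at the driver service described in the next step, since the two are created together.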
The trojan executes the following commands:
- sc.exe stop http
- sc.exe start http
- sc.exe create %variable1% type= kernel start= auto binpath= %system%\drivers\%variable1%.sys
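The third command is the one that matters for detection: it registers an auto-start kernel driver whose service name is the random %variable1% and whose image is %system%\drivers\%variable1%.sys, i.e. the service name and the driver file name are identical. The script below is an added example, not part of ESET's description, that parses `sc create` command lines from process-creation telemetry and flags exactly that combination (type= kernel, start= auto, image under a drivers directory, image name equal to the service name). The command lines it runs on are constructed samples modelled on the three commands above; the service name xq7kd and the MyAppSvc line are invented.

```python
import re
import shlex

# Constructed sample of process-creation command lines (not real telemetry).
SAMPLE_COMMAND_LINES = [
    r"sc.exe stop http",
    r"sc.exe start http",
    r"sc.exe create xq7kd type= kernel start= auto binpath= C:\WINDOWS\system32\drivers\xq7kd.sys",
    r'sc.exe create MyAppSvc type= own start= auto binpath= "C:\Program Files\MyApp\svc.exe"',
    r"sc.exe query wuauserv",
]

# Matches `sc create <name> <options>` with an optional path prefix and optional .exe.
SC_CREATE = re.compile(r'^\s*(?:"?[^"\s]*\\)?sc(?:\.exe)?"?\s+create\s+(\S+)\s+(.*)$', re.I)


def parse_sc_create(cmdline):
    """Return (service name, option dict) for an `sc create` command line, else None.

    sc.exe syntax is `option= value` with the space after '=' mandatory, so the
    tokens come in pairs: 'type=' is followed by 'kernel'.
    """
    match = SC_CREATE.match(cmdline)
    if not match:
        return None
    name, rest = match.group(1), match.group(2)
    tokens = shlex.split(rest, posix=False)  # keep backslashes and quoted paths intact
    opts = {}
    i = 0
    while i < len(tokens):
        if tokens[i].endswith("=") and i + 1 < len(tokens):
            opts[tokens[i][:-1].lower()] = tokens[i + 1].strip('"')
            i += 2
        else:
            i += 1
    return name, opts


def flag_kernel_driver_install(cmdline):
    """Describe an `sc create` that installs a kernel driver; None for anything else."""
    parsed = parse_sc_create(cmdline)
    if parsed is None:
        return None
    name, opts = parsed
    if opts.get("type", "").lower() != "kernel":
        return None
    binpath = opts.get("binpath", "")
    image = binpath.replace("/", "\\").rsplit("\\", 1)[-1]
    return {
        "service": name,
        "binpath": binpath,
        "auto_start": opts.get("start", "").lower() == "auto",
        "in_drivers_dir": "\\drivers\\" in binpath.lower(),
        # The pattern in this description: service name == driver base name.
        "name_matches_image": image.lower() == f"{name.lower()}.sys",
    }


def scan(cmdlines):
    """Return the flagged kernel-driver installs found in a list of command lines."""
    return [hit for hit in map(flag_kernel_driver_install, cmdlines) if hit]


if __name__ == "__main__":
    for hit in scan(SAMPLE_COMMAND_LINES):
        print(hit)
```

All three booleans being true at once is the signature worth alerting on; a single kernel driver registration with a fixed vendor name and a path outside the drivers directory is routine and should not page anyone.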
The trojan can modify the following file:
- %system%\esentprf.ini
Information stealing
The trojan collects the following information:
- default Internet browser
- operating system version
The trojan attempts to send gathered information to a remote machine.
The trojan contains a list of 4 URLs. The HTTP protocol is used.
Other information
The trojan may delete the following files:
- %system%\msdae32.tlf
- %system%\mspab32.tlf
- %system%\collector.tlf
- %system%\mscheck32.tlf
- %system%\msipref.tlb
- %system%\msrpref.tlb
- %windir%\temp\{80197681-85B6-4478-BC4D-B178875656D7}.ini
- %windir%\devicectrl32.ini
The trojan creates and runs a new thread with its own program code within the following processes:
- %defaultbrowser%
- explorer.exe
It can execute the following operations:
- download files from a remote computer and/or the Internet
- run executable files