Win32/Rootkit.Agent.OBC [Threat Name] go to Threat

Win32/Rootkit.Agent.OBC [Threat Variant Name]

Category trojan
Size 50272 B
Aliases Trojan.MulDrop6.25529 (Dr.Web)
Short description

The trojan serves as a backdoor. It can be controlled remotely. It uses techniques common for rootkits.


The trojan does not create any copies of itself.

Win32/Rootkit.Agent.OBC replaces the original MBR (Master Boot Record) of the hard disk drive with its own program code.

The trojan replaces the following files with a copy of itself or with another malware file:

  • %windir%\­system32\­beep.sys

The following files are dropped:

  • %windir%\­system32\­beep.sys (Win32/Rootkit.Agent.NZJ, 25472 B )
  • %windir%\­system32\­WinSys.dll (Win32/Rootkit.Agent.OBE, 15360 B)

The following Registry entry is set:

  • [HKEY_LOCAL_MACHINE\­SoftWare\­Microsoft\­Windows\­CurrentVersion\­Policies\­System]
    • "EnableLUA" = 0

The trojan creates copies of the following files (source, destination):

  • %comspec%, %temp%\­con1866.exe
  • %system%\­drivers\­beep.sys, %windir%\­Help\­intel.chm
  • %windir%\­Help\­intel.chm, %system%\­drivers\­beep.sys
  • %windir%\­Help\­intel.chm, %system%\­drivers\­null.sys
Information stealing

The trojan collects the following information:

  • operating system version
  • memory status
  • CPU information
  • MAC address
  • computer IP address

The trojan attempts to send gathered information to a remote machine.

Other information

The trojan can create and run a new thread with its own program code within the following processes:

  • svchost.exe
  • explorer.exe

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a list of (4) URLs. The HTTPS protocol is used in the communication.

It may perform the following actions:

  • download files from a remote computer and/or the Internet
  • run executable files
  • send gathered information
  • shut down/restart the computer
  • uninstall itself

The trojan may attempt to download files from the Internet.

The file is stored in the following location:

  • %windir%\­Temp\­dd_vcredist%variable%.exe

A string with variable content is used instead of %variable% .

The file is then executed.

The trojan may create the following files:

  • %windir%\­system32\­Client.dll
  • %windir%\­Temp\­memlog
  • %windir%\­Temp\­vmmmlog

The trojan may execute the following commands:

  • %temp%\­con1866.exe /c del %malwarefilepath%

Please enable Javascript to ensure correct displaying of this content and refresh this page.