Win32/Rootkit.Agent.OCL [Threat Name]

Win32/Rootkit.Agent.OCL [Threat Variant Name]

Category trojan
Size 2637824 B
Aliases Trojan.NtRootKit.19689 (Dr.Web)
Short description

Win32/Rootkit.Agent.OCL is a trojan designed to deliver other malware to the user's system. The file is run-time compressed with Enigma.


The trojan does not create any copies of itself.

Win32/Rootkit.Agent.OCL replaces the original MBR (Master Boot Record) of the hard disk drive with its own program code.

The trojan stores the original MBR sector in sector 2 of the disk.
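A practitioner who suspects this layout will want to confirm it from a raw disk image before touching the drive. The following script is an added example, not part of the original ESET entry: it parses sector 0 as an MBR, then scans the following sectors for a copy of an MBR whose partition table matches sector 0 but whose boot code differs, which is the pattern left behind when a bootkit overwrites sector 0 and parks the original MBR elsewhere. The sample image it builds is constructed in the script; the sector-2 offset comes from the text above, the boot-code bytes and partition layout are assumptions for illustration.

```python
import struct

SECTOR = 512
BOOT_SIG = b"\x55\xAA"          # little-endian 0xAA55 at offset 510
PTABLE_OFF = 446                # four 16-byte partition entries follow the boot code


def parse_mbr(sector: bytes) -> dict:
    """Split one 512-byte sector into boot code, non-empty partition entries and signature."""
    if len(sector) != SECTOR:
        raise ValueError("an MBR is exactly one 512-byte sector")
    partitions = []
    for i in range(4):
        off = PTABLE_OFF + 16 * i
        # status, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, sector count
        status, _chs_start, ptype, _chs_end, lba, count = struct.unpack(
            "<B3sB3sII", sector[off:off + 16])
        if ptype != 0:
            partitions.append({"status": status, "type": ptype,
                               "lba_start": lba, "sectors": count})
    return {
        "boot_code": sector[:PTABLE_OFF],
        "ptable": sector[PTABLE_OFF:510],
        "partitions": partitions,
        "valid_signature": sector[510:512] == BOOT_SIG,
    }


def find_backup_mbr(image: bytes, scan_sectors: int = 64) -> list:
    """Return indices of sectors (1..scan_sectors) that look like a saved copy of the real MBR.

    Heuristic: same partition table as sector 0, valid signature, and boot code that
    is non-empty but different from sector 0. A normal disk has no such sector.
    """
    sector0 = parse_mbr(image[:SECTOR])
    hits = []
    last = min(scan_sectors, len(image) // SECTOR - 1)
    for k in range(1, last + 1):
        cand = parse_mbr(image[k * SECTOR:(k + 1) * SECTOR])
        if not cand["valid_signature"] or not cand["partitions"]:
            continue
        if cand["ptable"] != sector0["ptable"]:
            continue
        if cand["boot_code"] == sector0["boot_code"] or not any(cand["boot_code"]):
            continue
        hits.append(k)
    return hits


def check_image(image: bytes) -> dict:
    """Summarise sector 0 and any MBR copies found; 'suspicious' means a copy exists."""
    sector0 = parse_mbr(image[:SECTOR])
    backups = find_backup_mbr(image)
    return {
        "sector0_valid": sector0["valid_signature"],
        "sector0_partitions": len(sector0["partitions"]),
        "backup_mbr_sectors": backups,
        "suspicious": bool(backups),
    }


def recover_original_mbr(image: bytes, backup_sector: int) -> bytes:
    """Return the 512 bytes to write back to sector 0 (e.g. with dd) from the backup sector."""
    return image[backup_sector * SECTOR:(backup_sector + 1) * SECTOR]


def build_sample_image(infected: bool = True) -> bytes:
    """Constructed 8-sector image (not a real capture) reproducing the described layout."""
    # One bootable NTFS-type partition starting at LBA 2048; values are illustrative.
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xFE\xFF\xFF", 2048, 204800)
    ptable = entry + b"\x00" * 48
    # Assumed stand-in for legitimate boot code: a few real-looking opcodes then padding.
    original = b"\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x90" * 439 + ptable + BOOT_SIG
    if not infected:
        return original + b"\x00" * SECTOR * 7
    # Assumed stand-in for the trojan's loader: different code, same partition table.
    infected_mbr = b"\xEB\x00" + b"\xCC" * 444 + ptable + BOOT_SIG
    return infected_mbr + b"\x00" * SECTOR + original + b"\x00" * SECTOR * 5


if __name__ == "__main__":
    report = check_image(build_sample_image())
    print(report)
    if report["suspicious"]:
        k = report["backup_mbr_sectors"][0]
        print(f"original MBR appears to be saved in sector {k}; "
              f"{len(recover_original_mbr(build_sample_image(), k))} bytes recoverable")
```

Run it against a real image with `check_image(open("disk.raw", "rb").read(SECTOR * 65))`, reading only the first few sectors rather than the whole disk. The partition-table comparison is what keeps the check useful: a bootkit has to keep the table intact for the machine to still boot, so a second sector carrying the same table with different boot code is a strong signal, while a sector that merely ends in 55 AA is not.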

The trojan creates and runs a new thread with its own program code within the following processes:

  • winlogon.exe
  • explorer.exe
  • svchost.exe
Other information

The trojan tries to download and execute several files from the Internet.

The trojan contains a list of two URLs. The HTTP protocol is used in the communication.

The trojan may create the following files:

  • %systemroot%\Temp\conhost.exe

The trojan keeps various information in the following files:

  • %systemroot%\Temp\ntuser.dat

The trojan interferes with the operation of some security applications to avoid detection.

The following programs are terminated:

  • 360rps.exe
  • 360sd.exe
  • 360tray.exe
  • KSafeTray.exe
  • QQPCRTP.exe
  • Rtvscan.exe
  • avastsvc.exe
  • avengine.exe
  • avgnt.exe
  • avgrsa.exe
  • avgui.exe
  • avp.exe
  • avscan.exe
  • bdagent.exe
  • ccSvcHst.exe
  • dwarkdaemon.exe
  • dwengine.exe
  • egui.exe
  • ekrn.exe
  • mcshield.exe
  • mcsvhost.exe
  • mfefire.exe
  • mfemms.exe
  • msmpeng.exe
  • msseces.exe
  • nissrv.exe
  • nod32krn.exe
  • safedogguardcenter.exe
  • superkiller.exe
  • systemaidbox.exe
  • v3medic.exe
  • v3svc.exe
  • vssery.exe
  • wdswfsafe.exe
  • zhudongfangyu.exe

The trojan can modify network traffic.

The following programs are affected:

  • Mcshield.exe
  • avastui.exe
  • bdagent.exe
  • inst.exe
  • instup.exe
  • ksafe.exe
  • liveupdate360.exe
  • mcuicnt.exe
  • qqpctray.exe
  • smsvchost.exe
  • updatasrv.exe
  • v3main.exe

It uses techniques common to rootkits.
