MSIL/Agent.OUK [Threat Name]

MSIL/Agent.OUK [Threat Variant Name]

Category: trojan
Size: 519680 B
Detection created: Feb 20, 2014
Detection database version: 9449
Aliases: MSIL2.ALYO.trojan (AVG)

Short description

The trojan serves as a backdoor. It can be controlled remotely. The file is run-time compressed using .NET Reactor.


The trojan is usually a part of other malware.

The trojan does not create any copies of itself.

The trojan is usually found in the following folder:

  • %programfiles%\browser

The trojan runs the following processes:

  • %programfiles%\browser\System Scheduler.exe
  • %programfiles%\browser\System Idle.exe
  • %programfiles%\browser\msiexes.exe

The %programfiles%\browser folder may have the System (S) and Hidden (H) attributes set in an attempt to hide the folder in Windows Explorer.

The trojan may set the following Registry entries:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "IPSec" = "%programfiles%\browser\System Scheduler.exe"
    • "SmartCard" = "%programfiles%\browser\System Idle.exe"

This causes the trojan to be executed on every system start.

Information stealing

MSIL/Agent.OUK is a trojan that steals sensitive information.

The trojan collects the following information:

  • information about the operating system and system settings

The trojan attempts to send gathered information to a remote machine.

Other information

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a list of 34 URLs. The HTTP protocol is used in the communication.

The network communication with the remote computer/server is encrypted.

It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • terminate running processes
  • open a specific URL address
  • delete files
  • extract RAR archives
  • create Registry entries
  • delete Registry entries
  • send gathered information
  • update itself to a newer version
  • set up an HTTP server
  • redirect network traffic

The trojan may set the following Registry entries:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
    • "EnableLUA" = 0
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
    • "EnableHttp1_1" = 1
    • "ProxyEnable" = "0"
    • "ProxyHttp1.1" = "0"
    • "ProxyServer" = ""

The trojan may execute the following commands:

  • ipconfig /flushdns
  • TASKKILL /F /IM %variable1%
  • REGEDIT /S %variable2%

The trojan can modify the following file:

  • %system%\drivers\etc\hosts

The trojan may affect the behavior of the following applications:

  • Google Chrome
  • Microsoft Internet Explorer
  • Mozilla Firefox
  • Opera
  • Safari

The trojan terminates processes with any of the following strings in the name:

  • dw20

The trojan may create the following files:

  • %malwarepath%\s.x
  • %malwarepath%\checker.db.tmp
  • %malwarepath%\client.db.tmp
  • %malwarepath%\dbs-ex\%variable3%.db

A string with variable content is used instead of %variable1-3%.

The trojan requires the Microsoft .NET Framework and the XDMessaging .NET library to run.
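
The following read-only PowerShell check for the folder, processes, Run values, EnableLUA setting and hosts file described above is an added example, not part of the original description or any vendor tooling. Checking "Program Files (x86)" and the WOW6432Node registry view are assumptions added to cover 32-bit redirection on 64-bit Windows.

```powershell
# Added example (not vendor code): read-only check for the artifacts listed above.
# Run elevated so hidden/system folders and all processes are visible.
$findings = @()
$names = 'System Scheduler.exe', 'System Idle.exe', 'msiexes.exe'

# 1. Drop folder and files. Assumption: also look under "Program Files (x86)".
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ } | Select-Object -Unique
foreach ($root in $roots) {
    $dir = Join-Path $root 'browser'
    # -Force is required: the folder may carry the System and Hidden attributes.
    $item = Get-Item -LiteralPath $dir -Force -ErrorAction SilentlyContinue
    if (-not $item) { continue }
    $findings += "Folder: $dir [$($item.Attributes)]"
    foreach ($n in $names) {
        $file = Join-Path $dir $n
        if (Test-Path -LiteralPath $file) { $findings += "File: $file" }
    }
}

# 2. Running processes with a listed image name located in a \browser\ folder.
$procs = Get-CimInstance Win32_Process | Where-Object {
    $_.ExecutablePath -like '*\browser\*' -and $names -contains $_.Name
}
foreach ($p in $procs) { $findings += "Process: $($p.ExecutablePath) (PID $($p.ProcessId))" }

# 3. Run-key persistence. Assumption: the WOW6432Node view is checked as well.
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    $run = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    foreach ($v in 'IPSec', 'SmartCard') {
        if ($run -and $run.$v -like '*\browser\*') { $findings += "Run: $key '$v' = $($run.$v)" }
    }
}

# 4. UAC switched off (EnableLUA = 0). This can also be an admin choice; correlate.
$pol = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -ErrorAction SilentlyContinue
if ($pol -and $pol.EnableLUA -eq 0) { $findings += 'Policy: EnableLUA = 0' }

# 5. hosts file: list active (non-comment) lines for manual review.
$hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$active = @(Get-Content -LiteralPath $hosts -ErrorAction SilentlyContinue |
    Where-Object { $_ -match '^\s*[^#\s]' })
foreach ($line in $active) { $findings += "hosts: $line" }

if ($findings) { $findings } else { 'No artifacts from this description found.' }
```

A hit on the folder, files or Run values is the strongest signal; EnableLUA and hosts entries need context because legitimate configuration can produce them.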
