Win32/Agent.OGA [Threat Name]

Win32/Agent.OGA [Threat Variant Name]

Category trojan
Size 85504 B
Detection created Sep 29, 2008
Detection database version 3480
Aliases Trojan-Dropper.Win32.Agent.clxl (Kaspersky)
  TrojanDropper:Win32/Dunik!rts (Microsoft)
  Trojan.MulDrop1.40321 (Dr.Web)
Short description

The trojan program is designed to deliver various advertisements to the user's system. The file is run-time compressed using UPX.

Installation

When executed, the trojan creates the following files:

  • %system%\sysintm.dll (32256 B, Win32/Agent.OGA)

The following Registry entries are set:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    • "AppInit_DLLs" = "sysintm.dll"
    • "LoadAppInit_DLLs" = 1
  • [HKEY_LOCAL_MACHINE\SOFTWARE\IntMayak]
    • "Config" = %variable%

The %variable% represents a random number.

This way the trojan ensures that the following library is injected into all running processes:

  • %system%\sysintm.dll
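The registry entries above are the persistence mechanism to look for on a suspect host. As an added example that is not part of the ESET entry, the Python script below parses a text dump produced by `reg export` and flags the indicators listed in this entry: a non-empty AppInit_DLLs value (with LoadAppInit_DLLs telling whether Windows will honour it; since Vista the DLLs are loaded into every process that loads user32.dll only when that value is 1), the sysintm.dll name, and the IntMayak configuration key. The embedded export text is constructed for the example, not captured from an infected machine.

```python
import re
from typing import Dict, List, Union

# Constructed sample of a `reg export` dump from a host carrying the entries
# listed in this entry; it is not captured from a real infection.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="sysintm.dll"
"LoadAppInit_DLLs"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\IntMayak]
"Config"=dword:0000a3f1
'''

APPINIT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
MARKER_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\IntMayak"
KNOWN_DLL = "sysintm.dll"  # component name given in this entry

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"([^"]+)"=(?:"(.*)"|dword:([0-9a-fA-F]{8}))$')

RegTree = Dict[str, Dict[str, Union[str, int]]]


def parse_reg_export(text: str) -> RegTree:
    """Parse the .reg subset used here: [key] headers followed by
    "name"="string" or "name"=dword:xxxxxxxx lines. Key paths and value
    names are stored lower-cased because the registry is case-insensitive."""
    tree: RegTree = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            tree.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name, string_val, dword_hex = m.groups()
            tree[current][name.lower()] = (
                string_val if dword_hex is None else int(dword_hex, 16)
            )
    return tree


def find_appinit_indicators(tree: RegTree) -> List[str]:
    """Return human-readable findings for the persistence entries this
    trojan sets. An empty list means none of them is present."""
    findings: List[str] = []
    win = tree.get(APPINIT_KEY.lower(), {})
    dlls = str(win.get("appinit_dlls", "")).strip()
    if dlls:
        # AppInit_DLLs is loaded into every process that loads user32.dll;
        # since Windows Vista it is honoured only when LoadAppInit_DLLs == 1.
        state = "active" if win.get("loadappinit_dlls") == 1 else "configured but disabled"
        findings.append(f"AppInit_DLLs {state}: {dlls}")
        for dll in re.split(r"[ ,;]+", dlls):
            if dll.lower().endswith(KNOWN_DLL):
                findings.append(f"known Win32/Agent.OGA component in AppInit_DLLs: {dll}")
    if MARKER_KEY.lower() in tree:
        findings.append(f"configuration key used by the trojan is present: {MARKER_KEY}")
    return findings


if __name__ == "__main__":
    for finding in find_appinit_indicators(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(finding)
```

On a real host, `reg export` writes UTF-16 with a byte-order mark, so read the file with `encoding="utf-16"` before passing it in. On 64-bit Windows the same Windows NT\CurrentVersion\Windows key also exists under SOFTWARE\Wow6432Node, so export and check both.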

Other information

The trojan program is designed to deliver various advertisements to the user's system.

The trojan creates and runs a new thread with its own program code within the following processes:

  • chrome.exe
  • firefox.exe
  • iexplore.exe
  • maxthon.exe
  • opera.exe
  • safari.exe

The trojan hooks the following Windows APIs:

  • closesocket (ws2_32.dll)
  • connect (ws2_32.dll)
  • ioctlsocket (ws2_32.dll)
  • select (ws2_32.dll)
  • send (ws2_32.dll)
  • recv (ws2_32.dll)
  • WSASend (ws2_32.dll)
  • WSARecv (ws2_32.dll)
  • WSASocketW (ws2_32.dll)
  • WSAConnect (ws2_32.dll)
  • WSAWaitForMultipleEvents (ws2_32.dll)
  • WSAGetOverlappedResult (ws2_32.dll)
  • WSACreateEvent (ws2_32.dll)
  • WSACloseEvent (ws2_32.dll)
  • WSASetEvent (ws2_32.dll)
  • WSAResetEvent (ws2_32.dll)
  • WSAAsyncSelect (ws2_32.dll)
  • WSAEnumNetworkEvents (ws2_32.dll)
  • WSAEventSelect (ws2_32.dll)

When the user enters one of the keywords below into the browser, the trojan opens a URL related to it.

The following keywords are monitored:

  • odnoklasniki.ru
  • odnoklassniki.ru
  • vkontakte.ru

The trojan opens the following URLs:

  • http://91.213.174.36/promo/odnkl/
  • http://91.213.174.36/promo/vk/
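Because the hooked socket functions turn a visit to one of the monitored sites into an extra request for the promo URL from the same browser, the pattern is visible at a web proxy. As an added example that is not part of the ESET entry, the Python below runs that correlation over proxy log lines: a request to a monitored keyword host followed shortly by a request from the same client to one of the promo URLs listed above. The log lines and their format (timestamp, client, method, URL) are constructed, and the 30-second correlation window is an assumed tuning value, not something stated in the entry; a promo request with no preceding keyword visit is still reported, with the keyword field left empty.

```python
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Keyword hosts and promo URL components taken from this entry.
MONITORED_HOSTS = ("odnoklasniki.ru", "odnoklassniki.ru", "vkontakte.ru")
PROMO_HOST = "91.213.174.36"
PROMO_PATHS = ("/promo/odnkl/", "/promo/vk/")
# Assumed correlation window (tuning choice, not from the entry).
WINDOW = timedelta(seconds=30)

# Constructed proxy log: "<ISO timestamp> <client ip> <method> <url>" per line.
SAMPLE_LOG = """\
2008-09-29T10:00:01 10.0.0.5 GET http://vkontakte.ru/
2008-09-29T10:00:03 10.0.0.5 GET http://91.213.174.36/promo/vk/
2008-09-29T10:05:00 10.0.0.7 GET http://www.odnoklassniki.ru/
2008-09-29T10:05:02 10.0.0.7 GET http://91.213.174.36/promo/odnkl/
2008-09-29T10:10:00 10.0.0.9 GET http://example.com/
2008-09-29T10:20:00 10.0.0.9 GET http://91.213.174.36/promo/vk/
"""

Hit = Tuple[str, Optional[str], str]  # (client, keyword host or None, promo url)


def keyword_for(host: str) -> Optional[str]:
    """Map a request host to the monitored keyword it matches (exact host
    or a subdomain of it), or None."""
    for kw in MONITORED_HOSTS:
        if host == kw or host.endswith("." + kw):
            return kw
    return None


def find_promo_redirects(log_text: str) -> List[Hit]:
    """Report every request to a listed promo URL, attributing it to the
    client's most recent keyword visit when that visit falls within WINDOW."""
    last_keyword: Dict[str, Tuple[datetime, str]] = {}
    hits: List[Hit] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts_str, client, _method, url = line.split(maxsplit=3)
        ts = datetime.fromisoformat(ts_str)
        parts = urlsplit(url)
        host = parts.hostname or ""  # urlsplit lower-cases the host
        kw = keyword_for(host)
        if kw:
            last_keyword[client] = (ts, kw)
            continue
        if host == PROMO_HOST and parts.path.startswith(PROMO_PATHS):
            prev = last_keyword.get(client)
            attributed = prev[1] if prev and ts - prev[0] <= WINDOW else None
            hits.append((client, attributed, f"http://{host}{parts.path}"))
    return hits


if __name__ == "__main__":
    for client, keyword, promo_url in find_promo_redirects(SAMPLE_LOG):
        print(f"{client}: {promo_url} (after {keyword or 'no keyword visit'})")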
