Win32/Agent.OGU [Threat Name] go to Threat

Win32/Agent.OGU [Threat Variant Name]

Category trojan
Size 73728 B
Detection created Oct 08, 2008
Detection database version 3505
Aliases Trojan-Dropper.Win32.Small.fxu (Kaspersky)
  TrojanDownloader:Win32/Zolpiq.A (Microsoft)
Short description

The trojan serves as a backdoor. It can be controlled remotely.


The trojan may create the following files:

  • %programfiles%\­Common Files\­bak.dll
  • %system%\­msimage.dat
  • %temp%\­%variable1%.tmp
  • %temp%\­%variable2%.tmp
  • %system%\­%variable3%.dll
  • %system%\­msimage.dat
  • C:\­recycled\­%variable2%.tmp (73728 B)

The trojan replaces the following files with a copy of itself or with another malware file:

  • %system%\­mspmsnsv.dll
  • %system%\­dllcache\­mspmsnsv.dll

The trojan attempts to modify the following file:

  • %system%\­rtutils.dll

The trojan may set the following Registry entries:

  • [HKEY_LOCAL_MACHINE\­SYSTEM\­CurrentControlSet\­Services\­WmdmPmSN]
    • "Start" = 2
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­SvcHost]
    • "%variable3%" = "%variable3%"
  • [HKEY_LOCAL_MACHINE\­SYSTEM\­CurrentControlSet\­Services\­%variable3%]
    • "Type" = 272
    • "Start" = 2
    • "ErrorControl" = 1
    • "ImagePath" = "%system%\­System32\­svchost.exe -k "%variable3%""
    • "DisplayName" = "%variable3%"
    • "ObjectName" = "LocalSystem"
    • "Description" = "%variable3%"
    • "FailureActions" = %hexvalue%
  • [HKEY_LOCAL_MACHINE\­SYSTEM\­CurrentControlSet\­Services\­%variable3%\­Parameters]
    • "ServiceDll" = "%system%\­%variable3%.dll"
    • "StubPath" = "%originalfile%"
  • [HKEY_LOCAL_MACHINE\­SYSTEM\­CurrentControlSet\­Services\­%variable3%\­Security]
    • "Security" = %hexvalue%

This causes the trojan to be executed on every system start.

A string with variable content is used instead of %variable1-3% .

Information stealing

The following information is collected:

  • computer name
  • information about the operating system and system settings

The trojan can send the information to a remote machine.

Other information

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a list of (2) URLs.

It can execute the following operations:

  • send files to a remote computer
  • remove itself from the infected computer
  • run executable files
  • download files from a remote computer and/or the Internet

Please enable Javascript to ensure correct displaying of this content and refresh this page.