Win32/Spy.Agent.OAB [Threat Name] go to Threat

Win32/Spy.Agent.OAB [Threat Variant Name]

Category trojan
Size 286720 B
Detection created Jul 18, 2012
Detection database version 7308
Aliases PWS:Win32/Fireming.A.dll (Microsoft)
Short description

Win32/Spy.Agent.OAB is a trojan that steals passwords and other sensitive information. The trojan attempts to send gathered information to a remote machine.


The trojan is usually a part of other malware.

The trojan does not create any copies of itself.

By adding an exception in Windows Firewall settings, the trojan ensures that it is not blocked.

Information stealing

Win32/Spy.Agent.OAB is a trojan that steals sensitive information.

The trojan collects the following information:

  • login user names for certain applications/services
  • login passwords for certain applications/services
  • FTP account information
  • POP3 account information
  • operating system version
  • computer IP address
  • network adapter information
  • type of Internet connection
  • screenshots
  • digital certificates
  • Microsoft Outlook account data

The trojan collects information used to access certain sites.

The trojan attempts to send gathered information to a remote machine.

Other information

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a list of (2) URLs. The HTTP protocol is used.

It can execute the following operations:

  • log keystrokes
  • run executable files
  • terminate running processes
  • shut down/restart the computer
  • send gathered information

The trojan may create the following files:

  • %system%\­hlst.tmp
  • %system%\­perfz9368.dat
  • %system%\­perfc7683
  • %system%\­
  • %system%\­perfc5932.dat
  • %system%\­mmd109en.dat
  • %system%\­l00834.dat
  • %system%\­prt.dat
  • %temp%\­cm.dat
  • %temp%\­c1h9e4c7k8.cmp
  • %temp%\­sck236jnx.dat

The trojan opens a random TCP port.

The trojan may delete the following files:

  • boot.ini
  • ntldr

The trojan hooks the following Windows APIs:

  • CreateFileW (kernel32.dll)
  • PFXImportCertStore (crypt32.dll)
  • InternetConnect (wininet.dll)
  • HttpOpenRequest (wininet.dll)
  • HttpSendRequestW (wininet.dll)
  • HttpSendRequestA (wininet.dll)
  • InternetQueryDataAvailable (wininet.dll)
  • InternetReadFile (wininet.dll)
  • InternetReadFileEx (wininet.dll)
  • InternetSetStatusCallback (wininet.dll)
  • RegEnumValueW (advapi32.dll)
  • send (ws2_32.dll)
  • WSASend (ws2_32.dll)
  • PR_Write (nspr4.dll)
  • PR_Read (nspr4.dll)

Please enable Javascript to ensure correct displaying of this content and refresh this page.