Win32/Spy.Agent.OAU [Threat Name]

Win32/Spy.Agent.OAU [Threat Variant Name]

Category trojan
Size 633850 B
Detection created Sep 30, 2012
Detection database version 10334
Aliases PSW.Agent.BEAM (AVG)
Short description

Win32/Spy.Agent.OAU is a trojan that installs Win32/Spy.Agent.OIJ malware.

Installation

When executed, the trojan creates the following files:

  • c:\Program Files\SYSLOG.TXT
  • c:\Program Files\Common Files\ODBC\CloudUpdate.exe
  • c:\Program Files\Common Files\ODBC\imjputyc.dll

The trojan may create the following files:

  • c:\Program Files\d3dx.ini
  • c:\Program Files\Common Files\ODBC\svchost.exe
  • c:\Program Files\Common Files\ODBC\CloudUpdate.nls (Win32/Spy.Agent.OIJ)
  • c:\Program Files\Common Files\ODBC\0ALqOEc18eQCjOM.tmp

The trojan may overwrite the existing values under the following Registry keys so that they point to the malware files:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\SecurityService]
    • "68" = "c:\Program Files\Common Files\ODBC\CloudUpdate.nls"
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\AppMgmt]
    • "ImagePath" = "c:\Program Files\Common Files\ODBC\CloudUpdate.exe"
    • "Start" = 2
    • "Type" = 32
    • "ErrorControl" = 0
    • "RequiredPrivileges" = "SeCreateGlobalPrivilege;SeImpersonatePrivilege;SeIncreaseQuotaPrivilege;SeShutdownPrivilege;SeTakeOwnershipPrivilege;SeTcbPrivilege;SeAssignPrimaryTokenPrivilege;SeIncreaseQuotaPrivilege"
    • "Description" = "@appmgmts.dll,-3251"
    • "DisplayName" = "@appmgmts.dll,-3250"
    • "ObjectName" = "LocalSystem"
    • "FailureActions" = %hexvalue%
    • "DelayedAutoStart" = 0
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\AppMgmt\Parameters]
    • "ServiceDllUnloadOnStop" = 1
    • "ServiceDll" = 0
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\AppMgmt\Security]
    • "Security" = %hexvalue%
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BITS]
    • "ImagePath" = "c:\Program Files\Common Files\ODBC\CloudUpdate.exe"
    • "Start" = 2
    • "Type" = 32
    • "ErrorControl" = 0
    • "RequiredPrivileges" = "SeCreateGlobalPrivilege;SeImpersonatePrivilege;SeIncreaseQuotaPrivilege;SeShutdownPrivilege;SeTakeOwnershipPrivilege;SeTcbPrivilege;SeAssignPrimaryTokenPrivilege;SeIncreaseQuotaPrivilege"
    • "Description" = "@appmgmts.dll,-3251"
    • "DisplayName" = "@appmgmts.dll,-3250"
    • "ObjectName" = "LocalSystem"
    • "FailureActions" = %hexvalue%
    • "DelayedAutoStart" = 0
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BITS\Parameters]
    • "ServiceDllUnloadOnStop" = 1
    • "ServiceDll" = 0
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BITS\Security]
    • "Security" = %hexvalue%

Other information

After the installation is complete, the trojan deletes the original executable file.
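The following PowerShell check is an added example, not part of the ESET entry. It audits the two Windows services the description says the sample re-points (AppMgmt and BITS), the Rpc\SecurityService value and the dropped files listed above; it assumes an English install where c:\Program Files maps to $env:ProgramFiles and $env:CommonProgramFiles, and that both services are normally hosted by svchost.exe under System32.

```powershell
# Added detection check (not code from the ESET entry).
# Assumes the standard layout: AppMgmt and BITS are shared-process services
# hosted by %SystemRoot%\System32\svchost.exe with a string ServiceDll value.
function Get-SpyAgentOAUFindings {
    $findings = @()
    $sys32 = (Join-Path $env:SystemRoot 'System32').ToLowerInvariant()

    foreach ($svc in 'AppMgmt', 'BITS') {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
        $img = (Get-ItemProperty -Path $key -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
        if ($img) {
            # Expand %SystemRoot% and strip quoting before comparing the host path.
            $exe = [Environment]::ExpandEnvironmentVariables($img).Trim('"').ToLowerInvariant()
            if (-not $exe.StartsWith($sys32)) {
                $findings += "$svc ImagePath points outside System32: $img"
            }
        }
        $dll = (Get-ItemProperty -Path "$key\Parameters" -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
        # A Type 32 (shared-process) service needs a DLL path here; the sample writes 0.
        if ($null -eq $dll -or $dll -isnot [string]) {
            $findings += "$svc ServiceDll missing or not a path (value: $dll)"
        }
    }

    # The entry lists value "68" under Rpc\SecurityService pointing at CloudUpdate.nls.
    $rpc = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Rpc\SecurityService' -ErrorAction SilentlyContinue
    if ($rpc -and $rpc.PSObject.Properties['68'] -and "$($rpc.'68')" -match 'CloudUpdate\.nls') {
        $findings += "Rpc\SecurityService value 68 references CloudUpdate.nls"
    }

    # Dropped files named in the entry (paths resolved via environment variables).
    $odbc = Join-Path $env:CommonProgramFiles 'ODBC'
    foreach ($name in 'CloudUpdate.exe', 'imjputyc.dll', 'CloudUpdate.nls', 'svchost.exe') {
        $p = Join-Path $odbc $name
        if (Test-Path $p) { $findings += "dropped file present: $p" }
    }
    foreach ($p in (Join-Path $env:ProgramFiles 'SYSLOG.TXT'), (Join-Path $env:ProgramFiles 'd3dx.ini')) {
        if (Test-Path $p) { $findings += "dropped file present: $p" }
    }
    return $findings
}

Get-SpyAgentOAUFindings
```

Run from an elevated prompt; an empty result means none of the listed artifacts were found, while any finding warrants pulling the referenced file for analysis and restoring the service configuration from a known-good host.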
