Win32/Spy.Agent.OEH [Threat Name] go to Threat

Win32/Spy.Agent.OEH [Threat Variant Name]

Category trojan
Size 235520 B
Detection created May 28, 2013
Detection database version 8386
Aliases Trojan-Spy.Win32.SpyEyes.akyk (Kaspersky)
  Trojan:Win32/Qadars.A (Microsoft)
Short description

Win32/Spy.Agent.OEH is a trojan that steals sensitive information. The trojan attempts to send gathered information to a remote machine.

Installation

When executed, the trojan copies itself into the following location:

  • %appdata%\­%variable1%\­%variable2%.exe

A string with variable content is used instead of %variable1-2% .


The trojan schedules a task that causes the following file to be executed repeatedly:

  • %appdata%\­%variable1%\­%variable2%.exe

The trojan creates and runs a new thread with its own program code within the following processes:

  • explorer.exe
  • netsh.exe
  • firefox.exe
  • chrome.exe
  • iexplore.exe
Information stealing

Win32/Spy.Agent.OEH is a trojan that steals sensitive information.


The trojan collects the following information:

  • the path to specific folders
  • computer name
  • user name
  • operating system version
  • information about the operating system and system settings
  • cookies
  • HTML forms content
  • installed software

The following programs are affected:

  • Internet Explorer
  • Mozilla Firefox
  • Google Chrome

The trojan attempts to send gathered information to a remote machine.

Other information

The trojan acquires data and commands from a remote computer or the Internet.


The trojan contains a list of (4) URLs. The HTTP protocol is used.


It can execute the following operations:

  • run executable files
  • download files from a remote computer and/or the Internet
  • update itself to a newer version
  • shut down/restart the computer
  • modify the content of websites
  • uninstall itself

The trojan hooks the following Windows APIs:

  • PR_Write (nspr4.dll)
  • PR_Read (nspr4.dll)
  • PR_Poll (nspr4.dll)
  • PR_Available (nspr4.dll)
  • HttpSendRequestA (wininet.dll)
  • HttpSendRequestW (wininet.dll)
  • HttpSendRequestExA (wininet.dll)
  • HttpSendRequestExW (wininet.dll)
  • HttpQueryInfoA (wininet.dll)
  • InternetReadFile (wininet.dll)
  • InternetReadFileExA (wininet.dll)
  • InternetCloseHandle (wininet.dll)
  • InternetQueryDataAvailable (wininet.dll)
  • SSLClientSocketNSS::Write (chrome.dll)
  • TCPClientSocket::Write (chrome.dll)

The trojan keeps various information in the following Registry key:

  • [HKEY_CURRENT_USER\­Software\­Classes\­CLSID\­{%variable%}]

A string with variable content is used instead of %variable% .

Please enable Javascript to ensure correct displaying of this content and refresh this page.