Win32/Spy.Agent.OIJ [Threat Name]

Win32/Spy.Agent.OIJ [Threat Variant Name]

Category trojan
Size 45056 B
Detection created Feb 19, 2014
Detection database version 9444
Aliases HB_OLGM-43 (TrendMicro)
Short description

Win32/Spy.Agent.OIJ is a trojan that steals sensitive information. The trojan serves as a backdoor. It can be controlled remotely.

Installation

The trojan is usually part of other malware named Win32/Spy.Agent.OAU.


When executed, the trojan creates the following files:

  • %commonappdata%\360safedriver.DAT
  • %commonappdata%\360shadu.DAT
  • c:\Windows\System\MSCONFIG.DLL
  • c:\Windows\System\360safe.drv
  • c:\Program Files\360\360Safe\360ss2.dat

Installs the following system drivers (path, name):

  • %commonappdata%\360safedriver.DAT, MMSYSTEM

The trojan creates copies of the following files (source, destination):

  • c:\Program Files\d3dx.ini, c:\Windows\System\cdrom.sys
  • c:\Program Files\SYSLOG.TXT, C:\Program Files\Common Files\MSCONFIG.INC

The trojan moves the following files (source, destination):

  • %commonappdata%\360safedriver.DAT, %temp%\360safedriver.DAT
  • %temp%\360safedriver.DAT, %commonappdata%\360safedriver.DAT
  • C:\windows\system\MSCONFIG.DLL, %temp%\~@ms%variable%.tmp

A string with variable content is used instead of %variable%.


The following Registry entries are set:

  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom]
    • "Start" = 1
    • "ErrorControl" = 0
    • "ImagePath" = " c:\Windows\System\cdrom.sys"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Microsoft]
    • "comp" = "1"
    • "pw" = "%variable%"

The trojan creates and runs a new thread with its own program code within the following processes:

  • explorer.exe
  • wininit.exe

The trojan attempts to delete the following files:

  • %windir%\system32\drivers\mp11*.sys
  • %temp%\~@ms%variable%.tmp
  • C:\Windows\System\MSCONFIG.DLL
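The installation artefacts above (the hijacked Cdrom service ImagePath, the non-standard Control Panel\Microsoft marker values and the dropped files) can be turned into a host triage check. The following is an added example, not code from the ESET page: it runs offline over a constructed registry and file-path snapshot, and the accepted locations for the legitimate cdrom.sys are an assumption.

```python
"""Triage checks for the Win32/Spy.Agent.OIJ artefacts described above.
Runs over a constructed snapshot; on a live host the dicts/lists would be
filled from HKLM and a file-system walk."""
import re

# Assumption: where the legitimate CD-ROM class driver normally lives.
LEGIT_CDROM_RE = re.compile(
    r"(?i)^(\\systemroot\\|%systemroot%\\|c:\\windows\\)?system32\\drivers\\cdrom\.sys$")

# Dropped files and the ~C-prefixed staging folders in %temp% listed on the page.
SUSPICIOUS_PATH_RE = re.compile(
    r"(?i)(\\windows\\system\\(msconfig\.dll|cdrom\.sys|360safe\.drv)$"
    r"|\\360safedriver\.dat$|\\~Ç[0-9a-f]{4}\\?$)")

MARKER_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Microsoft"
CDROM_KEY = r"SYSTEM\CurrentControlSet\Services\Cdrom"


def check_cdrom_service(values):
    """values: the Services\\Cdrom key as {value name: data}."""
    path = str(values.get("ImagePath", "")).strip().strip('"')
    if path and not LEGIT_CDROM_RE.match(path):
        return [f"Cdrom service ImagePath hijacked: {path}"]
    return []


def check_marker_key(hklm):
    """'comp' and 'pw' under this key are the sample's own markers; a
    clean system has no such key, so their presence alone is a finding."""
    vals = hklm.get(MARKER_KEY, {})
    return [f"marker value {n}={vals[n]!r} under {MARKER_KEY}"
            for n in ("comp", "pw") if n in vals]


def check_files(paths):
    return [p for p in paths if SUSPICIOUS_PATH_RE.search(p)]


def triage(hklm, paths):
    findings = check_cdrom_service(hklm.get(CDROM_KEY, {}))
    findings += check_marker_key(hklm)
    findings += [f"suspicious path: {p}" for p in check_files(paths)]
    return findings


# Constructed snapshot mirroring the description (not from a real host).
SAMPLE_HKLM = {
    CDROM_KEY: {"Start": 1, "ErrorControl": 0, "ImagePath": r" c:\Windows\System\cdrom.sys"},
    MARKER_KEY: {"comp": "1", "pw": "constructed-value"},
}
SAMPLE_PATHS = [r"C:\Windows\System32\drivers\cdrom.sys", r"C:\Windows\System\MSCONFIG.DLL",
                r"C:\ProgramData\360safedriver.DAT", r"C:\Users\u\AppData\Local\Temp\~ÇBC47"]

if __name__ == "__main__":
    for line in triage(SAMPLE_HKLM, SAMPLE_PATHS):
        print(line)
```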

Information stealing

Win32/Spy.Agent.OIJ is a trojan that steals sensitive information.


The trojan collects the following information:

  • data from the clipboard
  • screenshots
  • installed Microsoft Windows patches
  • network adapter information
  • user name
  • computer name
  • list of disk devices and their type
  • list of running processes
  • Windows Protected Storage passwords and credentials
  • login user names for certain applications/services
  • login passwords for certain applications/services
  • the list of installed software
  • information about the operating system and system settings
  • sent IM messages

The trojan is able to log keystrokes.


The collected information is stored in the following folders:

  • %temp%\~ÇBC47\
  • %temp%\~ÇBFEB\
  • %temp%\~ÇBB16\
  • %temp%\~ÇCE2E\
  • %temp%\~ÇB4D8\
  • %temp%\~ÇB5D9\
  • %temp%\~ÇB61F\
  • %temp%\~ÇB5BE\
  • %temp%\~ÇB5BD\
  • %temp%\~ÇCE14\
  • %temp%\~ÇC343\

The trojan may create the following files:

  • %TEMP%/~@UwKJ.avi
  • %temp%\~@fatHj%variable%.exe

A string with variable content is used instead of %variable%.


The trojan attempts to send gathered information to a remote machine.

Other information

The trojan serves as a backdoor. It can be controlled remotely.


The trojan acquires data and commands from a remote computer or the Internet.


Configuration is stored in the following file:

  • %malwarefilepath%

It can execute the following operations:

  • capture webcam video/voice
  • log keystrokes
  • capture screenshots
  • retrieve information from protected storage and send it to the remote computer
  • send gathered information

Win32/Spy.Agent.OIJ is a trojan that can interfere with the operation of certain applications.


The trojan interferes with the operation of some security applications to avoid detection.


It uses techniques common for rootkits.
