Win32/Spy.Agent.OVP [Threat Name]

Win32/Spy.Agent.OVP [Threat Variant Name]

Category: trojan
Size: 131072 B
Detection created: Mar 14, 2016
Detection database version: 13176
Aliases: DLOADER.Trojan (Dr.Web)

Short description

Win32/Spy.Agent.OVP is a trojan that steals sensitive information.

Installation

When executed, the trojan copies itself into the following location:

  • %startup%\Sirewa__.cpl

This causes the trojan to be executed on every system start.


The trojan copies itself to the following locations:

  • %appdata%\Sirewa__.cpl
  • %systemdrive%\WINDOWS\system32\Sirewa__.cpl

The trojan creates and runs a new thread with its own program code within the following processes:

  • firefox.exe
  • iexplore.exe
  • chrome.exe
  • opera.exe
  • navigator.exe
  • safari.exe
  • maxthon.exe

The following files are modified:

  • %startup%\Mozilla Firefox.lnk
  • %startup%\Internet Explorer.lnk
  • %startup%\Google Chrome.lnk
  • %startup%\Opera.lnk
  • %startup%\Netscape Navigator.lnk
  • %startup%\Safari.lnk
  • %startup%\Maxthon Cloud Browser.lnk

Information stealing

The trojan collects the following information:

  • user name
  • computer IP address
  • screenshots

The trojan is able to log keystrokes.


The collected information is stored in the following file:

  • %appdata%\87

Other information

The trojan acquires data and commands from a remote computer or the Internet.


The trojan contains a URL address. The HTTP protocol is used.


It can execute the following operations:

  • update itself to a newer version
  • send gathered information
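
A read-only triage sweep for the file artifacts listed under Installation and Information stealing, as an added example (not ESET's code). It assumes %startup% means the current user's Startup folder, and it goes slightly beyond the page by also flagging any other .cpl file found there; variable and property names are illustrative.

```powershell
# Added triage example (not ESET code). Read-only: nothing is deleted or changed.
# Assumption: %startup% is the current user's Startup folder; run once per profile.
$startup = [Environment]::GetFolderPath('Startup')
$sysDir  = Join-Path $env:SystemDrive 'WINDOWS\system32'

# File names exactly as printed in the description above.
$candidates = @(
    (Join-Path $startup     'Sirewa__.cpl'),
    (Join-Path $env:APPDATA 'Sirewa__.cpl'),
    (Join-Path $sysDir      'Sirewa__.cpl'),
    (Join-Path $env:APPDATA '87')             # file holding the collected data
)
# Generalization beyond the page: any Control Panel item (.cpl) in Startup is unusual.
$candidates += (Get-ChildItem -LiteralPath $startup -Filter '*.cpl' -Force -ErrorAction SilentlyContinue).FullName
$candidates = $candidates | Where-Object { $_ } | Sort-Object -Unique

$files = @(foreach ($path in $candidates) {
    if (Test-Path -LiteralPath $path -PathType Leaf) {
        $item = Get-Item -LiteralPath $path -Force
        [pscustomobject]@{
            Kind   = 'File'
            Path   = $item.FullName
            Detail = "size=$($item.Length) B; created=$($item.CreationTimeUtc.ToString('u')); " +
                     "matches listed size=$($item.Length -eq 131072)"
            SHA256 = (Get-FileHash -LiteralPath $path -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        }
    }
})

# The page lists these Startup shortcuts as modified; show where each one points.
$lnkNames = 'Mozilla Firefox', 'Internet Explorer', 'Google Chrome', 'Opera',
            'Netscape Navigator', 'Safari', 'Maxthon Cloud Browser'
$shell = New-Object -ComObject WScript.Shell
$links = @(foreach ($name in $lnkNames) {
    $lnk = Join-Path $startup "$name.lnk"
    if (Test-Path -LiteralPath $lnk -PathType Leaf) {
        $s = $shell.CreateShortcut($lnk)      # loads the existing .lnk; Save() is never called
        [pscustomobject]@{
            Kind   = 'StartupShortcut'
            Path   = $lnk
            Detail = "target=$($s.TargetPath); arguments=$($s.Arguments)"
            SHA256 = $null
        }
    }
})

$report = $files + $links
if ($report.Count -eq 0) { 'No listed artifacts found for this user profile.' }
else { $report | Format-List }
```

A shortcut whose target is a .cpl file or anything other than the named browser's executable should be treated as a hit and examined together with the files reported above.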
