Win32/Spy.Agent.OYK [Threat Name]

Win32/Spy.Agent.OYK [Threat Variant Name]

Category: trojan
Size: 1065984 B
Detection created: Aug 19, 2016
Detection database version: 13987

Short description

The trojan serves as a backdoor. It can be controlled remotely.

Installation

When executed, the trojan creates the following files:

  • %temp%\translator\wrlck.cab (258 B)
  • %temp%\translator\pdll\sllauncher.exe (387224 B)
  • %temp%\translator\pdll\oledlg.dll (530432 B, Win32/Spy.Agent.OYK)
  • %temp%\translator\srvsvc.exe (442368 B, Win32/Spy.Agent.OYK)

In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
    • "Load" = %temp%\translator\pdll\sllauncher.exe

After the installation is complete, the trojan deletes the original executable file.

The trojan runs the following processes:

  • %temp%\translator\pdll\sllauncher.exe
  • %temp%\translator\srvsvc.exe

The trojan executes the following command:

  • cmd.exe /C ping 1.1.1.1 -n 3 -w 3000 & Del "%originalmalwarefilepath%"

Other information

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a list of 4 URLs. The HTTPS protocol is used in the communication.

It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • send files to a remote computer

The trojan executes the following files:

  • %temp%\translator\ttyvc.exe
  • %temp%\translator\psaux.exe
  • %temp%\translator\lsassmy.exe
  • %temp%\translator\sasmy.exe