MSIL/Spy.Agent.AOC [Threat Name]

MSIL/Spy.Agent.AOC [Threat Variant Name]

Category: trojan
Size: 23552 B
Aliases:
  • Trojan-Downloader.MSIL.Small.vju (Kaspersky)
  • TrojanSpy:Win32/Skeeyah.A!rfn (Microsoft)
  • Infostealer.Limitail (Symantec)
Short description

MSIL/Spy.Agent.AOC is a trojan that steals sensitive information. The trojan attempts to send gathered information to a remote machine.

Installation

The trojan does not create any copies of itself.


In order to be executed on every system start, the trojan sets the following Registry entries:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "%variable%" = "%malwarefilepath%"
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    • "%variable%" = "%malwarefilepath%"
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "%variable%" = "%malwarefilepath%"

A string with variable content is used instead of %variable%.


The trojan may set the following Registry entries:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
    • "EnableLUA" = 0

The following services are disabled:

  • SharedAccess
  • MpsSvc

Information stealing

The trojan collects the following information:

  • user name
  • computer name
  • operating system version
  • computer IP address

The trojan attempts to send gathered information to a remote machine.

Other information

The trojan acquires data and commands from a remote computer or the Internet.


The trojan contains a list of (4) URLs. The HTTP protocol is used in the communication.


It can execute the following operations:

  • monitor network traffic
  • modify network traffic
  • redirect network traffic

The trojan opens some TCP ports:

  • 7777
  • 8877

The trojan keeps various information in the following files:

  • %currentfolder%\configp.txt

The trojan tries to download several files from the Internet.


The files are stored in the following locations:

  • %currentfolder%\FiddlerCore3dot5.dll
  • %currentfolder%\Newtonsoft.Json.dll

The following programs are terminated:

  • cmd.exe
  • msconfig.exe
  • regedit.exe
  • procex.exe
  • taskmgr.exe

The trojan may execute the following commands:

  • cmd /c netsh firewall set opmode disable
  • cmd /c netsh advfirewall set allprofiles state off
