Win32/Agent.OLJ [Threat Name]

Win32/Agent.OLJ [Threat Variant Name]

Category: trojan
Size: 909312 B
Aliases: Trojan.Win32.Genome.ohc (Kaspersky), Trojan.Horse (Symantec), Generic.BackDoor (McAfee)
Short description

Win32/Agent.OLJ is a trojan that deletes files in specific folders. The file is run-time compressed using Armadillo.

Installation

When executed, the trojan creates the following files:

  • %temp%\bt%variable%.bat (4286 B)
  • %windir%\Command\Command.bat (4286 B)
  • %userprofile%\startm~1\Programme\Autostart\%variable%.bat (4286 B)
  • C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\Command.bat (4286 B)
  • C:\Programm Files\bt%variable%.bat (4286 B)

A string with variable content is used instead of %variable%.

The files are then executed.

In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    • "Winlogon" = "%windir%\Command\Command.bat"

The following Registry entries are set:

  • [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Mouclass]
    • "Start" = 4
  • [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Kbdclass]
    • "Start" = 4
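
The two Registry changes above are the ones an administrator can audit quickly on a live host: a Run value named "Winlogon" that launches a batch file, and Start = 4 (SERVICE_DISABLED) on the keyboard and mouse class drivers, which stops input devices from loading at the next boot. The following read-only PowerShell check is an added example written for this page, not ESET's code; the function name is assumed, and it reports only the values and drop path listed in this entry.

```powershell
# Added example (not from the ESET entry): read-only audit of the Registry
# values and drop location this description lists. Returns a list of findings.
function Test-AgentOLJIndicators {
    $findings = @()

    # Persistence: Run value named "Winlogon" whose data is a .bat file
    $runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    $runVal = (Get-ItemProperty -Path $runKey -Name 'Winlogon' -ErrorAction SilentlyContinue).Winlogon
    if ($runVal -and $runVal -match '\.bat\s*$') {
        $findings += "Run\Winlogon launches a batch file: $runVal"
    }

    # Input drivers: Start = 4 is SERVICE_DISABLED, so Mouclass/Kbdclass
    # will not load and the console has no keyboard or mouse after reboot.
    foreach ($svc in 'Mouclass', 'Kbdclass') {
        $svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
        $start  = (Get-ItemProperty -Path $svcKey -Name 'Start' -ErrorAction SilentlyContinue).Start
        if ($start -eq 4) {
            $findings += "$svc has Start=4 (disabled); input devices will fail on next boot"
        }
    }

    # Dropped batch file referenced by the Run value
    $dropped = Join-Path $env:windir 'Command\Command.bat'
    if (Test-Path -Path $dropped) {
        $findings += "Dropped file present: $dropped"
    }

    return $findings
}

# Run the audit and print each finding; an empty result means none of the
# listed indicators were found in the places this entry names.
Test-AgentOLJIndicators | ForEach-Object { Write-Output $_ }
```

Run it from an elevated PowerShell session so the HKLM service keys are readable; on a clean host the function returns an empty array.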

The trojan displays the following message:

The following files are deleted:

  • C:\*.sys
  • C:\*.bin
  • C:\*.bat
  • %system%\bootvid.dll
  • %system%\explorer.exe
  • %system%\logon.scr
  • %system%\logonui.exe
  • %system%\logonui.exe.manifest
  • %system%\lsass.exe
  • %system%\seclogon.dll
  • %system%\taskmgr.exe
  • %system%\usrlogon.cmd
  • %system%\WindowsLogon.manifest
  • %system%\winlogon.exe
  • %system%\dllcache\logon.scr
  • %system%\dllcache\logonui.exe
  • %system%\dllcache\winlogon.exe
  • %windir%\bootstat.dat
  • %windir%\explorer.exe
  • %windir%\Cursors\*.*
  • %windir%\Prefetch\NTOSBOOT-B00DFAAD.pf
  • %userprofile%\NTUSER.dat

Other information

The trojan launches the following processes:

  • iexplore.exe www.batch-rockz.dl.am
  • net.exe user "-Sph1nX-" "0wn3d" /add"
  • net.exe localgroup Administratoren "-Sph1nX-" /add
  • net.exe user "Sph1nX - %random%" "%random%" /add
  • net.exe localgroup Administratoren "Sph1nX - %random%" /add
  • shutdown.exe -s -t 30 -c "%username% g0t 0wn3d bY -Sph1nX-"

The following services are disabled:

  • AntiVirService
  • cryptsvc
  • Designs
  • Anmeldedienst

The following programs are terminated:

  • avgnt.exe
  • avguard.exe
  • taskmgr.exe
  • explorer.exe
  • lsass.exe

The trojan displays the following picture:
