Win32/Rootkit.Agent.OAH [Threat Name] go to Threat

Win32/Rootkit.Agent.OAH [Threat Variant Name]

Category trojan
Size 1219584 B
Aliases Trojan.Inject.15225 (Dr.Web)
  Rootkit-Agent.FN (AVG)
Short description

Win32/Rootkit.Agent.OAH serves as a backdoor. It can be controlled remotely.


When executed, the trojan creates the following files:

  • %appdata%\­Sun\­Java\­jusched.exe
  • %appdata%\­Sun\­Java\­Hooks.dll

The trojan executes the following files:

  • %appdata%\­Sun\­Java\­jusched.exe

The trojan schedules a task that causes the following file to be executed on every system start:

  • %appdata%\­Sun\­Java\­jusched.exe

The trojan removes system restore points.

Other information

The trojan acquires data and commands from a remote computer or the Internet.

It tries to connect to the remote machine on port:

  • 3732

The trojan contains a list of (3) URLs. The TCP protocol is used.

It may perform the following actions:

  • download files from a remote computer and/or the Internet
  • run executable files
  • various filesystem operations
  • send the list of running processes to a remote computer
  • terminate running processes
  • steal sensitive information
  • shut down/restart the computer
  • capture webcam video/voice
  • capture screenshots
  • upload files to a remote computer

Please enable Javascript to ensure correct displaying of this content and refresh this page.