Win32/Spy.Agent.OKG [Threat Name] go to Threat

Win32/Spy.Agent.OKG [Threat Variant Name]

Category trojan,worm
Size 118784 B
Detection created Jun 19, 2014
Detection database version 10038
Aliases Backdoor:Win32/Unskal.A (Microsoft)
Short description

Win32/Spy.Agent.OKG is a worm that spreads via shared folders. The worm serves as a backdoor. It can be controlled remotely.


When executed, the worm copies itself into the following location:

  • %appdata%\­AdobeFlashPlayer\­mswinhost.exe (118784 B)

The worm may create the following files:

  • %appdata%\­mskrnl (118784 B)
  • %appdata%\­AdobeFlashPlayer\­Log.txt
  • %appdata%\­AdobeFlashPlayer\­Local.dat
  • %appdata%\­winserv.exe (118784 B)
  • %temp%\­%variable1%.exe (127864 B, "PsExec Tool", Sysinternals, UPX)
  • %temp%\­%variable2%.exe (118784 B)

A string with variable content is used instead of %variable1-3% .

In order to be executed on every system start, the worm sets the following Registry entry:

  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "Windows NT Service" = "%appdata%\­AdobeFlashPlayer\­mswinhost.exe"

The following Registry entry is set:

  • [HKEY_CURRENT_USER\­SOFTWARE\­Microsoft\­Windows\­CurrentVersion]
    • "identifier" = "%variable3%"

Win32/Spy.Agent.OKG is a worm that spreads via shared folders.

The worm tries to copy itself to shared network folders.

The files are then executed on the remote computer.

The worm executes the following commands:

  • net.exe view
  • %temp%\­%variable1%.exe %networkshare% -accepteula -d -c %temp%\­%variable2%.exe
  • %appdata%\­AdobeFlashPlayer\­mswinhost.exe -m %malwarefilepath%
Information stealing

The worm collects the following information:

  • computer name
  • user name
  • operating system version
  • logged keystrokes

The collected information is stored in the following file:

  • %appdata%\­AdobeFlashPlayer\­Log.txt

The worm searches memory of running processes and tries to find following information:

  • credit card information

It avoids processes which contain any of the following strings in their path:

  • lsass.exe
  • spoolsv.exe
  • mysqld.exe
  • services.exe
  • wmiprvse.exe
  • LogonUI.exe
  • taskhost.exe
  • wuauclt.exe
  • smss.exe
  • csrss.exe
  • winlogon.exe
  • alg.exe
  • iexplore.exe
  • firefox.exe
  • chrome.exe
  • devenv.exe

The worm attempts to send gathered information to a remote machine.

Other information

The worm creates and runs a new thread with its own program code within the following processes:

  • explorer.exe

The worm acquires data and commands from a remote computer or the Internet.

The worm contains a list of (2) URLs. The HTTP protocol is used in the communication.

It may perform the following actions:

  • download files from a remote computer and/or the Internet
  • run executable files
  • update itself to a newer version
  • uninstall itself
  • send gathered information

Please enable Javascript to ensure correct displaying of this content and refresh this page.