Win32/Spy.Agent.OXM [Threat Name] go to Threat

Win32/Spy.Agent.OXM [Threat Variant Name]

Category trojan
Size 63488 B
Detection created Jun 27, 2016
Detection database version 13713
Short description

Win32/Spy.Agent.OXM serves as a backdoor. It can be controlled remotely.


The trojan is usually a part of other malware.

When executed, the trojan copies itself into the following location:

  • %appdata%\­WinSAT\­WinSAT.dll

In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_CURRENT_USER\­SOFTWARE\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "WinSAT" = "%windir%\­System32\­rundll32.exe "%appdata%\­WinSAT\­WinSAT.dll",RunAssessment"

The trojan creates and runs a new thread with its own program code within the following processes:

  • explorer.exe

After the installation is complete, the trojan deletes the original executable file.

Other information

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a URL address. The HTTP protocol is used in the communication.

It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • capture screenshots
  • upload files to a remote computer
  • upload file list
  • delete Registry entries
  • update itself to a newer version

It can send various information about the infected computer.

The trojan keeps various information in the following files:

  • %temp%\­WinSAT.cif
  • %temp%\­WinSAT.scf
  • %appdata%\­WinSAT\­SSL.dat
  • %appdata%\­WinSAT\­SSL.enc
  • %appdata%\­WinSAT\­WinSAT.lst

Please enable Javascript to ensure correct displaying of this content and refresh this page.