Threat Encyclopedia

Win32/Agent.OBY

Aliases: Trojan.Win32.VB.aahw (Kaspersky), VirTool:Win32/VBInject.gen!CN (Microsoft), Trojan:W32/Agent.NAG (F-Secure)
Type of infiltration: Trojan
Size: 40960 B
Affected platforms: Microsoft Windows
Signature database version: 3353 (20080813)

Short description

Win32/Agent.OBY is a trojan that tries to promote certain web sites. The trojan sends HTTP requests to simulate clicks on banner advertisements, to inflate web counter statistics, etc. It uses techniques common to rootkits.

Installation

When executed, the trojan copies itself into the %system% folder under the following name:
  • ntsvc32.exe
In order to be executed on every system start, the trojan modifies the following Registry key:
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion]
    "Winlogon" = "%system%\ntsvc32.exe"

Other information

The trojan creates and runs a new thread with its own program code in all running processes.

The trojan hooks the following Windows APIs:
  • ZwResumeThread (ntdll.dll)
  • ZwCreateFile (ntdll.dll)
  • ZwQueryDirectoryFile (ntdll.dll)
  • InternetReadFile (Wininet.dll)
  • WSARecv (WS2_32.dll)
  • WSASend (WS2_32.dll)
  • recv (WS2_32.dll)
  • send (WS2_32.dll)
The trojan sends HTTP requests to simulate clicks on banner advertisements, to inflate web counter statistics etc.