Threat Encyclopedia

Selected viruses, spyware, and other threats: sorted alphabetically

Win32/Agent.OGA

Aliases: Trojan-Dropper.Win32.Agent.clxl (Kaspersky), TrojanDropper:Win32/Dunik!rts (Microsoft), Trojan.MulDrop1.40321 (Dr. Web)
Type of infiltration: Trojan
Size: 85504 B
Affected platforms: Microsoft Windows
Signature database version: 3480 (20080929)

Short description

The trojan program is designed to deliver various advertisements to the user's system. The file is run-time compressed using UPX.

Installation

When executed, the trojan creates the following files:
  • %system%\sysintm.dll (32256 B, Win32/Agent.OGA)
The following Registry entries are set:
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs" = "sysintm.dll"
    "LoadAppInit_DLLs" = 1
  • [HKEY_LOCAL_MACHINE\SOFTWARE\IntMayak]
    "Config" = %variable%
The %variable% represents a random number.

This way the trojan ensures that the libraries with the following names will be injected into all running processes:
  • %system%\sysintm.dll
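A defender-side check for the persistence mechanism described above, as an added example that is not part of the original entry: it parses a constructed .reg export (assumed to contain only string and dword values) and flags the AppInit_DLLs settings and the IntMayak marker key that this trojan leaves behind.

```python
import re

# Constructed sample export of the two keys the trojan modifies; the Config
# number is a placeholder for the random value the entry calls %variable%.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="sysintm.dll"
"LoadAppInit_DLLs"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\IntMayak]
"Config"=dword:0000abcd
'''

APPINIT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
MARKER_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\IntMayak"
SUSPECT_DLL = "sysintm.dll"


def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: value}}.
    Only quoted string values and dword values are handled (assumption)."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current and line.startswith('"'):
            m = re.match(r'"([^"]+)"=(?:"(.*)"|dword:([0-9a-fA-F]{8}))$', line)
            if m:
                name, s, d = m.groups()
                keys[current][name] = s if s is not None else int(d, 16)
    return keys


def find_indicators(reg):
    """Return a list of human-readable findings for the Agent.OGA persistence."""
    findings = []
    win = reg.get(APPINIT_KEY, {})
    dlls = str(win.get("AppInit_DLLs", ""))
    if SUSPECT_DLL in dlls.lower():
        findings.append(f"AppInit_DLLs references {SUSPECT_DLL}")
    # Any non-empty AppInit_DLLs list with loading enabled deserves review,
    # even if the DLL name differs from the one in this entry.
    if win.get("LoadAppInit_DLLs") == 1 and dlls.strip():
        findings.append("LoadAppInit_DLLs enabled with a non-empty AppInit_DLLs list")
    if "Config" in reg.get(MARKER_KEY, {}):
        findings.append("IntMayak\\Config marker value present")
    return findings
```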

Other information

The trojan program is designed to deliver various advertisements to the user's system.

The trojan creates and runs a new thread with its own program code within the following processes:
  • chrome.exe
  • firefox.exe
  • iexplore.exe
  • maxthon.exe
  • opera.exe
  • safari.exe
The trojan hooks the following Windows APIs:
  • closesocket (ws2_32.dll)
  • connect (ws2_32.dll)
  • ioctlsocket (ws2_32.dll)
  • select (ws2_32.dll)
  • send (ws2_32.dll)
  • recv (ws2_32.dll)
  • WSASend (ws2_32.dll)
  • WSARecv (ws2_32.dll)
  • WSASocketW (ws2_32.dll)
  • WSAConnect (ws2_32.dll)
  • WSAWaitForMultipleEvents (ws2_32.dll)
  • WSAGetOverlappedResult (ws2_32.dll)
  • WSACreateEvent (ws2_32.dll)
  • WSACloseEvent (ws2_32.dll)
  • WSASetEvent (ws2_32.dll)
  • WSAResetEvent (ws2_32.dll)
  • WSAAsyncSelect (ws2_32.dll)
  • WSAEnumNetworkEvents (ws2_32.dll)
  • WSAEventSelect (ws2_32.dll)
When the user enters certain keywords into the browser, the trojan opens certain URLs related to them.

The following keywords are monitored:
  • odnoklasniki.ru
  • odnoklassniki.ru
  • vkontakte.ru
The trojan opens the following URLs:
  • http://91.213.174.36/promo/odnkl/
  • http://91.213.174.36/promo/vk/