Threat Encyclopedia

Short description
Win32/Agent.OLJ is a trojan that deletes files in specific folders. The file is run-time compressed using Armadillo.
Installation
When executed, the trojan creates the following files:
  • %temp%\bt%variable%.bat (4286 B)
  • %windir%\Command\Command.bat (4286 B)
  • %userprofile%\startm~1\Programme\Autostart\%variable%.bat (4286 B)
  • C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\Command.bat (4286 B)
  • C:\Programm Files\bt%variable%.bat (4286 B)
A string with variable content is used instead of %variable%.

The files are then executed.

In order to be executed on every system start, the trojan sets the following Registry entry:
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
    CurrentVersion\Run]
    "Winlogon" = "%windir%\Command\Command.bat"
The following Registry entries are set:
  • [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\
    Mouclass]
    "Start" = 4
  • [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\
    Kbdclass]
    "Start" = 4
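As an added defender-side example (not part of the original encyclopedia entry), the following Python parses a Windows .reg export and flags the two registry changes listed above: a Run value pointing at Command.bat, and Start = 4 (SERVICE_DISABLED) on the Mouclass and Kbdclass keyboard and mouse class drivers, which leaves the machine without input after the next reboot. The sample .reg text is constructed for this example.

```python
import re

# Indicators taken from the description above (Win32/Agent.OLJ); keys lowercased
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
SERVICES = r"hkey_local_machine\system\currentcontrolset\services"
INPUT_DRIVERS = ("Mouclass", "Kbdclass")  # keyboard and mouse class drivers
SERVICE_DISABLED = 4                      # Start=4: driver is never loaded

def parse_reg_export(text):
    """Parse a .reg export into {key (lowercased): {name: value}}.
    Supports "name"="string" and "name"=dword:xxxxxxxx value lines."""
    unesc = lambda s: s.replace('\\\\', '\\').replace('\\"', '"')
    keys, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = re.match(r'^"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if not m or current is None:
            continue  # file header, blank line or unsupported value type
        name, val = unesc(m.group(1)), m.group(2)
        if val.startswith("dword:"):
            keys[current][name] = int(val[6:], 16)
        elif len(val) >= 2 and val[0] == val[-1] == '"':
            keys[current][name] = unesc(val[1:-1])
    return keys

def find_agent_olj_indicators(reg):
    """Return findings for the Run entry and the disabled input drivers."""
    findings = []
    for name, target in reg.get(RUN_KEY, {}).items():
        if isinstance(target, str) and target.lower().endswith(r"\command\command.bat"):
            findings.append(f"Run value '{name}' launches {target}")
    for drv in INPUT_DRIVERS:
        if reg.get(f"{SERVICES}\\{drv.lower()}", {}).get("Start") == SERVICE_DISABLED:
            findings.append(f"{drv} Start=4: driver disabled, no input after reboot")
    return findings

# Constructed sample export: infected Run value, Mouclass disabled, Kbdclass intact.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Winlogon"="C:\\WINDOWS\\Command\\Command.bat"
"Updater"="C:\\Program Files\\Example\\updater.exe"
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Mouclass]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Kbdclass]
"Start"=dword:00000001
"""
```

Run `find_agent_olj_indicators(parse_reg_export(SAMPLE_REG))` against an export taken with `reg export` from a suspect host; the Kbdclass entry in the sample stays at its normal Start value and is not reported.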
The trojan displays the following message:
The following files are deleted:
  • C:\*.sys
  • C:\*.bin
  • C:\*.bat
  • %system%\bootvid.dll
  • %system%\explorer.exe
Other information
The trojan launches the following processes:
  • iexplore.exe www.batch-rockz.dl.am
  • net.exe user "-Sph1nX-" "0wn3d" /add"
  • net.exe localgroup Administratoren "-Sph1nX-" /add
  • net.exe user "Sph1nX - %random%" "%random%" /add
  • net.exe localgroup Administratoren "Sph1nX - %random%" /add
  • shutdown.exe -s -t 30 -c "%username% g0t 0wn3d bY -Sph1nX-"
The following services are disabled:
  • AntiVirService
  • cryptsvc
  • Designs
  • Anmeldedienst
The following programs are terminated:
  • avgnt.exe
  • avguard.exe
  • taskmgr.exe
  • explorer.exe
  • lsass.exe
The trojan displays the following picture: