Win32/Agent.OBS [Threat Name]

Win32/Agent.OBS [Threat Variant Name]

Category: trojan, worm
Size: 228864 B
Detection created: Aug 13, 2008
Detection database version: 17132
Aliases: Trojan.Win32.Mansabo.ako (Kaspersky)

Short description

Win32/Agent.OBS is a worm that tries to download other malware from the Internet. It usually carries other malware files embedded within its main body. The worm tries to create files on available remote computers.

Installation

The worm does not create any copies of itself.

Spreading

The worm usually embeds the program code of the following malware:

  • Win32/TrickBot.AK

The worm tries to create files on the available remote computers.


The files are stored in the following locations:

  • \\%remotecomputeripaddress%\C$\WINDOWS\%variable1%.exe (115712 B, Win32/TrickBot.AK)

The worm registers the file as a system service.


The following Registry entries are set:

  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\%variable1%]
    • "DisplayName" = "%variable1%"
    • "ErrorControl" = 1
    • "ImagePath" = "\\.\C:\WINDOWS\%variable1%.exe\\.\C:\WINDOWS\%variable2%.exe"
    • "Start" = 3
    • "Type" = 16

A string with variable content is used instead of %variable1-2%.


The file is then remotely executed.
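
The service entry listed above can be searched for on hosts that expose admin shares. The following check is an added example, not ESET's code: it assumes the input is the text output of `reg query HKLM\SYSTEM\CurrentControlSet\Services /s`, and the service and file names in the sample are constructed.

```python
import re

SERVICES = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services" + "\\"
# ImagePath beginning \\.\C:\WINDOWS\<name>.exe, as in the registry entry above
IMAGE_RE = re.compile(r"^\\\\\.\\C:\\WINDOWS\\([^\\]+)\.exe", re.IGNORECASE)

# Constructed sample; the service and file names are made up for illustration.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler
    DisplayName    REG_SZ    @%systemroot%\system32\spoolsv.exe,-1
    ErrorControl    REG_DWORD    0x1
    ImagePath    REG_EXPAND_SZ    %SystemRoot%\System32\spoolsv.exe
    Start    REG_DWORD    0x2
    Type    REG_DWORD    0x110

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\qxkzt
    DisplayName    REG_SZ    qxkzt
    ErrorControl    REG_DWORD    0x1
    ImagePath    REG_EXPAND_SZ    \\.\C:\WINDOWS\qxkzt.exe\\.\C:\WINDOWS\mvwpl.exe
    Start    REG_DWORD    0x3
    Type    REG_DWORD    0x10

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\qxkzt\Security
    Security    REG_BINARY    01001480
"""

def parse_reg_query(text):
    """Parse `reg query ... /s` output into {service: {value_name: data}}."""
    services, current = {}, None
    for line in text.splitlines():
        if line.upper().startswith(SERVICES.upper()):
            name = line[len(SERVICES):]
            # Only direct children are services; ignore subkeys such as ...\Security.
            current = services.setdefault(name, {}) if name and "\\" not in name else None
        elif current is not None and line.startswith("    "):
            parts = line.strip().split("    ", 2)
            if len(parts) == 3:
                current[parts[0]] = int(parts[2], 16) if parts[1] == "REG_DWORD" else parts[2]
    return services

def matches_entry(name, v):
    """True when the service shows every trait of the registry entry above."""
    m = IMAGE_RE.match(str(v.get("ImagePath", "")))
    return bool(m and m.group(1).lower() == name.lower()
                and str(v.get("DisplayName", "")).lower() == name.lower()
                and (v.get("Type"), v.get("Start"), v.get("ErrorControl")) == (16, 3, 1))

def suspicious_services(text):
    return sorted(n for n, v in parse_reg_query(text).items() if matches_entry(n, v))
```

Because %variable1% differs per infection, the match keys on the structure of the entry rather than on a fixed name; a hit is a lead for triage of the referenced files.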

Other information

The worm contains a URL address.


It tries to download a file from the address.


The file is stored in the following location:

  • \\%remotecomputeripaddress%\C$\WINDOWS\%variable2%.exe

The files are then executed on the remote computer. The HTTP protocol is used in the communication.
