Threat behavior
Backdoor:Win32/Agent.OI is a detection for malware that allows remote access to the infected computer, which includes but is not limited to downloading and uploading files and executing commands.
Installation
Backdoor:Win32/Agent.OI can be loaded by rundll32.exe, or installed as a system service so that it is loaded into svchost.exe when the system starts.
Payload
Allows backdoor access and control
Backdoor:Win32/Agent.OI tries to connect to a remote server to report infection and retrieve commands. We have observed the malware trying to connect to the following servers:
- 62.150.100.135
- 220.241.35.236
- 211.22.80.146
Depending on the commands retrieved, Backdoor:Win32/Agent.OI may be able to:
- Upload files
- Download and execute arbitrary files
- Start a CMD shell connection back to a specific IP address and port
- Execute arbitrary commands via CMD.EXE and upload the output
Drops log files
Backdoor:Win32/Agent.OI drops log files named <current process>.xxt.
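The two observable artifacts described above (outbound connections to the listed servers, and dropped .xxt log files) can be turned into simple defender-side checks. The following Python is an added example written for this page; it is not code from the original description or from Microsoft. It assumes a constructed proxy/firewall log format with host=, proc= and dst= fields (any real log would need its own parser), and it assumes the dropped log file is identified by its .xxt extension, since the page gives only the <current process>.xxt pattern.

```python
import re

# Remote servers listed in the threat description above.
KNOWN_C2_SERVERS = {"62.150.100.135", "220.241.35.236", "211.22.80.146"}

# Constructed sample log lines in a hypothetical proxy/firewall format.
# These are not real telemetry; they exist only to exercise the checks.
SAMPLE_LOG = """\
2024-01-01T10:00:01Z host=WS01 proc=svchost.exe dst=62.150.100.135:80 action=allow
2024-01-01T10:00:05Z host=WS01 proc=chrome.exe dst=93.184.216.34:443 action=allow
2024-01-01T10:01:12Z host=WS02 proc=rundll32.exe dst=211.22.80.146:8080 action=allow
"""

# Field layout of the constructed log format (assumption, see lead-in).
LOG_RE = re.compile(
    r"host=(?P<host>\S+) proc=(?P<proc>\S+) dst=(?P<ip>[\d.]+):(?P<port>\d+)"
)


def find_c2_connections(log_text, c2_servers=KNOWN_C2_SERVERS):
    """Return (host, process, ip, port) for every log line whose destination
    is one of the known command-and-control servers.

    Lines that do not match the expected layout are skipped rather than
    raising, so a malformed line cannot abort a scan of a large log.
    """
    hits = []
    for line in log_text.splitlines():
        match = LOG_RE.search(line)
        if match is None:
            continue
        if match.group("ip") in c2_servers:
            hits.append(
                (
                    match.group("host"),
                    match.group("proc"),
                    match.group("ip"),
                    int(match.group("port")),
                )
            )
    return hits


def find_xxt_log_files(filenames):
    """Return the file names (sorted) that end in the .xxt extension the
    backdoor uses for its dropped log files. Matching is case-insensitive
    because Windows file systems are. Pass the output of os.listdir() for
    a directory of interest.
    """
    return sorted(name for name in filenames if name.lower().endswith(".xxt"))


if __name__ == "__main__":
    for host, proc, ip, port in find_c2_connections(SAMPLE_LOG):
        print(f"{host}: {proc} connected to known C2 {ip}:{port}")
    # Constructed directory listing, not a real one.
    for name in find_xxt_log_files(["svchost.exe.xxt", "notes.txt"]):
        print(f"suspicious dropped log file: {name}")
```

In practice the IP check belongs in whatever log pipeline already exists (proxy, firewall, EDR network events), and a .xxt file sitting next to a process image such as svchost.exe or rundll32.exe is worth preserving for forensic review rather than deleting, since the page says it is the backdoor's own log.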
Analysis by Shawn Wang
Prevention