Content

Spy-Agent.bw

Type
Trojan
SubType
Win32
Discovery Date
08/20/2007
Length
Varies
Minimum DAT
4985 (03/15/2007)
Updated DAT
6458 (09/03/2011)
Minimum Engine
5.4.00
Description Added
03/15/2007
Description Modified
09/17/2010 3:14 AM (PT)
Risk Assessment
Corporate User
Low-Profiled
Home User
Low-Profiled

Tab Navigation

Characteristics

-- Update September 17, 2010 --

File Information

  • MD5  -  5FB94EEF8BD57FE8E20CCC56E33570C5
  • SHA  - 19BEB9F13E1428CDB368241B72297743684A8879

Aliases

  • Ikarus         - Trojan.Crypt
  • NOD32       - Win32/Spy.Zbot.JF
  • Symantec   - Trojan.Zbot
  • TrendMicro - TROJ_ZBOT.WAH

Upon execution, the Trojan drops the following file into the system.

  • %Windir%\system32\ntos.exe [Hidden]

The following registry value has been added to the system.

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network]
    UID = "%ComputerName_Machine specific ID%"
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
    ProxyEnable = 0x00000000
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer]
    {F710FA10-2031-3106-8872-93A2B5C5C620} = F7 09 F2 0D

The Trojan disables the windows firewall by adding the following value to the registry keys:

  • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\]
    “EnableFirewall” = “0x00000000”
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\]
    “EnableFirewall” = “0x00000000”

The following registry values have been modified.

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\]
    Userinit: = "%Windir%\system32\ntos.exe"

The above mentioned registry ensures that, the Trojan registers itself with the compromised system and executes itself upon every boot.

[%UserProfile% is c:\Documents and Settings\Administrator\, %Temp% is C:\Documents and Settings\Administrator\Local Settings\Temp\ and %SystemDrive% is the drive where the Operating System is installed, in most cases it will be C:\]

---------------------------------------------------------------------------------------------

-- Update February 18, 2010 --

A new variant of this threat is being used to steal financial information from infected machines. This new variant shows the following behavior:

The files and directories below were created:

  • %WINDDIR%\system32\lowsec\local.ds (data file)
  • %WINDDIR%\system32\lowsec\user.ds (data file)
  • %WINDDIR%\system32\lowsec\user.ds.lll (data file)
  • %WINDDIR%\system32\sdra64.exe (Spy-Agent.bw)

(Where %WINDIR refers to the directory where Windows is installed. For Windows XP, this usually means C:\Windows)

The malware inject its malicious code into the Winlogon.exe process. It also add the following registry key to run again after reboot:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "%WINDDIR%\system32\userinit.exe,%WINDDIR%\system32\sdra64.exe,"

The Windows firewall is disabled.

The following key is created with the Windows name of the infected machine:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID = "MACHINE_NAME"

The registry keys below are created:

  • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6}\{3039636B-5F3D-6C64-6675-696870667265} = F7 09 F2 0D
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6}\{33373039-3132-3864-6B30-303233343434} = 47 09 F2 0D

The malware tries to download  a file with extension .BIN from one of the following locations:

  • update[removed].com
  • goo[removed].net
  • oia[removed].ru
  • base[removed].com
  • nolif[removed].net
  • lake777.[removed].net

 

-- Update March 26, 2009 ---

  • New variants have been observed in attachments of spoofed emails. These emails appear to come from DHL and are regarding a missed shipment. The subject line may contain a falsified tracking ID.

    -- Update December 2, 2008 --

    A new variant began to be spammed to German customer earlier this morning. The trojan comes with an email claiming that your email account is locked and the instructions to unlock the account can be found in the attachment(the trojan).

    Filenames used are Sperrung.exe, Hinweis.exe and the dropped file is named Wins.exe.

    Detection for these variants is included in todays 5452 DAT package.

    An Extra DAT file can be obtained from the Extra DAT request page:http://www.webimmune.net/extra/getextra.aspx

     

     -- Update August 19, 2008 --

    Another variant got spammed today. The subject of those mail reads 'Colis postal' and pretends to be sent from 'La Poste France' or it pretends to be sent from 'Hawaiian Airlines' using the subject 'Your Flight Ticket N0165906'.

    Attached to these mails is a ZIP archive, named 'La_Poste_N8832.zip' or 'Your Flight Ticket N0165906', which includes the trojan Spy-Agent.bw.

    Detection for this new variant will be included in todays 5364 DATs.

     -- Update August 18, 2008 --

    A new variant of Spy-Agent.bw  has been observed which comes as an attachment to a fake email claiming to be from Fedex. The attachment might be named Fedx-retr871.zip or similar.

    Upon execution, a new variant creates the following file:

    • C:\​WINDOWS\​system32\​ntos.exe (Spy-Agent,bw)

    It changes the following registry key:

    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = %Windir%\System32\userinit %Windir%\System32\ntos.exe

    -- Update August 04, 2008 --

    A new variant of Spy-Agent.bw  has been observed which comes as an attachment to a fake email claiming to be from UPS.

    Upon execution, a new variant creates the following hidden files and hidden folder:

    • %Windir%\System32\wsnpoem\ (folder)
    • %Windir%\System32\wsnpoem\audio.dll (data file)
    • %Windir%\System32\wsnpoem\video.dll (data file)
    • %Windir%\System32\ntos.exe (Spy-Agent.bw)

    (Where %Windir% is the Windows folder; C:\Windows)

    The following registry keys are modified/added :

    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = %Windir%\System32\userinit %Windir%\System32\ntos.exe
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID = <COMPUTER Name_%Random%>

    The trojan inject its malcode to the following process:

    • winlogon.exe

    It can connect to the following website to communicate stolen data, log actions and receive instructions:

    • ahleinaks.ru

    -- Update July 21, 2008 --

    A new variant of Spy-Agent.bw  has been observed which comes as an attachment to a fake email claiming to be from UPS.

    It can connect to the following website to communicate stolen data, log actions and receive instructions:

    • blatundalqik.ru

    -- Update May 13, 2008 --

    Upon execution, a new variant creates the following hidden files and hidden folder:

    • %Windir%\System32\wsnpoem\ (folder)
    • %Windir%\System32\wsnpoem\audio.dll (data file)
    • %Windir%\System32\wsnpoem\video.dll (data file)
    • %Windir%\System32\ntos.exe (Spy-Agent.bw)

    (Where %Windir% is the Windows folder; C:\Windows)

    The following registry keys are modified/added :

    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = %Windir%\System32\userinit %Windir%\System32\ntos.exe
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID = <COMPUTER Name_%Random%>

    The trojan inject its malcode to the following process:

    • winlogon.exe

    It can connect to the following site to communicate stolen data, log actions and receive instructions:

    • razvlekalovo.net

    -- Update August 20, 2007 --


    The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
    http://www.techworld.com/security/news/index.cfm?newsID=9833&pagtype=samechan
    --

    A recent variant was found to be stealing data from recruitment websites when the user is infected. This variant can be proactively detected proactively as New Win32.g2 using the following scanners with heuristics enabled: GroupShield, Secure Internet Gateway (SIG), Secure Mail Gateway (SMG), Secure Web Gateway (SWG), TOPS Email, VirusScan Enterprise Email, VirusScan Email.

    Upon execution, it creates the following files and folder:

    • %Windir%\System32\wsnpoem\ (folder)
    • %Windir%\System32\wsnpoem\audio.dll (data file)
    • %Windir%\System32\wsnpoem\video.dll (data file)
    • %Windir%\System32\ntos.exe (Spy-Agent.bw)

    (Where %Windir% is the Windows folder; C:\Windows)

    The following registry keys are modified/added :

    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\pathx = <PATH Spy-Agent.bw to>
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = %Windir%\System32\userinit %Windir%\System32\ntos.exe
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID = <COMPUTER Name_%Random%>

    The trojan inject its malcode to the following process:

    • svchost.exe
    • winlogon.exe

    It follows that a particular variant of Spy-Agent.bw can log into the following recruitment websites in search of resume data and personal information and then post them to:

    • recruiter.monster.com
    • hiring.monster.com

    Spy-Agent.bw can connect to the following site(s) to communicate stolen data, log actions and receive instructions:

    • http://195.189.{blocked}/mnstr/grabv2.php?getid=1
    • http://195.189.{blocked}/spmv3.php?sendlog=
    • http://195.189.{blocked}/mnstr/grabv2.php
    • http://195.189.{blocked}/pmv3.php?sentmailz=

    Sends spam e-mails via the following SMTP server:

    • smtp.bizmail.yahoo.com

     

Symptoms

  • Presence of file(s) and registry key(s) as previously mentioned.
  • Unexpected network connections to the mentioned site(s).

 

Method of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email, etc. Certain known variants were also known to be installed via web exploits.

Removal

All Users:
Use specified engine and DAT files for detection.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the current engine and the specified DATs (or higher). Older engines may not be able to remove all registry keys created by this threat.

Additional Windows ME/XP removal considerations

Variants

Variants

  • Kneber
  • Zeus

All Information

Overview -

Update: February 22, 2010

McAfee Labs has posted a "Kneber" FAQ here

-----------------------------------------

A recent variant was found to be stealing data from recruitment websites when the user is infected. This variant can be proactively detected proactively as New Win32.g2 using the following scanners with heuristics enabled: GroupShield, Secure Internet Gateway (SIG), Secure Mail Gateway (SMG), Secure Web Gateway (SWG), TOPS Email, VirusScan Enterprise Email, VirusScan Email.

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Aliases

  • Infostealer.Monstres (Symantec)

Characteristics

Characteristics -

-- Update September 17, 2010 --

File Information

  • MD5  -  5FB94EEF8BD57FE8E20CCC56E33570C5
  • SHA  - 19BEB9F13E1428CDB368241B72297743684A8879

Aliases

  • Ikarus         - Trojan.Crypt
  • NOD32       - Win32/Spy.Zbot.JF
  • Symantec   - Trojan.Zbot
  • TrendMicro - TROJ_ZBOT.WAH

Upon execution, the Trojan drops the following file into the system.

  • %Windir%\system32\ntos.exe [Hidden]

The following registry value has been added to the system.

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network]
    UID = "%ComputerName_Machine specific ID%"
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
    ProxyEnable = 0x00000000
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer]
    {F710FA10-2031-3106-8872-93A2B5C5C620} = F7 09 F2 0D

The Trojan disables the windows firewall by adding the following value to the registry keys:

  • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\]
    “EnableFirewall” = “0x00000000”
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\]
    “EnableFirewall” = “0x00000000”

The following registry values have been modified.

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\]
    Userinit: = "%Windir%\system32\ntos.exe"

The above mentioned registry ensures that, the Trojan registers itself with the compromised system and executes itself upon every boot.

[%UserProfile% is c:\Documents and Settings\Administrator\, %Temp% is C:\Documents and Settings\Administrator\Local Settings\Temp\ and %SystemDrive% is the drive where the Operating System is installed, in most cases it will be C:\]

---------------------------------------------------------------------------------------------

-- Update February 18, 2010 --

A new variant of this threat is being used to steal financial information from infected machines. This new variant shows the following behavior:

The files and directories below were created:

  • %WINDDIR%\system32\lowsec\local.ds (data file)
  • %WINDDIR%\system32\lowsec\user.ds (data file)
  • %WINDDIR%\system32\lowsec\user.ds.lll (data file)
  • %WINDDIR%\system32\sdra64.exe (Spy-Agent.bw)

(Where %WINDIR refers to the directory where Windows is installed. For Windows XP, this usually means C:\Windows)

The malware inject its malicious code into the Winlogon.exe process. It also add the following registry key to run again after reboot:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "%WINDDIR%\system32\userinit.exe,%WINDDIR%\system32\sdra64.exe,"

The Windows firewall is disabled.

The following key is created with the Windows name of the infected machine:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID = "MACHINE_NAME"

The registry keys below are created:

  • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6}\{3039636B-5F3D-6C64-6675-696870667265} = F7 09 F2 0D
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6}\{33373039-3132-3864-6B30-303233343434} = 47 09 F2 0D

The malware tries to download  a file with extension .BIN from one of the following locations:

  • update[removed].com
  • goo[removed].net
  • oia[removed].ru
  • base[removed].com
  • nolif[removed].net
  • lake777.[removed].net

 

-- Update March 26, 2009 ---

  • New variants have been observed in attachments of spoofed emails. These emails appear to come from DHL and are regarding a missed shipment. The subject line may contain a falsified tracking ID.

    -- Update December 2, 2008 --

    A new variant began to be spammed to German customer earlier this morning. The trojan comes with an email claiming that your email account is locked and the instructions to unlock the account can be found in the attachment(the trojan).

    Filenames used are Sperrung.exe, Hinweis.exe and the dropped file is named Wins.exe.

    Detection for these variants is included in todays 5452 DAT package.

    An Extra DAT file can be obtained from the Extra DAT request page:http://www.webimmune.net/extra/getextra.aspx

     

     -- Update August 19, 2008 --

    Another variant got spammed today. The subject of those mail reads 'Colis postal' and pretends to be sent from 'La Poste France' or it pretends to be sent from 'Hawaiian Airlines' using the subject 'Your Flight Ticket N0165906'.

    Attached to these mails is a ZIP archive, named 'La_Poste_N8832.zip' or 'Your Flight Ticket N0165906', which includes the trojan Spy-Agent.bw.

    Detection for this new variant will be included in todays 5364 DATs.

     -- Update August 18, 2008 --

    A new variant of Spy-Agent.bw  has been observed which comes as an attachment to a fake email claiming to be from Fedex. The attachment might be named Fedx-retr871.zip or similar.

    Upon execution, a new variant creates the following file:

    • C:\​WINDOWS\​system32\​ntos.exe (Spy-Agent,bw)

    It changes the following registry key:

    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = %Windir%\System32\userinit %Windir%\System32\ntos.exe

    -- Update August 04, 2008 --

    A new variant of Spy-Agent.bw  has been observed which comes as an attachment to a fake email claiming to be from UPS.

    Upon execution, a new variant creates the following hidden files and hidden folder:

    • %Windir%\System32\wsnpoem\ (folder)
    • %Windir%\System32\wsnpoem\audio.dll (data file)
    • %Windir%\System32\wsnpoem\video.dll (data file)
    • %Windir%\System32\ntos.exe (Spy-Agent.bw)

    (Where %Windir% is the Windows folder; C:\Windows)

    The following registry keys are modified/added :

    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = %Windir%\System32\userinit %Windir%\System32\ntos.exe
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID = <COMPUTER Name_%Random%>

    The trojan inject its malcode to the following process:

    • winlogon.exe

    It can connect to the following website to communicate stolen data, log actions and receive instructions:

    • ahleinaks.ru

    -- Update July 21, 2008 --

    A new variant of Spy-Agent.bw  has been observed which comes as an attachment to a fake email claiming to be from UPS.

    It can connect to the following website to communicate stolen data, log actions and receive instructions:

    • blatundalqik.ru

    -- Update May 13, 2008 --

    Upon execution, a new variant creates the following hidden files and hidden folder:

    • %Windir%\System32\wsnpoem\ (folder)
    • %Windir%\System32\wsnpoem\audio.dll (data file)
    • %Windir%\System32\wsnpoem\video.dll (data file)
    • %Windir%\System32\ntos.exe (Spy-Agent.bw)

    (Where %Windir% is the Windows folder; C:\Windows)

    The following registry keys are modified/added :

    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = %Windir%\System32\userinit %Windir%\System32\ntos.exe
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID = <COMPUTER Name_%Random%>

    The trojan inject its malcode to the following process:

    • winlogon.exe

    It can connect to the following site to communicate stolen data, log actions and receive instructions:

    • razvlekalovo.net

    -- Update August 20, 2007 --


    The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
    http://www.techworld.com/security/news/index.cfm?newsID=9833&pagtype=samechan
    --

    A recent variant was found to be stealing data from recruitment websites when the user is infected. This variant can be proactively detected proactively as New Win32.g2 using the following scanners with heuristics enabled: GroupShield, Secure Internet Gateway (SIG), Secure Mail Gateway (SMG), Secure Web Gateway (SWG), TOPS Email, VirusScan Enterprise Email, VirusScan Email.

    Upon execution, it creates the following files and folder:

    • %Windir%\System32\wsnpoem\ (folder)
    • %Windir%\System32\wsnpoem\audio.dll (data file)
    • %Windir%\System32\wsnpoem\video.dll (data file)
    • %Windir%\System32\ntos.exe (Spy-Agent.bw)

    (Where %Windir% is the Windows folder; C:\Windows)

    The following registry keys are modified/added :

    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\pathx = <PATH Spy-Agent.bw to>
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = %Windir%\System32\userinit %Windir%\System32\ntos.exe
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID = <COMPUTER Name_%Random%>

    The trojan inject its malcode to the following process:

    • svchost.exe
    • winlogon.exe

    It follows that a particular variant of Spy-Agent.bw can log into the following recruitment websites in search of resume data and personal information and then post them to:

    • recruiter.monster.com
    • hiring.monster.com

    Spy-Agent.bw can connect to the following site(s) to communicate stolen data, log actions and receive instructions:

    • http://195.189.{blocked}/mnstr/grabv2.php?getid=1
    • http://195.189.{blocked}/spmv3.php?sendlog=
    • http://195.189.{blocked}/mnstr/grabv2.php
    • http://195.189.{blocked}/pmv3.php?sentmailz=

    Sends spam e-mails via the following SMTP server:

    • smtp.bizmail.yahoo.com

     

Symptoms

Symptoms -

  • Presence of file(s) and registry key(s) as previously mentioned.
  • Unexpected network connections to the mentioned site(s).

 

Method of Infection

Method of Infection -

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email, etc. Certain known variants were also known to be installed via web exploits.

Removal -

Removal -

All Users:
Use specified engine and DAT files for detection.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the current engine and the specified DATs (or higher). Older engines may not be able to remove all registry keys created by this threat.

Additional Windows ME/XP removal considerations

Variants

Variants -

  • Kneber
  • Zeus