Spy-Agent.ba

Type: Trojan
SubType: Trojan
Discovery Date: 05/30/2006
Length: varies
Minimum DAT: 4773 (05/30/2006)
Updated DAT: 5372 (08/28/2008)
Minimum Engine: 5.1.00
Description Added: 05/30/2006
Description Modified: 03/14/2007 4:52 PM (PT)
Risk Assessment: Corporate User Low / Home User Low

Characteristics

Upon execution, the trojan drops a DLL (typically named "ipv6monl.dll") in %SystemDir% (typically C:\Windows\System32). Some versions may also place a copy of the original executable in %SystemDir%.

The dropped DLL is registered as a Browser Helper Object (BHO), and the following associated registry elements are created:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{36DBC179-A19F-48F2-B16A-6A3E19B42A87}]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{36DBC179-A19F-48F2-B16A-6A3E19B42A87}]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{36DBC179-A19F-48F2-B16A-6A3E19B42A87}]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{36DBC179-A19F-48F2-B16A-6A3E19B42A87}\InprocServer32]
    @="C:\WINDOWS\system32\ipv6monl.dll"

The Windows Firewall settings for Internet Explorer are lowered (an outbound exception for IEXPLORE.EXE is added to the XP-era firewall policy) and browser extensions are enabled through the addition of the following values:

  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\
    FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE"="C:\Program Files\Internet Explorer\IEXPLORE.EXE:*:Enabled:Internet"
  • [HKEY_CURRENT_USER\SOFTWARE\Internet Explorer\Main]
    "Enable Browser Extensions"="yes"

Additionally, certain parameters of unknown purpose are stored under this new registry key:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\load]
    "cmpid"=hex:[data varies]
    "net_insll"=dword:[data varies]
    "worg"=hex:[data varies]
    "info_sze"=hex:[data varies]
    "ino"=hex:[data varies]
    "timeu"=dword:[data varies]
    "h"=dword:[data varies]
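
The registry keys and values listed above are the most reliable host indicators for this sample. As an added example (not part of the original write-up or of any vendor tool), the following Python script checks a text dump produced by `reg export` for them. The embedded SAMPLE_EXPORT is a constructed stand-in for a real export; the indicator names (bho_registration, com_registration, bho_dll, config_values, firewall_exception) are this example's own labels. The IE firewall exception is reported separately because any installer can add one; on its own it is a weaker indicator than the BHO CLSID and the ipv6monl.dll InprocServer32 path.

```python
"""Flag the Spy-Agent.ba registry artifacts listed above in a text dump written by 'reg export'."""

BHO_CLSID = "{36DBC179-A19F-48F2-B16A-6A3E19B42A87}"
DROPPED_DLL = "ipv6monl.dll"
LOAD_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\load"
LOAD_VALUES = {"cmpid", "net_insll", "worg", "info_sze", "ino", "timeu", "h"}
FIREWALL_LIST = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters"
                 r"\FirewallPolicy\StandardProfile\AuthorizedApplications\List")


def parse_reg_export(text):
    """Return {key_path: {value_name: raw_data}} from .reg text; the default value keeps the name '@'.
    Joins the trailing-backslash continuation lines that 'reg export' emits for long hex data."""
    keys, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):
            pending = line[:-1]
        elif line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and "=" in line:
            name, data = line.split("=", 1)
            keys[current][name.strip('"')] = data
    return keys


def find_indicators(text):
    """Return (indicator, detail) pairs for the registry artifacts the write-up lists."""
    hits = []
    for path, values in parse_reg_export(text).items():
        upper = path.upper()  # registry key names are case-insensitive; .reg dumps preserve stored case
        if upper.endswith("\\BROWSER HELPER OBJECTS\\" + BHO_CLSID):
            hits.append(("bho_registration", path))
        elif upper.endswith("\\CLASSES\\APPID\\" + BHO_CLSID) or upper.endswith("\\CLASSES\\CLSID\\" + BHO_CLSID):
            hits.append(("com_registration", path))
        elif upper.endswith(BHO_CLSID + "\\INPROCSERVER32"):
            dll = values.get("@", "").strip('"').replace("\\\\", "\\")  # undo .reg backslash doubling
            if dll.lower().endswith(DROPPED_DLL):
                hits.append(("bho_dll", dll))
        elif upper == LOAD_KEY.upper():
            present = sorted(LOAD_VALUES & set(values))
            if present:
                hits.append(("config_values", present))
        elif upper == FIREWALL_LIST.upper():
            for name, data in values.items():
                # weak on its own: any installer can add an IE exception; reported for correlation only
                if name.lower().endswith("iexplore.exe") and ":enabled:" in data.lower():
                    hits.append(("firewall_exception", name.replace("\\\\", "\\")))
    return hits


# Constructed sample export (not a real capture) reproducing the keys from the write-up.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{36DBC179-A19F-48F2-B16A-6A3E19B42A87}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{36DBC179-A19F-48F2-B16A-6A3E19B42A87}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{36DBC179-A19F-48F2-B16A-6A3E19B42A87}\InprocServer32]
@="C:\\WINDOWS\\system32\\ipv6monl.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\load]
"cmpid"=hex:de,ad,be,ef
"net_insll"=dword:00000001
"h"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"="C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE:*:Enabled:Internet"
"""

if __name__ == "__main__":
    # Real use: text = open(r"C:\case\software.reg", encoding="utf-16").read()  ('reg export' writes UTF-16)
    for kind, detail in find_indicators(SAMPLE_EXPORT):
        print(f"{kind}: {detail}")
```

On a live XP-era host the inputs come from `reg export HKLM\SOFTWARE software.reg` and `reg export HKLM\SYSTEM system.reg`; open them with `encoding="utf-16"` because `reg export` writes Unicode text. The `Control Panel\load` value names are matched by name only, since their contents vary from install to install.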

When Internet Explorer is launched (which loads the BHO), the software attempts to check in with a remote server via HTTP; at the time of analysis the *.php target the trojan requests was not found. The software then searches for cached username and password pairs previously stored by Internet Explorer and copies them to a text file (info.txt, see below). Upload of the collected data to a third party was not observed during analysis, possibly because the check-in server did not respond, but it is quite probable that the software does so.

The software continues to collect new account information as the victim browses the web. Collected data is stored in the following files:

  • %SystemDir%\info.txt
  • %SystemDir%\form.txt

Though not observed during analysis, there are indications that screenshots or other data from the infected system may be stored in one or more of the following files:

  • %SystemDir%\shot.bmp
  • %SystemDir%\shot.html
  • %SystemDir%\*.pfx

info.txt - This file contains what appears to be the trojan version, host name, system IP address, country, a unique "CompID" value, and a brief classification of the operating system type. Local email account information from Outlook Express (and likely other versions of Outlook) and stored auto-complete passwords are then appended. An example of the data format (some variable data replaced, shown in square brackets):

3.7.77
host: [victim-computer-name]
if1 : 192.168.1.137
United States
CompID: [256-bit hexadecimal value]

Windows NT or later

[email]@[domain].com;[IP address]:OutlokExp [username]::[password]
http://www.[somewebmailservice].com:Auto-Complete-Passwords: [username]::[password]

form.txt - Along with a header similar to info.txt, this file contains username and password information actively gathered from web forms while the trojan is installed. The software records entered form data along with a time/date stamp. An example of the data format (generated by browsing several websites and using bogus user names and passwords; some variable data replaced, shown in square brackets):

---------------------------------------------
CompID: [256-bit hexadecimal value]
Ver: 3.7.77
host: [victim-computer-name]
if1 : 192.168.1.137
---------------------------------------------

--------------------------------------------- Wed Mar 14 14:30:48 2007
URL: https://www4.usbank.com/internetBanking/LoginRouter

REQ: requestCmdId=PrivateLogon&USERID=&PSWD=&reqcrda=fake-usbank-user&reqcrdb=myusbankpassword&doubleclick=2

--------------------------------------------- Wed Mar 14 14:31:39 2007
URL: https://signin.ebay.com/ws/eBayISAPI.dll?SignIn&co_partnerId=2&pUserId=&siteid=0&pageType=&pa1=&i1=&bshowgif=
&UsingSSL=&ru=&pp=&pa2=&errmsg=&runame=&ruparams=&ruproduct=&sid=
&favoritenav=&confirm=&ebxPageType=&existingEmail=&isCheckout=&migrateVisitor=

Action: https://scgi.ebay.com/ws/eBayISAPI.dll?RegisterEnterInfo&siteid=0&co_partnerid=2&UsingSSL=1
Method: post

Action: https://signin.ebay.com/ws/eBayISAPI.dll?co_partnerid=2&siteid=0&UsingSSL=1
Method: post
userid(text): fake-eBay-userID
pass(password): myebaypassword

Buttons pressed: Sign In Securely >;

REQ: MfcISAPICommand=SignInWelcome&siteid=0&co_partnerId=2&UsingSSL=1&ru=&pp=
&pa1=&pa2=&pa3=&i1=-1&pageType=-1&rtmData=A01%3DgAIANAVBAAAAAAAAQeuuXBB%3BM01%3DAI%3BTC01%3DwAscfTKVEBAAACQDQVAAAAAAAAAknrDyrgA%3BPS%3DT.0&userid=fake-eBay-userID&pass=myebaypassword
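
The form.txt layout above is regular enough to parse, which matters during incident response because the file is the record of which credentials were exposed and when. The following Python is an added example, not code from the original write-up: it splits a form.txt capture into per-submission records, keeps the "&" continuation lines with their URL or REQ line, and lists the probable username and password for each submission. SAMPLE_FORM_TXT is a constructed input that copies the page's layout with example.com hosts and invented values. Where a site uses parameter names that carry no hint (as in the bank login above, where the credentials travel in reqcrda/reqcrdb while USERID and PSWD are empty), the name heuristic finds nothing and the remaining parameters are listed under "other" for manual review.

```python
"""Triage a Spy-Agent.ba form.txt capture: which accounts leaked, where, and when."""
import re
from urllib.parse import parse_qsl, urlsplit

RECORD_START = re.compile(r"^-{20,}\s+(\S.*)$")      # dashed rule followed by a timestamp
HEADER_RULE = re.compile(r"^-{20,}\s*$")              # bare dashed rule around the header block
FIELD_LINE = re.compile(r"^(\w+)\((\w+)\):\s?(.*)$")  # DOM field capture, e.g. pass(password): secret
PASSWORD_KEY = re.compile(r"pass|pswd|pwd", re.I)     # heuristic only; site parameter names vary
USERNAME_KEY = re.compile(r"user|login|email", re.I)


def parse_form_txt(text):
    """Split form.txt into (header dict, list of per-submission records).
    Lines beginning with '&' continue the preceding URL:/REQ: line, as in the trojan's output."""
    header, records, current, last_key, in_header = {}, [], None, None, False
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        m = RECORD_START.match(line)
        if m:
            current = {"timestamp": m[1], "url": "", "actions": [], "fields": [], "buttons": "", "req": ""}
            records.append(current)
            last_key = None
        elif HEADER_RULE.match(line):
            in_header = not in_header
        elif in_header:
            key, _, value = line.partition(":")
            header[key.strip()] = value.strip()
        elif current is None:
            continue
        elif line.startswith("&") and last_key:
            current[last_key] += line
        elif line.startswith("URL: "):
            current["url"], last_key = line[5:], "url"
        elif line.startswith("Action: "):
            current["actions"].append({"action": line[8:], "method": ""})
            last_key = None
        elif line.startswith("Method: ") and current["actions"]:
            current["actions"][-1]["method"] = line[8:]
        elif line.startswith("Buttons pressed: "):
            current["buttons"] = line[17:]
        elif line.startswith("REQ: "):
            current["req"], last_key = line[5:], "req"
        else:
            f = FIELD_LINE.match(line)
            if f:
                current["fields"].append({"name": f[1], "type": f[2], "value": f[3]})
    return header, records


def exposed_credentials(records):
    """Per submission, the values most likely to be a username/password, so the analyst knows what to reset.
    Password-typed DOM fields are authoritative; REQ parameters are matched by name only, and every other
    non-empty parameter is kept under 'other' because sites use arbitrary names."""
    out = []
    for rec in records:
        params = parse_qsl(rec["req"])  # blank parameters such as USERID=&PSWD= are dropped
        users = {f["value"] for f in rec["fields"] if f["type"] == "text"}
        users |= {v for k, v in params if USERNAME_KEY.search(k)}
        pwds = {f["value"] for f in rec["fields"] if f["type"] == "password"}
        pwds |= {v for k, v in params if PASSWORD_KEY.search(k)}
        other = {k: v for k, v in params if not (USERNAME_KEY.search(k) or PASSWORD_KEY.search(k))}
        out.append({"timestamp": rec["timestamp"], "host": urlsplit(rec["url"]).hostname or "",
                    "usernames": sorted(users), "passwords": sorted(pwds), "other": other})
    return out


# Constructed input copying the page's layout with example.com hosts and invented values.
SAMPLE_FORM_TXT = """\
---------------------------------------------
CompID: 00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff
Ver: 3.7.77
host: VICTIM-PC
if1 : 192.168.1.137
---------------------------------------------

--------------------------------------------- Wed Mar 14 14:30:48 2007
URL: https://bank.example.com/internetBanking/LoginRouter

REQ: requestCmdId=PrivateLogon&USERID=&PSWD=&reqcrda=fake-bank-user&reqcrdb=mybankpassword&doubleclick=2

--------------------------------------------- Wed Mar 14 14:31:39 2007
URL: https://signin.example.net/ws/login.dll?SignIn&co_partnerId=2&pUserId=&siteid=0
&UsingSSL=&ru=&pp=

Action: https://signin.example.net/ws/login.dll?co_partnerid=2&siteid=0&UsingSSL=1
Method: post
userid(text): fake-user-id
pass(password): myauctionpassword

Buttons pressed: Sign In Securely >;

REQ: MfcISAPICommand=SignInWelcome&siteid=0&co_partnerId=2&UsingSSL=1&ru=&pp=
&userid=fake-user-id&pass=myauctionpassword
"""

if __name__ == "__main__":
    for entry in exposed_credentials(parse_form_txt(SAMPLE_FORM_TXT)[1]):
        print(entry)
```

The output for the bank record has empty username and password lists and four entries under "other", which is the signal to read the REQ line by hand; the second record yields the account name and password directly from the typed DOM fields. Treat every host that appears in the output as compromised from the earliest timestamp shown, regardless of whether the heuristic named the credential.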

Symptoms

Presence of the files and registry entries referenced above.

Unusual network connections may also be present on the system.

Method of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, etc.

Removal

All Users:
Use specified engine and DAT files for detection and removal.

Additional Windows ME/XP removal considerations

Variants

    N/A

Overview

Spy-Agent.ba is a trojan which attempts to steal confidential account information (banking, email, etc.)