Spy-Agent.bf

Type: Trojan
SubType: Win32
Discovery Date: 08/10/2006
Length:
Minimum DAT: 4826 (08/10/2006)
Updated DAT: 6546 (11/30/2011)
Minimum Engine: 5.1.00
Description Added: 08/10/2006
Description Modified: 09/13/2006 6:04 PM (PT)
Risk Assessment: Corporate User: Low; Home User: Low

Overview

Spy-Agent.bf (the ~60KB dropper) creates a user account with administrative privileges (random name and random password). The new user account can be viewed using the Computer Management console. It also removes debug privileges from the existing admin account, which is why many rootkit analysis tools won't run. It then downloads DLL files and registers them as BHOs; we detect these DLLs as Qdial-45.dldr. It also tries to hide these files in ADS, and if that fails it simply copies the downloaded DLL to %sysdir%. The main purpose of this trojan is to download adware such as LinkOptimizer and to help dial high-cost numbers using a trojan dialer. This has also been blogged here.

Aliases

  • Trojan.LinkOptimizer - Symantec

Characteristics

Files Added

  • %WINDIR%\temp\[random].exe - Detected as Qdial-45
  • c:\program files\common files\system\[random].exe - EFS encrypted file.

Registry

A service registry key with a random name is created:

  • hkey_local_machine\system\currentcontrolset\services\[random]

The following values are also added under it. Note that the description and object name vary with each variant.

  • imagepath="C:\Program Files\Common Files\System\[random].exe"
  • description="Maintains links between NTFS files within a computer or across computers in a network domain."
  • hkey_local_machine\system\currentcontrolset\services\sysyny\objectname=".\tLLgOOA"

The trojan creates a user account (random name and password) with administrative privileges.

The service runs the encrypted binary as the newly created user, with its random password and possibly some parameters. The service remains stopped until the trojan starts it at regular intervals; it cannot be started manually. The encrypted file is a downloader that may download newer packed variants of the trojan to the system.

The trojan contacts the following sites to download updated copies of itself and updates of Qdial-45:

  • shiptrop.com/pic.gif[blocked]
  • 195.225.176.85/pic.gif[blocked]
  • 195.225.177.22/pic.gif[blocked]

It also sets various security policies so that the random user account cannot be used to log on locally and can only run as a service. In the following image the random account name "HcX" is added to various security settings.
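The following PowerShell audit is an added example; it is not part of this description or of the vendor's tooling. It checks a host for the persistence pattern described above: a service whose ImagePath is under Common Files\System, whose Description copies the text of the legitimate Distributed Link Tracking Client (TrkWks) service, and whose ObjectName is a local ".\" account; and, separately, any member of the local Administrators group that is also listed under "Deny log on locally", which is the "admin account usable only as a service" pattern. The function names, the temporary INF file name and the output columns are my own; Get-LocalGroupMember assumes Windows PowerShell 5.1 or later, and the script must run from an elevated prompt because secedit exports the local security policy.

```powershell
# Added audit example (not from the original description). Run elevated.

function Get-ServiceImageFile {
    param([string]$ImagePath)
    # Expand %SystemRoot%-style variables and keep only the executable, dropping quotes and arguments.
    $raw = [Environment]::ExpandEnvironmentVariables($ImagePath)
    $m = [regex]::Match($raw, '(?i)^"?([^"]+?\.exe)')
    if ($m.Success) { return $m.Groups[1].Value }
    return $raw.Trim('"')
}

function Find-SuspiciousServiceAccounts {
    $servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    $suspectDir  = Join-Path $env:CommonProgramFiles 'System'   # C:\Program Files\Common Files\System
    # Exact text of the legitimate TrkWks description that the sample copied.
    $trkwksText  = 'Maintains links between NTFS files within a computer or across computers in a network domain.'
    # ObjectName of the form ".\name" or "COMPUTERNAME\name" (a local account, not a built-in service identity).
    $localAcct   = '^(\.|' + [regex]::Escape($env:COMPUTERNAME) + ')\\'

    foreach ($svc in Get-ChildItem -Path $servicesKey -ErrorAction SilentlyContinue) {
        $p = Get-ItemProperty -Path $svc.PSPath -ErrorAction SilentlyContinue
        if (-not $p -or -not $p.ImagePath) { continue }

        $image   = Get-ServiceImageFile $p.ImagePath
        $reasons = @()
        if ($image -like "$suspectDir\*") { $reasons += 'ImagePath under Common Files\System' }
        if ($p.Description -eq $trkwksText -and $svc.PSChildName -ne 'TrkWks') { $reasons += 'Description copied from TrkWks' }
        if ($p.ObjectName -match $localAcct) { $reasons += "runs as local account $($p.ObjectName)" }
        if ($reasons.Count -eq 0) { continue }

        # The dropped binary is described as EFS-encrypted; the file attribute is cheap to check.
        $encrypted = $false
        if (Test-Path -LiteralPath $image) {
            $encrypted = ((Get-Item -LiteralPath $image).Attributes -band [IO.FileAttributes]::Encrypted) -ne 0
        }
        [pscustomobject]@{
            Service      = $svc.PSChildName
            ImagePath    = $image
            RunsAs       = $p.ObjectName
            EfsEncrypted = $encrypted
            Reasons      = ($reasons -join '; ')
        }
    }
}

function Find-HiddenLocalAdmins {
    # Export the local policy as INF and read the "Deny log on locally" right.
    $inf = Join-Path $env:TEMP 'secpol-audit.inf'   # temporary file name chosen for this example
    & secedit.exe /export /cfg $inf /quiet | Out-Null
    $denyLine = Select-String -Path $inf -Pattern '^SeDenyInteractiveLogonRight' | Select-Object -First 1
    $denied = @()
    if ($denyLine) {
        # The value is a comma-separated list of account names and/or *SIDs; resolve SIDs to names.
        $denied = ($denyLine.Line -split '=', 2)[1].Trim() -split ',' | ForEach-Object {
            $entry = $_.Trim()
            if ($entry.StartsWith('*')) {
                try { (New-Object Security.Principal.SecurityIdentifier($entry.Substring(1))).Translate([Security.Principal.NTAccount]).Value }
                catch { $entry }
            } else { $entry }
        }
    }
    Remove-Item -LiteralPath $inf -ErrorAction SilentlyContinue

    foreach ($m in Get-LocalGroupMember -Name 'Administrators' -ErrorAction SilentlyContinue) {
        $short = ($m.Name -split '\\')[-1]
        [pscustomobject]@{
            Account          = $m.Name
            Source           = $m.PrincipalSource
            DeniedLocalLogon = [bool]($denied | Where-Object { ($_ -split '\\')[-1] -eq $short })
        }
    }
}

Find-SuspiciousServiceAccounts | Format-Table -AutoSize
Find-HiddenLocalAdmins | Where-Object DeniedLocalLogon | Format-Table -AutoSize
```

Each service is reported with every reason that matched, so a single hit on the TrkWks text alone (a renamed service that nonetheless lives in System32) still shows up for review rather than being filtered out; the administrators list is filtered to accounts that are both admins and denied interactive logon, which a normal workstation should not have.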


Symptoms

Unusual modem activity, presence of the aforementioned files and registry keys, and presence of a random user with administrative privileges as shown by "secpol.msc" in the attached image.

Method of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, etc.

Removal

All Users:

Please use the following instructions for all supported versions of Windows to remove threats and other potential risks:

1. Disable System Restore.

2. Update to the current engine and DAT files for detection and removal.

3. Run a complete system scan.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup will be removed successfully when cleaning with the recommended engine and DAT combination (or higher).

To restore a clean MBR, go to the Microsoft Recovery Console.

On Windows XP:

1. Insert the Windows XP CD into the CD-ROM drive and restart the computer.
2. When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
3. Select the Windows installation that is compromised and provide the administrator password.
4. Issue the 'fixmbr' command to restore the Master Boot Record.
5. Follow the on-screen instructions.
6. Restart and remove the CD from the CD-ROM drive.

On Windows Vista and 7:

1. Insert the Windows CD into the CD-ROM drive and restart the computer.
2. Click on "Repair Your Computer".
3. When the System Recovery Options dialog comes up, choose the Command Prompt.
4. Issue the 'bootrec /fixmbr' command to restore the Master Boot Record.
5. Follow the on-screen instructions.
6. Restart and remove the CD from the CD-ROM drive.

Variants

  N/A