Spy-Agent.bf

Type: Trojan
SubType: Win32
Discovery Date: 08/10/2006
Length:
Minimum DAT: 4826 (08/10/2006)
Updated DAT: 5489 (01/08/2009)
Minimum Engine: 5.1.00
Description Added: 08/10/2006
Description Modified: 09/13/2006 6:04 PM (PT)

Risk Assessment
Corporate User: Low
Home User: Low

Characteristics

Files Added

  • %WINDIR%\temp\[random].exe - Detected as Qdial-45
  • c:\program files\common files\system\[random].exe - EFS encrypted file.

Registry

A service registry key with a random name is created:

  • hkey_local_machine\system\currentcontrolset\services\[random]
    The following random values are also added. Note that the description and object name also vary with each variant.
    • imagepath="C:\Program Files\Common Files\System\[random].exe"
    • description="Maintains links between NTFS files within a computer or across computers in a network domain."
    • hkey_local_machine\system\currentcontrolset\services\sysyny\objectname=".\tLLgOOA"

The trojan creates a user account (random name and password) with administrative privileges.

The service runs the encrypted binary as the newly created user, with the random password and possibly some parameters. The service remains stopped until it is started by the trojan at regular intervals; it cannot be started manually. The encrypted file is a downloader that may download newer packed variants of the trojan to the system.

The trojan contacts the following sites to download updated copies of itself and updates of Qdial-45:

  • shiptrop.com/pic.gif[blocked]
  • 195.225.176.85/pic.gif[blocked]
  • 195.225.177.22/pic.gif[blocked]

It also sets various security policies so that the random user account cannot be accessed locally and can only be run as a service. In the following image the random account name "HcX" is added to various security settings.
Symptoms

Unusual modem activity, presence of the aforementioned files and registry keys, and presence of a random user with administrative privileges as shown by "secpol.msc" in the attached image.
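The following triage script is an added example written for this description; it is not McAfee's code and not part of the original page. It checks a host for the indicators listed under Characteristics and Symptoms: the service key with an ImagePath under Common Files\System or the fake NTFS-link description, a service ObjectName that is a local ".\" account, EFS-encrypted executables in the two drop directories, non-built-in local administrators, and an account that is denied interactive logon but allowed to log on as a service. The drop paths, description text and ObjectName form come from the page; the heuristic thresholds and the use of the PowerShell 5.1+ LocalAccounts cmdlets and secedit are assumptions.

```powershell
# Added triage script; not part of the original McAfee description.
# Checks a Windows host for the indicators described above. The drop paths,
# the fake service description and the ".\account" ObjectName form come from
# the page; the heuristics and the PowerShell 5.1+ cmdlets are assumptions.
# Run from an elevated prompt so that secedit can export the local policy.
$hits = [System.Collections.Generic.List[object]]::new()
function Add-Hit($kind, $name, $detail) {
    $hits.Add([pscustomobject]@{ Kind = $kind; Name = $name; Detail = $detail })
}

# 1. Service entries: ImagePath under Common Files\System, the NTFS-link
#    description text, or an ObjectName that is a local ".\" user account.
foreach ($svc in Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -EA SilentlyContinue) {
    $p = Get-ItemProperty $svc.PSPath -EA SilentlyContinue
    if (-not $p) { continue }
    if ([string]$p.ImagePath -match '(?i)\\Common Files\\System\\[^\\]+\.exe' -or
        [string]$p.Description -like 'Maintains links between NTFS files*') {
        Add-Hit 'Service' $svc.PSChildName "ImagePath=$($p.ImagePath)"
    }
    if ([string]$p.ObjectName -match '^\.\\') {   # local account; review manually
        Add-Hit 'ServiceAccount' $svc.PSChildName "ObjectName=$($p.ObjectName)"
    }
}

# 2. EFS-encrypted executables in the two drop locations named on the page.
foreach ($dir in "$env:CommonProgramFiles\System", "$env:WINDIR\temp") {
    Get-ChildItem $dir -Filter *.exe -File -EA SilentlyContinue | ForEach-Object {
        if ($_.Attributes -band [IO.FileAttributes]::Encrypted) { Add-Hit 'EfsExe' $_.FullName 'EFS encrypted' }
    }
}

# 3. Local user accounts in Administrators other than the built-in one (RID 500).
Get-LocalGroupMember -Group 'Administrators' -EA SilentlyContinue |
    Where-Object { $_.ObjectClass -eq 'User' -and $_.PrincipalSource -eq 'Local' -and $_.SID.Value -notlike '*-500' } |
    ForEach-Object { Add-Hit 'LocalAdmin' $_.Name "SID=$($_.SID.Value)" }

# 4. Accounts denied interactive logon yet granted "Log on as a service":
#    the policy combination the page describes for the random account.
$cfg = Join-Path $env:TEMP 'secpol-export.inf'
secedit /export /cfg $cfg /quiet | Out-Null
if (Test-Path $cfg) {
    $rights = @{}
    Get-Content $cfg | ForEach-Object { if ($_ -match '^(Se\w+)\s*=\s*(.*)$') { $rights[$matches[1]] = $matches[2] -split ',' } }
    foreach ($acct in @($rights['SeDenyInteractiveLogonRight'])) {
        if ($acct -and $rights['SeServiceLogonRight'] -contains $acct) { Add-Hit 'LogonPolicy' $acct 'denied interactive logon, allowed as service' }
    }
    Remove-Item $cfg -EA SilentlyContinue
}

$hits | Format-Table -AutoSize
```

Any hit is a lead for manual review rather than a verdict: legitimate software occasionally registers services under a local account, so correlate a flagged account with the service, the EFS-encrypted binary and the logon-policy entries before acting.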

Method of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, etc.

Removal

AVERT recommends always using the latest DATs and engine. This threat will be cleaned with that combination.

Additional Windows ME/XP removal considerations

Variants

N/A

Overview

Spy-Agent.bf (the ~60KB dropper) creates a user account with administrative privileges (random name and random password). The new user account can be viewed using the Computer Management console. It also removes debug privileges from the existing admin account; many rootkit analysis tools will not run because of that. It then downloads DLL files and registers them as Browser Helper Objects (BHOs). We detect these DLLs as Qdial-45.dldr. It also tries to hide these files in alternate data streams (ADS); if for some reason that fails, it simply copies the downloaded DLL to %sysdir%. The main purpose of this trojan is to download adware such as LinkOptimizer and to help dial high-cost numbers using the trojan Dialer. This has also been blogged here.

Aliases

  • Trojan.LinkOptimizer - Symantec
