Spy-Agent.bg

Type
Trojan
SubType
Win32
Discovery Date
08/14/2006
Length
Varies
Minimum DAT
4829 (08/14/2006)
Updated DAT
5455 (12/05/2008)
Minimum Engine
5.1.00
Description Added
08/14/2006
Description Modified
09/16/2008 3:42 PM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Characteristics

--- update on September 16, 2008 ----

The risk assessment of this threat has been updated to Low-Profiled due to media attention at:

http://www.freelanceuk.com/news/2843.shtml

Upon execution, the trojan variant drops the following files:

  • %WinDir%\system32\cabpck.dll (hidden file, identified as Generic Rootkit.d trojan)
  • %WinDir%\system32\krnlcab.sys (hidden file, identified as Generic Rootkit.d trojan)
  • %WinDir%\system32\k86.bin

(where %WinDir% is the default Windows directory, for example C:\WINNT, C:\WINDOWS etc.)

It adds the following registry keys:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cabpck\Asynchronous: 0x00000001
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cabpck\DllName: "%WinDir%\System32\cabpck.dll"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cabpck\Impersonate: 0x00000001
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cabpck\Startup: "cabpck"

Whenever the compromised system restarts, the DLL is injected into all running processes.

It uses rootkit techniques and hooks the following SSDT functions:

  • ZwCreateProcess
  • ZwCreateProcessEx
  • ZwOpenProcess
  • ZwOpenKey
  • ZwQueryDirectoryFile

It attempts to connect to the following server:

  • social-bos.biz

to download further malware or accept other remote commands.

The trojan variant may steal passwords or other credentials from the compromised machine.

-----------------------------------------

Update: 05/13/2008

A new variant of the Spy-Agent.bg trojan uses the file name iexplorer.exe.

Upon execution, it deletes itself from its run location and injects threads into various processes, including explorer.exe.

It attempts to post user information found locally on the machine and the user's browsing information to:

  • 58.65.236.1
  • pull2.assisback.com

It opens a backdoor on random ports and attempts to receive commands.


-----------------------------------------


Upon execution, the trojan copies itself to the following path:

  • %WINDIR%\scvc.exe

The following registry keys are added:

  • hkey_current_user\software\microsoft\windows\currentversion\run\ttool = "%WINDIR%\scvc.exe"
  • hkey_current_user\software\microsoft\inetdata\k1 = (random digits)
  • hkey_current_user\software\microsoft\inetdata\k2 = (random digits)

The trojan connects to the following URLs:

  • 81.[removed].147.107/cgi-bin/options.cgi
  • 81.[removed].147.107/cgi-bin/forms.cgi
  • 81.[removed].147.107/cgi-bin/cert.cgi

The trojan attempts to send the following information:

  • certificates in the local "MY" certificate store
  • username and OS version

Symptoms

  • Existence of mentioned files/registry keys
  • HTTP connections to the mentioned remote hosts
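As an added example (not part of the McAfee description), a read-only PowerShell triage script that checks a host for the file and registry indicators listed on this page; the allow-list of default Winlogon Notify packages is an assumption for Windows XP / Server 2003 and should be adjusted for the build being examined.

```powershell
# Added example, not McAfee's code: read-only check for the Spy-Agent.bg
# indicators described above. Run from an elevated PowerShell prompt.
$winDir     = $env:WINDIR
$notifyRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'

# Assumed allow-list of default Winlogon Notify packages on XP / Server 2003.
# Any subkey not in this list is worth a closer look, not automatically malicious.
$knownNotify = 'crypt32chain','cryptnet','cscdll','ScCertProp','Schedule',
               'sclgntfy','SensLogn','termsrv','wlballoon'

$findings = @()

# 1. Winlogon Notify persistence: report non-default packages and cabpck specifically
if (Test-Path $notifyRoot) {
    foreach ($sub in Get-ChildItem $notifyRoot) {
        $name = $sub.PSChildName
        $dll  = (Get-ItemProperty $sub.PSPath -ErrorAction SilentlyContinue).DllName
        if ($knownNotify -notcontains $name) {
            $findings += "Non-default Winlogon Notify package '$name' -> DllName='$dll'"
        }
        if ($name -ieq 'cabpck') { $findings += 'Spy-Agent.bg indicator: Notify\cabpck present' }
    }
}

# 2. Dropped files: -Force is required because the rootkit component marks them hidden
foreach ($f in 'cabpck.dll','krnlcab.sys','k86.bin') {
    $p    = Join-Path $winDir "system32\$f"
    $item = Get-Item -Force -LiteralPath $p -ErrorAction SilentlyContinue
    if ($item) {
        $hidden = ($item.Attributes -band [IO.FileAttributes]::Hidden) -ne 0
        $findings += "File present: $p (hidden=$hidden)"
    }
}

# 3. Later variant: HKCU Run value 'ttool', the inetdata key and %WINDIR%\scvc.exe
$run = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['ttool']) { $findings += "Run value ttool='$($run.ttool)'" }
if (Test-Path 'HKCU:\Software\Microsoft\inetdata') { $findings += 'HKCU\Software\Microsoft\inetdata present' }
if (Test-Path (Join-Path $winDir 'scvc.exe'))      { $findings += "File present: $winDir\scvc.exe" }

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Host 'No Spy-Agent.bg indicators visible from user mode.' }
```

Because the rootkit component hooks ZwOpenKey and ZwQueryDirectoryFile, an active infection can hide exactly these keys and files from user-mode queries, so a clean result does not clear the host. An offline or boot-time scan with the recommended engine and DAT files remains the authoritative check.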

Method of Infection

Trojans do not self-replicate. They spread manually, often under the premise that the executable is something beneficial. Trojans may also be received as a result of poor security practices, or unpatched machines and vulnerable systems. Distribution channels include IRC, peer-to-peer networks, email, newsgroup postings, etc.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

    N/A

All Information

Overview

The trojan is designed to capture information from the victim machine and send it to a remote site.

Aliases

  • Infostealer (Symantec)
  • Trj/Spyforms.A (Panda)
  • TSPY_SMALL.CLT (TrendMicro)
