Spy-Agent.bv
- Type: Trojan
- SubType:
- Discovery Date: 02/26/2007
- Length: Varies
- Minimum DAT: 4971 (02/26/2007)
- Updated DAT: 5394 (09/29/2008)
- Minimum Engine: 5.1.00
- Description Added: 02/26/2007
- Description Modified: 03/27/2007 11:54 PM (PT)
Characteristics
There are several variants of this trojan. File names, registry keys, URLs and other characteristics differ between variants, so this is a general description.
Newer variants require the latest DAT for detection and cleaning.
Upon execution, it gathers email addresses from files on the victim machine that match the following patterns.
*.txt
*.adb
*.asp
*.dbx
*.eml
*.fpt
*.htm
*.inb
*.mbx
*.php
*.pmr
*.sht
*.tbb
*.wab
It then stores the information in the following file.
- C:\as.txt
The trojan sends the information to the following remote site.
- 216.195.58.[removed]
It also accesses the following URL.
- http://208.66.195.[removed]:3154/post.cgi
Symptoms
Existence of the files and registry keys mentioned above.
Method of Infection
Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, etc.
Removal
AVERT recommends always using the latest DATs and engine. This combination will clean this threat.
Variants
N/A
Overview
The trojan is designed to gather email addresses from the victim machine and send the information to a remote site.
Aliases
- Trojan.Pandex (Symantec)
- Trojan.Win32.Agent.ady (Kaspersky)