Spy-Agent.bv.dldr

Type: Trojan
SubType: Downloader
Discovery Date: 03/27/2007
Length: 24,064 bytes
Minimum DAT: 4994 (03/28/2007)
Updated DAT: 5538 (02/27/2009)
Minimum Engine: 5.1.00
Description Added: 03/27/2007
Description Modified: 08/02/2007 10:29 PM (PT)
Risk Assessment:
  Corporate User: Low-Profiled
  Home User: Low-Profiled

Characteristics

-- Update August 03, 2007 --

A new variant of this trojan was recently mass-spammed, masquerading as nude images of celebrity movie stars. A sample of the spammed email is as follows:

The spammed variant is detected with DAT 5089 onwards (the 4994 minimum DAT above covers the original sample only).

-- Update March 27, 2007 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://www.infozine.com/news/stories/op/storiesView/sid/21848/
--

The "Spy-Agent.bv.dldr" trojan is designed to download Spy-Agent.bv files from a remote site.

Upon execution, the trojan drops the following files:

  • %Windir%\System32\drivers\ip6fw.sys (Spy-Agent.bv.dldr)
  • %Windir%\System32\drivers\runtime.sys (Spy-Agent.bv.dldr)
  • %Windir%\System32\5_exception.nls (Spy-Agent.bv.dldr)

(Where %Windir% is the Windows folder, e.g. C:\Windows)

It adds the following registry keys, which register runtime.sys as a kernel-mode driver service named "Runtime" (both keys describe the same service: CurrentControlSet is a link to the control set the system booted from, normally ControlSet001):

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Runtime
    "ImagePath" = \??\%Windir%\System32\drivers\runtime.sys
    "ErrorControl" = 1
    "Start" = 3
    "Type" = 1
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Runtime
    "ImagePath" = \??\%Windir%\System32\drivers\runtime.sys
    "ErrorControl" = 1
    "Start" = 3
    "Type" = 1

(Type 1 is SERVICE_KERNEL_DRIVER; Start 3 is SERVICE_DEMAND_START, so the driver is loaded on request rather than at boot; ErrorControl 1 is SERVICE_ERROR_NORMAL. The \??\ prefix is the NT object-manager form of a Win32 path.)

The trojan injects code into the Internet Explorer process (IExplore.exe) so that its network activity appears to originate from the browser. The injected code attempts to download files from the following remote site:

  • 66.246.252.[removed]

Symptoms

Existence of the files and registry keys listed above. Note that ip6fw.sys is also the file name of the legitimate Windows XP IPv6 firewall driver, so the presence of that name alone is not conclusive; a copy that lacks a valid Microsoft signature, or that is detected by the DAT, is the indicator. Outbound connections from IExplore.exe to the remote site above are the live symptom of an active download attempt.
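As an added example (not McAfee's code and not part of the original entry), the following PowerShell script checks a live host for the indicators listed above: the three dropped files, the "Runtime" driver service in every control set, and Internet Explorer connections into the 66.246.252.0/24 range (the page redacts the last octet). It assumes an elevated prompt and a current PowerShell (Get-FileHash needs 4.0 or later); the service-value decoding uses the standard SCM constants, and the function names are this example's own.

```powershell
# Added example (not McAfee's code): hunts a live Windows host for the
# Spy-Agent.bv.dldr indicators named in this entry. Run from an elevated prompt.
# Get-FileHash requires PowerShell 4+; everything else works on older versions.

# Dropped files named on this page. %Windir% maps to $env:windir.
$droppedFiles = @(
    "$env:windir\System32\drivers\ip6fw.sys",
    "$env:windir\System32\drivers\runtime.sys",
    "$env:windir\System32\5_exception.nls"
)

# Standard Service Control Manager value meanings (winnt.h constants).
$serviceTypes  = @{ 1 = 'SERVICE_KERNEL_DRIVER'; 2 = 'SERVICE_FILE_SYSTEM_DRIVER'
                    16 = 'SERVICE_WIN32_OWN_PROCESS'; 32 = 'SERVICE_WIN32_SHARE_PROCESS' }
$serviceStarts = @{ 0 = 'SERVICE_BOOT_START'; 1 = 'SERVICE_SYSTEM_START'; 2 = 'SERVICE_AUTO_START'
                    3 = 'SERVICE_DEMAND_START'; 4 = 'SERVICE_DISABLED' }

function Get-DroppedFileReport {
    foreach ($path in $droppedFiles) {
        if (-not (Test-Path -LiteralPath $path)) {
            [pscustomobject]@{ Path = $path; Present = $false; Size = $null; Signature = $null; SHA256 = $null }
            continue
        }
        $item = Get-Item -LiteralPath $path -Force
        $sig  = Get-AuthenticodeSignature -FilePath $path
        # ip6fw.sys is also the legitimate Windows XP IPv6 firewall driver, so a
        # copy carrying a valid Microsoft signature is not an indicator by itself.
        # An unsigned copy, or one matching the 24,064-byte length given above,
        # is the one to submit for analysis.
        $signer = if ($sig.Status -eq 'Valid') { $sig.SignerCertificate.Subject } else { "NOT VALID ($($sig.Status))" }
        [pscustomobject]@{
            Path      = $path
            Present   = $true
            Size      = $item.Length
            Signature = $signer
            SHA256    = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        }
    }
}

function Get-RuntimeServiceReport {
    # CurrentControlSet is a symbolic link to one ControlSet00N key, so walk every
    # numbered control set instead of trusting the link alone; the entry above
    # shows the key in both CurrentControlSet and ControlSet001.
    $controlSets = Get-ChildItem -Path 'HKLM:\SYSTEM' | Where-Object { $_.PSChildName -match '^ControlSet\d{3}$' }
    foreach ($cs in $controlSets) {
        $key = "HKLM:\SYSTEM\$($cs.PSChildName)\Services\Runtime"
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $svc = Get-ItemProperty -LiteralPath $key
        # ImagePath is stored in NT form (\??\C:\...); strip the prefix to get a Win32 path.
        $image = [string]$svc.ImagePath -replace '^\\\?\?\\', ''
        [pscustomobject]@{
            Key          = $key
            ImagePath    = $svc.ImagePath
            ImageOnDisk  = Test-Path -LiteralPath $image
            Type         = "$($svc.Type) ($($serviceTypes[[int]$svc.Type]))"
            Start        = "$($svc.Start) ($($serviceStarts[[int]$svc.Start]))"
            ErrorControl = $svc.ErrorControl
        }
    }
}

function Get-SuspectConnections {
    # The downloader runs inside IExplore.exe, so an IE process holding a
    # connection into 66.246.252.0/24 is the live symptom. netstat -ano is used
    # rather than Get-NetTCPConnection so this also works on XP-era hosts.
    netstat -ano | Select-String '66\.246\.252\.' | ForEach-Object {
        $fields = ($_.Line -split '\s+') | Where-Object { $_ }
        # Columns: Proto Local Foreign State PID (UDP rows have no State column).
        $owningPid = [int]$fields[-1]
        $proc = Get-Process -Id $owningPid -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Pid     = $owningPid
            Process = $proc.ProcessName
            Remote  = $fields[2]
            State   = if ($fields.Count -ge 5) { $fields[3] } else { '' }
        }
    }
}

Get-DroppedFileReport    | Format-Table -AutoSize
Get-RuntimeServiceReport | Format-List
Get-SuspectConnections   | Format-Table -AutoSize
```

A hit on all three checks (an unsigned runtime.sys registered as a kernel driver plus an IE process talking to the 66.246.252.x range) confirms an active infection; a signed ip6fw.sys on its own does not. The page's removal guidance still applies: clean with the current engine and DAT rather than deleting the driver by hand, so that the service key is removed together with the files.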

Method of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, etc.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

    N/A

Aliases

  • Pushu.A!tr (Fortinet)
  • Troj/Pushu-A (Sophos)
  • Trojan-Dropper.Win32.Small.avu (Kaspersky)
  • Trojan.Pandex (Symantec)