
Spy-Agent.ba.dldr

Type: Trojan
SubType: Downloader
Discovery Date: 04/23/2007
Length: varies
Minimum DAT: 5015 (04/23/2007)
Updated DAT: 5377 (09/04/2008)
Minimum Engine: 5.1.00
Description Added: 04/23/2007
Description Modified: 05/03/2007 2:35 PM (PT)
Risk Assessment:
  Corporate User: Low
  Home User: Low


Characteristics

---- Update 5/2/2007 ----

A new variant of Spy-Agent.ba.dldr was spread over the past few days via a spammed email containing a link to JS/Downloader.AUD, which then downloaded and executed this new variant. The properties of this new Spy-Agent.ba.dldr are as follows.

Filename:

  • update.exe (11,212 bytes, name may vary)

Download target:

  • ht tp://hgm.or.kr/[removed]/submenu_11.exe (detected as Spy-Agent.ba)

----

The Spy-Agent.ba.dldr trojan is spammed out as an attachment within emails (an example is shown below). Infection requires the user to execute the attachment.

Once executed, the file does not install any persistence mechanism (i.e. it does not set itself to run again at startup); it simply downloads a copy of the Spy-Agent.ba trojan from a remote site and executes it.

In this case the remote site is as follows:

  • ht tp://souljah.com/[removed]/ie.exe

The email pretends to be an order confirmation for a full-featured version of Avira's anti-virus product and provides a "key" (the attachment) that supposedly performs the upgrade. The key is in fact the Spy-Agent.ba.dldr trojan, using the following filename:

  • HBEDV.KEY.EXE


Spammed mail example:

  Von/From: "cleverbridge/Avira GmbH"

  Betreff/Subject: Referenznr.:595169: Ihre Bestellung von Avira GmbH Produkten

  Body:
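As an added defender's example (not part of the original description), the following Python triage rule flags mail matching the shape of this lure: an executable attachment hiding behind a licence-key style double extension such as HBEDV.KEY.EXE, paired with an order or licence themed subject. The Message class, extension lists and sample messages are constructed here for illustration; only the attachment name and mail headers come from the description above.

```python
import re
from dataclasses import dataclass
from typing import List

# Extensions Windows will execute directly when double-clicked.
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "js", "vbs"}
# Extensions a sender might place before the real one to make an
# executable look like a harmless data or licence file ("HBEDV.KEY.EXE").
DECOY_EXTS = {"key", "lic", "pdf", "doc", "txt", "jpg", "zip"}
# Subject words that sell the attachment as an order or licence artefact.
LURE_SUBJECT = re.compile(r"\b(order|bestellung|licen[cs]e|lizenz|key)\b", re.I)


@dataclass
class Message:  # constructed minimal mail representation
    sender: str
    subject: str
    attachments: List[str]


def is_masquerading_executable(filename: str) -> bool:
    """True when the name ends in an executable extension that is preceded
    by a decoy extension, e.g. 'HBEDV.KEY.EXE' -> ['hbedv', 'key', 'exe']."""
    parts = filename.lower().split(".")
    return len(parts) >= 3 and parts[-1] in EXECUTABLE_EXTS and parts[-2] in DECOY_EXTS


def triage(msg: Message) -> List[str]:
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings = []
    for name in msg.attachments:
        if is_masquerading_executable(name):
            findings.append(f"attachment {name!r}: executable disguised with a decoy extension")
        elif name.lower().rsplit(".", 1)[-1] in EXECUTABLE_EXTS:
            findings.append(f"attachment {name!r}: bare executable attachment")
    # Only raise the social-engineering finding when an executable is actually present.
    if findings and LURE_SUBJECT.search(msg.subject):
        findings.append("subject refers to an order or licence key while an executable is attached")
    return findings


# Sample messages: the first reuses the headers and attachment name quoted above,
# the second is a constructed benign order confirmation with a PDF invoice.
SAMPLE_LURE = Message("cleverbridge/Avira GmbH",
                      "Referenznr.:595169: Ihre Bestellung von Avira GmbH Produkten",
                      ["HBEDV.KEY.EXE"])
SAMPLE_BENIGN = Message("shop@example.test", "Your order 12345", ["invoice.pdf"])

if __name__ == "__main__":
    for m in (SAMPLE_LURE, SAMPLE_BENIGN):
        print(m.subject, "->", triage(m) or "clean")
```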

Symptoms

Presence of unexpected files on an infected system.

In the case of Spy-Agent.ba.dldr this would include the presence of the following file:

 

Method of Infection

N/A. Downloaders are not viruses, and as such do not themselves contain any method to replicate. However, they may themselves be downloaded by other viruses and/or Trojans to be installed on the user's system.

Many of these additionally are mass spammed by the author to entice people into double-clicking on them.

Alternatively, they may be installed by visiting a malicious web page (either by clicking on a link, or by the website hosting a scripted exploit which installs the Downloader onto the user's system with no user interaction).

Removal

Detection is included in our BETA DAT files and will also be included in the next scheduled DAT release. In addition to the DAT version requirements for detection, the specified engine version (or greater) must also be used.


Variants

N/A

Overview

Spy-Agent.ba.dldr is a trojan that downloads copies of the Spy-Agent.ba trojan.
