Spy-Agent.ch
- Type: Trojan
- SubType: Password Stealer
- Discovery Date: 07/02/2007
- Length: 77,018 bytes
- Minimum DAT: 5065 (07/02/2007)
- Updated DAT: 5065 (07/02/2007)
- Minimum Engine: 5.1.00
- Description Added: 07/02/2007
- Description Modified: 07/03/2007 9:46 AM (PT)
Characteristics
When Spy-Agent.ch is executed the user is presented with a dialogue box that displays the following application error message:
- 'Microsoft Word cannot start!'
It copies itself as ALMQE.EXE to the %Sysdir% folder.
It also drops a DLL component, ALMQE.DLL, into the same folder. This DLL component is injected into the memory space of Explorer.exe.
It is the DLL component which contains the code to capture information from the infected system.
The following information may be captured:
- MSN Passwords
- AIM Passwords
- RAS Passwords
- Yahoo Passwords
- Url History
A randomly named file is created in the %Sysdir% folder. This file holds the captured information in encrypted form.
The following registry key is created and references the random file:
- HKEY_CURRENT_USER\Software\Adobe\IALC
"IAM" = %SysDir%\[Random_File]
Symptoms
Presence of the following files in the %SysDir% folder:
- ALMQE.DLL
- ALMQE.EXE
Presence of the following registry key:
- HKEY_CURRENT_USER\Software\Adobe\IALC
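The indicators above (the two dropped files, the IALC key, and the "IAM" value that points at the encrypted capture file) can be checked mechanically. The following is an added example written for this page, not McAfee's tooling: it takes a directory listing of %SysDir% and a snapshot of HKCU as plain Python data so it runs offline, matches names case-insensitively as Windows does, expands the %SysDir% placeholder the advisory uses, and reports where the capture file the "IAM" value references actually resolves so an analyst knows what to collect. The file name xq7rl.dat in the sample data is constructed, not a real indicator.

```python
import ntpath
import re

# Indicators taken from the advisory's Characteristics and Symptoms sections.
DROPPED_FILES = {"almqe.exe", "almqe.dll"}
REG_KEY = r"HKEY_CURRENT_USER\Software\Adobe\IALC"
REG_VALUE = "IAM"

_PLACEHOLDER = re.compile(r"%sysdir%", re.IGNORECASE)


def expand_sysdir(path, sysdir):
    """Replace the %SysDir% placeholder used in the advisory with the real directory."""
    # A callable replacement keeps backslashes in sysdir from being interpreted.
    return _PLACEHOLDER.sub(lambda _m: sysdir, path)


def check_indicators(sysdir, sysdir_files, registry):
    r"""Return which Spy-Agent.ch indicators are present.

    sysdir       : the real system directory, e.g. r"C:\WINDOWS\system32"
    sysdir_files : names of files present in sysdir (a directory listing)
    registry     : snapshot of HKCU as {key_path: {value_name: data}}
    """
    files_found = sorted(f for f in sysdir_files if f.lower() in DROPPED_FILES)

    # Registry paths and value names are case-insensitive on Windows.
    key_values = next(
        (vals for k, vals in registry.items() if k.lower() == REG_KEY.lower()), None
    )
    key_present = key_values is not None

    capture_file = None
    capture_in_sysdir = False
    if key_present:
        data = next(
            (v for name, v in key_values.items() if name.lower() == REG_VALUE.lower()),
            None,
        )
        if data:
            capture_file = expand_sysdir(data, sysdir)
            # The advisory says the capture file lives in %SysDir%; confirm that so
            # the analyst knows where to collect the encrypted log from.
            capture_in_sysdir = ntpath.dirname(capture_file).lower() == sysdir.lower()

    return {
        "files_found": files_found,
        "registry_key_present": key_present,
        "capture_file": capture_file,
        "capture_file_in_sysdir": capture_in_sysdir,
        # Any single indicator warrants a scan with the DAT named in the advisory.
        "suspicious": bool(files_found) or key_present,
    }


# Constructed sample data (not from a real host): one infected view, one clean.
SAMPLE_SYSDIR = r"C:\WINDOWS\system32"
INFECTED_FILES = ["kernel32.dll", "ALMQE.EXE", "almqe.dll", "xq7rl.dat"]
INFECTED_REGISTRY = {
    r"HKEY_CURRENT_USER\Software\Adobe\IALC": {"IAM": r"%SysDir%\xq7rl.dat"},
}
CLEAN_FILES = ["kernel32.dll", "user32.dll"]
CLEAN_REGISTRY = {r"HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader": {}}

if __name__ == "__main__":
    for label, files, reg in (
        ("infected", INFECTED_FILES, INFECTED_REGISTRY),
        ("clean", CLEAN_FILES, CLEAN_REGISTRY),
    ):
        print(label, check_indicators(SAMPLE_SYSDIR, files, reg))
```

On a live host the two inputs would come from a listing of the system directory and an export of HKCU; the check itself needs no Windows API, so it can also be run against collected artifacts during triage.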
Method of Infection
Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, etc.
Removal
All Users:
Use specified engine and DAT files for detection and removal.
Variants
N/A
Overview
Spy-Agent.ch is a trojan that attempts to steal confidential information from the victim's machine.