Spy-Agent.da
- Type: Trojan
- SubType: Win32
- Discovery Date: 10/23/2008
- Length: Varies
- Minimum DAT: 5414 (10/23/2008)
- Updated DAT: 5433 (11/13/2008)
- Minimum Engine: 5.1.00
- Description Added: 10/23/2008
- Description Modified: 10/24/2008 4:41 PM (PT)
Risk Assessment
- Corporate User: Low-Profiled
- Home User: Low-Profiled
Characteristics
-- Update October 23, 2008 --
The risk-assessment for Spy-Agent.da has been raised to Low-Profiled due to its association with MS08-067.
System Changes
These are the general defaults for typical path variables (they may differ, but these examples are common):
%WinDir% = \WINDOWS (Windows 9x/ME/XP/Vista), \WINNT (Windows NT/2000)
%SystemDir% = \WINDOWS\SYSTEM (Windows 98/ME), \WINDOWS\SYSTEM32 (Windows XP/Vista), \WINNT\SYSTEM32 (Windows NT/2000)
%ProgramFiles% = \Program Files
A number of files named nx.exe (where 'x' denotes an integer) have been observed as payloads dropped through the MS08-067 vulnerability.
On execution of this file, a service with the display name "System Maintenance Service" and the service name sysmgr is created.
At the time of testing the following files have been added to the system relating to this service:
- %SystemDir%\wbem\sysmgr.dll
At the time of testing the following registry elements have been created:
- Servicedll = %SystemDir%\wbem\sysmgr.dll
- Servicemain = servicemainfunc
A download from the following address is observed as a result of this service:
- 59.106.145.58
The following file is downloaded as a result of this service:
The cab file contains the following files:
- sysmgr.dll
- install.bat
- syicon.dll
- winbase.dll
- winbaseInst.exe
The files are extracted and install.bat is executed. This batch file copies the DLL files and the EXE file from the cab to the following folder:
- %SystemDir%\wbem
winbaseInst.exe is then executed, which creates a service with the display name "Windows NT Baseline" and the service name BaseSvc.
At the time of testing the following files have been added to the system relating to this service:
- %SystemDir%\wbem\winbase.dll
At the time of testing the following registry elements have been created:
- Servicedll = %SystemDir%\wbem\winbase.dll
- Servicemain = servicemainfunc
The applications created the following network connection(s):
- 59.106.145.58
- doradora.atzend.com
- perlbody.t35.com
- summertime.1gokurimu.com
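Both services described above persist the same way: a ServiceDll under %SystemDir%\wbem and a ServiceMain of servicemainfunc. The following check, added here as an example and not part of the original advisory, matches service registrations against those indicators; the sample records are constructed, and collect_from_registry() (a helper written for this example) reads live values on a Windows host.

```python
import re

# Indicators taken from the advisory: service names, display names, and the
# ServiceDll / ServiceMain values written under each service's Parameters key.
SUSPECT_SERVICE_NAMES = {"sysmgr", "basesvc"}
SUSPECT_DISPLAY_NAMES = {"system maintenance service", "windows nt baseline"}
SUSPECT_DLLS = {"sysmgr.dll", "winbase.dll"}
SUSPECT_MAIN = "servicemainfunc"
WBEM_DIR = re.compile(r"[\\/](system32|system)[\\/]wbem[\\/]", re.IGNORECASE)

# Constructed sample records (name, DisplayName, ServiceDll, ServiceMain): the
# first two mirror the advisory, the third is a benign wbem-hosted look-alike.
SAMPLE_RECORDS = [
    ("sysmgr", "System Maintenance Service", r"C:\WINDOWS\system32\wbem\sysmgr.dll", "servicemainfunc"),
    ("BaseSvc", "Windows NT Baseline", r"C:\WINDOWS\system32\wbem\winbase.dll", "servicemainfunc"),
    ("winmgmt", "Windows Management Instrumentation", r"%SystemRoot%\system32\wbem\WMIsvc.dll", None),
]

def classify_service(name, display_name, service_dll, service_main):
    """Return the advisory indicators one service record matches (empty list if clean)."""
    hits = []
    if (name or "").lower() in SUSPECT_SERVICE_NAMES:
        hits.append("service name")
    if (display_name or "").lower() in SUSPECT_DISPLAY_NAMES:
        hits.append("display name")
    dll = service_dll or ""
    # Split on either separator so the check works on non-Windows analysis hosts too.
    if re.split(r"[\\/]", dll)[-1].lower() in SUSPECT_DLLS and WBEM_DIR.search(dll):
        hits.append("ServiceDll under wbem")
    if (service_main or "").lower() == SUSPECT_MAIN:
        hits.append("ServiceMain")
    return hits

def collect_from_registry():
    """Windows only: read DisplayName, ServiceDll and ServiceMain for every service."""
    import winreg  # standard library, importable only on Windows
    records, base = [], r"SYSTEM\CurrentControlSet\Services"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, base) as services:
        for i in range(winreg.QueryInfoKey(services)[0]):  # [0] is the subkey count
            name, display, dll, main = winreg.EnumKey(services, i), None, None, None
            try:
                with winreg.OpenKey(services, name) as svc:
                    display = winreg.QueryValueEx(svc, "DisplayName")[0]
                with winreg.OpenKey(services, name + r"\Parameters") as params:
                    dll = winreg.QueryValueEx(params, "ServiceDll")[0]
                    main = winreg.QueryValueEx(params, "ServiceMain")[0]
            except OSError:
                pass  # no Parameters key or value: not a DLL-hosted service
            records.append((name, display, dll, main))
    return records
```

On a live host, pass each tuple from collect_from_registry() to classify_service(); a non-empty result for any service is worth a closer look, while the third sample shows that a legitimate DLL under wbem alone does not match.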
Symptoms
Presence of any of the system services described above.
Method of Infection
Microsoft vulnerability MS08-067
Removal
All Users:
Use current engine and DAT files for detection and removal.
Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be removed when cleaning with the recommended engine and DAT combination (or higher).
Variants
N/A
Overview
The Spy-Agent.da detection covers payload files dropped as a result of Microsoft vulnerability MS08-067, a flaw in the Server service that allows remote code execution.