Content
Spy-Agent.da.dll
- Type
- Trojan
- SubType
- Win32
- Discovery Date
- 10/23/2008
- Length
- Varies
- Minimum DAT
- 5414 (10/23/2008)
- Updated DAT
- 5415 (10/24/2008)
- Minimum Engine
- 5.2.00
- Description Added
- 10/23/2008
- Description Modified
- 10/24/2008 11:26 AM (PT)
Tab Navigation
Characteristics
This detection covers the DLL component of Spy-Agent.da. For general characteristics of Spy-Agent.da, please refer to:
In the DLL components of Spy-Agent.ba, basesvc.dll contains exploit code targeting a 0-day vulnerability in Microsoft Server Service (MS08-067).
Registered as a service, it floods the local network with ARP requests to seek out machines that are running. It then makes RPC connections to operating machines and transmit malicious crafted RPC packets to infect vulnerable Windows hosts. When succesful, it executes an encrypted shellcode to download Spy-Agent.da onto the targeted machines from a hardcoded site address:
- hxxp://59.106.{blocked}.{blocked}/n{blocked}.exe
Symptoms
- Unexpected network connections to the mentioned site(s).
- Unexpected RPC connections in the local network.
Method of Infection
Spy-Agent.da propagates via exploiting a 0-day vulnerability in Microsoft Server Service (MS08-067).
Removal
All Users:
Use current engine and DAT files for detection and removal.
Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).
Variants
Variants
N/A
All Information
Overview -
This detection covers the DLL component of Spy-Agent.da. For general characteristics of Spy-Agent.da, please refer to:
http://vil.nai.com/vil/content/v_152898.htm
Characteristics
Characteristics -
This detection covers the DLL component of Spy-Agent.da. For general characteristics of Spy-Agent.da, please refer to:
In the DLL components of Spy-Agent.ba, basesvc.dll contains exploit code targeting a 0-day vulnerability in Microsoft Server Service (MS08-067).
Registered as a service, it floods the local network with ARP requests to seek out machines that are running. It then makes RPC connections to operating machines and transmit malicious crafted RPC packets to infect vulnerable Windows hosts. When succesful, it executes an encrypted shellcode to download Spy-Agent.da onto the targeted machines from a hardcoded site address:
- hxxp://59.106.{blocked}.{blocked}/n{blocked}.exe
Symptoms
Symptoms -
- Unexpected network connections to the mentioned site(s).
- Unexpected RPC connections in the local network.
Method of Infection
Method of Infection -
Spy-Agent.da propagates via exploiting a 0-day vulnerability in Microsoft Server Service (MS08-067).
Removal -
Removal -
All Users:
Use current engine and DAT files for detection and removal.
Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).
Additional Windows ME/XP removal considerations
Variants
Variants -
N/A
