BackDoor-DPD.dll
- Type: Trojan
- SubType: Application extension
- Discovery Date: 03/12/2009
- Length: Varies
- Minimum DAT: 5551 (03/12/2009)
- Updated DAT: 6385 (06/22/2011)
- Minimum Engine: 5.4.00
- Description Added: 03/12/2009
- Description Modified: 01/17/2011 11:56 PM (PT)
Characteristics
BackDoor-DPD can act in various ways to steal your data, private information, or resources.
The DLL spies on the compromised user to steal passwords and also monitors the user's browser activity.
This Trojan usually injects itself into running processes such as Explorer.exe and tries to connect to ftp.sup[Removed]ound.ns02.biz on remote TCP port 80.
When executed, the Trojan drops the following files:
- %Userprofile%\Desktop\ms0ert.temp
- %Userprofile%\Desktop\mstemp.temp
- %Temp%\mst10.tmp
- %Temp%\mst6.tmp
- %Temp%\mst7.tmp
- %Temp%\mst8.tmp
- %Temp%\mst9.tmp
- %Temp%\mstA.tmp
- %Temp%\mstB.tmp
- %Temp%\mstC.tmp
- %Temp%\mstD.tmp
- %Temp%\mstE.tmp
- %Temp%\mstF.tmp
The following registry keys have been added to the system:
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msobj
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msobj\Security
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msobj\Enum
The following registry values have been added:
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msobj\Type: 0x00000001
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msobj\Start: 0x00000003
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msobj\ErrorControl: 0x00000001
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msobj\ImagePath: "\??\C:\Documents and Settings\Administrator\Desktop\msobj.sys"
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msobj\DisplayName: "msobj"
These entries register msobj.sys with the Service Control Manager. Type 0x00000001 is SERVICE_KERNEL_DRIVER and Start 0x00000003 is SERVICE_DEMAND_START, so the driver is loaded on demand (for example by the injected DLL) rather than started automatically at boot; the \??\ prefix on ImagePath is the NT object-manager form of the path. The service entry and the .sys file survive reboots, so the driver can be reloaded on every boot as long as both remain on the system.
This Trojan also collects the following information and sends it to the attacker:
1. Windows Version Information!
2. CPU Type!
3. System Time!
4. Account Information!
5. Disk Information!
6. NET Information!
7. Protocol Information!
8. NETBIOS Information!
9. InstallApp Information!
10. IE Version Information!
11. IE BHO Information!
It also collects the following network configuration details of the compromised system and sends them to the attacker:
- Physical address
- Adapter Desc
- Secondary Wins Server
- Primary Wins Server
- DNS Servers
- Gateway
- IP Mask
- IP Address
- Network information
This Trojan also injects itself into running processes and tries to connect to the following site:
- ftp.al[Removed]ton.jetos.com
[%UserProfile% is C:\Documents and Settings\Administrator\ on the analysis system, %Temp% is the current user's temporary folder, and %SystemDrive% is the drive where the operating system is installed, in most cases C:\]
Symptoms
- Presence of above mentioned activities.
- Presence of above mentioned files and Registry entries.
- Presence of unexpected connection to the above mentioned sites.
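The following PowerShell script is an added triage check for the artifacts listed in the Characteristics and File Information sections of this page; it is not McAfee code and is not part of the original advisory. It decodes the msobj service Type/Start values, looks for the dropped files, hashes anything it finds against the MD5/SHA-1 of the analysed sample, and lists outbound TCP/80 connections owned by explorer.exe (the injection target named above). It assumes the driver path generalises to the current user's Desktop (the page only shows the Administrator profile), that the host runs PowerShell 4 or later on Windows 8/Server 2012 or later (for Get-FileHash and Get-NetTCPConnection), and that the hypothetical -Remove switch is an acceptable fallback when the engine/DAT clean described under Removal is not available.

```powershell
# Added triage script for BackDoor-DPD.dll indicators (not McAfee code).
# Run in an elevated PowerShell session. Report-only unless -Remove is given.
param([switch]$Remove)

# Indicators transcribed from this advisory.
$ServiceName = 'msobj'
$ServiceKey  = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
$KnownMd5    = 'E5FB70FE4D72526702BF54EE05F1E252'
$KnownSha1   = '330EFC7AA0270B139A5A8D51FECCF0D5FAA1FE42'

# Assumption: the Desktop paths generalise from the Administrator profile
# shown on the page to whichever user profile is being examined.
$DroppedFiles = @(
    (Join-Path $env:USERPROFILE 'Desktop\ms0ert.temp'),
    (Join-Path $env:USERPROFILE 'Desktop\mstemp.temp'),
    (Join-Path $env:USERPROFILE 'Desktop\msobj.sys')
) + (@('10','6','7','8','9','A','B','C','D','E','F') |
        ForEach-Object { Join-Path $env:TEMP "mst$_.tmp" })

# SCM constants: Type 0x1 = SERVICE_KERNEL_DRIVER, Start 0x3 = SERVICE_DEMAND_START.
$ServiceTypes = @{ 1 = 'KERNEL_DRIVER'; 2 = 'FILE_SYSTEM_DRIVER'
                   16 = 'WIN32_OWN_PROCESS'; 32 = 'WIN32_SHARE_PROCESS' }
$StartTypes   = @{ 0 = 'BOOT_START'; 1 = 'SYSTEM_START'; 2 = 'AUTO_START'
                   3 = 'DEMAND_START'; 4 = 'DISABLED' }

$findings = @()

# 1. Service entry: decode Type/Start and recover the driver path from ImagePath.
if (Test-Path $ServiceKey) {
    $svc = Get-ItemProperty -Path $ServiceKey
    $findings += [pscustomobject]@{
        Indicator = 'ServiceKey'
        Detail    = "$ServiceKey Type=$($ServiceTypes[[int]$svc.Type]) " +
                    "Start=$($StartTypes[[int]$svc.Start]) ImagePath=$($svc.ImagePath)"
    }
    # Strip the NT object-manager prefix (\??\) to get a Win32 path.
    $driverPath = [string]$svc.ImagePath -replace '^\\\?\?\\', ''
    if ($driverPath -and (Test-Path -LiteralPath $driverPath)) { $DroppedFiles += $driverPath }
}

# 2. Dropped files: hash each one found and compare with the advisory sample.
foreach ($f in ($DroppedFiles | Select-Object -Unique)) {
    if (-not (Test-Path -LiteralPath $f)) { continue }
    $md5  = (Get-FileHash -LiteralPath $f -Algorithm MD5).Hash
    $sha1 = (Get-FileHash -LiteralPath $f -Algorithm SHA1).Hash
    $verdict = if ($md5 -eq $KnownMd5 -or $sha1 -eq $KnownSha1) {
        'matches advisory sample' } else { 'hash differs (possible variant or unrelated file)' }
    $findings += [pscustomobject]@{ Indicator = 'DroppedFile'
                                    Detail = "$f MD5=$md5 SHA1=$sha1 $verdict" }
}

# 3. Network: outbound TCP/80 connections owned by explorer.exe, the injection target.
#    The C2 hostnames are redacted on this page, so only the process/port is matched.
$explorerPids = @((Get-Process -Name explorer -ErrorAction SilentlyContinue).Id)
foreach ($c in @(Get-NetTCPConnection -RemotePort 80 -ErrorAction SilentlyContinue)) {
    if ($explorerPids -contains $c.OwningProcess) {
        $findings += [pscustomobject]@{ Indicator = 'NetworkConnection'
            Detail = "explorer.exe PID $($c.OwningProcess) -> $($c.RemoteAddress):80 ($($c.State))" }
    }
}

if ($findings.Count -eq 0) { Write-Host 'No BackDoor-DPD indicators found.'; return }
$findings | Format-Table -AutoSize -Wrap

# Optional manual cleanup (assumed fallback; the advisory's Removal section
# recommends cleaning with the current engine and DAT files).
if ($Remove) {
    if (Test-Path $ServiceKey) {
        & sc.exe stop   $ServiceName | Out-Null   # may fail if the driver is not loaded
        & sc.exe delete $ServiceName | Out-Null
    }
    foreach ($f in ($DroppedFiles | Select-Object -Unique)) {
        if (Test-Path -LiteralPath $f) { Remove-Item -LiteralPath $f -Force }
    }
    Write-Host 'Artifacts removed; reboot and run a full scan with the current engine/DAT.'
}
```

Usage: `.\Check-BackDoorDPD.ps1` reports only; `.\Check-BackDoorDPD.ps1 -Remove` also deletes the service entry and files. Because the dropped files carry a hash comparison, a hit on a path with a differing hash should be treated as a possible variant and submitted as a sample rather than dismissed. The explorer.exe/TCP-80 check is intentionally broad (normal browsing through Explorer-hosted components can produce hits), so read it alongside the file and registry findings, not on its own. Deleting a kernel driver that is currently loaded may fail until after a reboot.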
Method of Infection
Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email, etc. Certain known variants were also known to be installed via web exploits.
Removal
All Users:
Please use the following instructions for all supported versions of Windows to remove threats and other potential risks:
1. Disable System Restore (Windows ME/XP only).
2. Update to the current engine and DAT files for detection and removal.
3. Run a complete system scan.
Modifications made to the system Registry and/or INI files for the purposes of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).
General repair may be unsuccessful in some instances. If this occurs, please submit a sample for further evaluation.
Variants
N/A
All Information
Overview
This is a Trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.
File Information
- MD5 - E5FB70FE4D72526702BF54EE05F1E252
- SHA-1 - 330EFC7AA0270B139A5A8D51FECCF0D5FAA1FE42
Aliases
- Kaspersky - Trojan-Spy.Win32.Agent.bcun
- NOD32 - a variant of Win32/Spy.Agent.NUM
- Ikarus - Trojan-Spy.Win32.Agent
- AVG - PSW.Agent.AETC