Virus Characteristics
-- Update March 26, 2009 ---
New variants have been observed as attachments to spoofed emails that appear to come from DHL and concern a missed shipment. The subject line may contain a falsified tracking ID.
-- Update December 2, 2008 --
A new variant began to be spammed to German customers earlier this morning. The trojan arrives with an email claiming that the recipient's email account has been locked and that the instructions to unlock it can be found in the attachment (the trojan).
Filenames used are Sperrung.exe, Hinweis.exe and the dropped file is named Wins.exe.
Detection for these variants is included in today's 5452 DAT package.
An Extra DAT file can be obtained from the Extra DAT request page: http://www.webimmune.net/extra/getextra.aspx
-- Update August 19, 2008 --
Another variant was spammed today. The emails use the subject 'Colis postal' and pretend to be sent from 'La Poste France', or pretend to be sent from 'Hawaiian Airlines' with the subject 'Your Flight Ticket N0165906'.
Attached to these emails is a ZIP archive, named 'La_Poste_N8832.zip' or 'Your Flight Ticket N0165906', which contains the trojan Spy-Agent.bw.
Detection for this new variant will be included in today's 5364 DATs.
-- Update August 18, 2008 --
A new variant of Spy-Agent.bw has been observed that arrives as an attachment to a fake email claiming to be from FedEx. The attachment might be named Fedx-retr871.zip or similar.
Upon execution, a new variant creates the following file:
- C:\WINDOWS\system32\ntos.exe (Spy-Agent.bw)
It changes the following registry key:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = %Windir%\System32\userinit %Windir%\System32\ntos.exe
-- Update August 04, 2008 --
A new variant of Spy-Agent.bw has been observed which comes as an attachment to a fake email claiming to be from UPS.
Upon execution, a new variant creates the following hidden files and hidden folder:
- %Windir%\System32\wsnpoem\ (folder)
- %Windir%\System32\wsnpoem\audio.dll (data file)
- %Windir%\System32\wsnpoem\video.dll (data file)
- %Windir%\System32\ntos.exe (Spy-Agent.bw)
(Where %Windir% is the Windows folder; C:\Windows)
The following registry keys are modified/added :
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = %Windir%\System32\userinit %Windir%\System32\ntos.exe
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID = <COMPUTER Name_%Random%>
The trojan injects its code into the following process:
It can connect to the following website to communicate stolen data, log actions and receive instructions:
-- Update July 21, 2008 --
A new variant of Spy-Agent.bw has been observed which comes as an attachment to a fake email claiming to be from UPS.
It can connect to the following website to communicate stolen data, log actions and receive instructions:
-- Update May 13, 2008 --
Upon execution, a new variant creates the following hidden files and hidden folder:
- %Windir%\System32\wsnpoem\ (folder)
- %Windir%\System32\wsnpoem\audio.dll (data file)
- %Windir%\System32\wsnpoem\video.dll (data file)
- %Windir%\System32\ntos.exe (Spy-Agent.bw)
(Where %Windir% is the Windows folder; C:\Windows)
The following registry keys are modified/added :
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = %Windir%\System32\userinit %Windir%\System32\ntos.exe
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID = <COMPUTER Name_%Random%>
The trojan injects its code into the following process:
It can connect to the following site to communicate stolen data, log actions and receive instructions:
-- Update August 20, 2007 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://www.techworld.com/security/news/index.cfm?newsID=9833&pagtype=samechan
--
A recent variant was found to steal data from recruitment websites once the user is infected. This variant can be proactively detected as New Win32.g2 using the following scanners with heuristics enabled: GroupShield, Secure Internet Gateway (SIG), Secure Mail Gateway (SMG), Secure Web Gateway (SWG), TOPS Email, VirusScan Enterprise Email, VirusScan Email.
Upon execution, it creates the following files and folder:
- %Windir%\System32\wsnpoem\ (folder)
- %Windir%\System32\wsnpoem\audio.dll (data file)
- %Windir%\System32\wsnpoem\video.dll (data file)
- %Windir%\System32\ntos.exe (Spy-Agent.bw)
(Where %Windir% is the Windows folder; C:\Windows)
The following registry keys are modified/added :
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\pathx = <path to Spy-Agent.bw>
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = %Windir%\System32\userinit %Windir%\System32\ntos.exe
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID = <COMPUTER Name_%Random%>
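The Winlogon\Userinit change listed in each update above is how Spy-Agent.bw survives a reboot: Winlogon launches every program named in Userinit at logon, so appending ntos.exe starts the trojan alongside the legitimate userinit.exe. The script below is an added example, not McAfee's tooling or anything shipped with the DATs. It parses the text of a `reg export` (.reg) file and flags the three registry indicators from this analysis: extra Userinit entries, the Winlogon\pathx value, and the Network\UID value. The two embedded exports are constructed for demonstration; the UID string is made up, and the comma-separated layout of Userinit is the documented REG_SZ format (this page writes the entries with a space, which the check also accepts).

```python
"""Flag Spy-Agent.bw registry indicators in a Windows .reg export (added example)."""
import re
from typing import Dict, List

RegTree = Dict[str, Dict[str, str]]  # key path (lowercased) -> {value name (lowercased): data}

# Constructed sample: what `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" out.reg`
# could look like on an infected host. Paths follow this page; the UID value is invented.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\ntos.exe,"
"pathx"="C:\\WINDOWS\\system32\\ntos.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network]
"UID"="WORKSTATION_1234567"
"""

# Constructed sample of a clean host: default Userinit, no pathx, no Network\UID.
CLEAN_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"""

WINLOGON = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"
NETWORK = r"hkey_local_machine\software\microsoft\windows nt\currentversion\network"

_SECTION = re.compile(r"^\[(.+)\]$")
_VALUE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def _unescape(s: str) -> str:
    """Undo .reg string escaping: \\" -> " and \\\\ -> \\."""
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg_export(text: str) -> RegTree:
    """Parse the subset of .reg syntax needed here: [key] headers and "name"="string" values.
    Non-string data (dword:, hex:) is kept verbatim. Real exports are UTF-16LE with a BOM;
    decode the file before passing it in."""
    tree: RegTree = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = _SECTION.match(line)
        if m:
            current = m.group(1).lower()
            tree.setdefault(current, {})
            continue
        m = _VALUE.match(line)
        if m and current is not None:
            name = _unescape(m.group(1)) if m.group(1) is not None else ""  # "" = default value (@)
            data = m.group(2)
            if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                data = _unescape(data[1:-1])
            tree[current][name.lower()] = data
    return tree


def userinit_extras(value: str) -> List[str]:
    """Return every Userinit entry that is not the legitimate userinit.exe.
    Entries are split on commas (the documented format) and on whitespace (as this page
    writes the value); a trailing empty entry is normal. Caveat: a path containing spaces
    would be split too, but the genuine value never has one."""
    extras = []
    for entry in re.split(r"[,\s]+", value.strip().strip('"')):
        if not entry:
            continue
        directory, _, basename = entry.lower().rpartition("\\")
        legit_name = basename in ("userinit.exe", "userinit")
        # Accept a bare name or any ...\system32 directory (C:\WINDOWS or %SystemRoot% spelling).
        legit_dir = directory == "" or directory.endswith("\\system32")
        if not (legit_name and legit_dir):
            extras.append(entry)
    return extras


def find_indicators(tree: RegTree) -> List[str]:
    """Apply this page's Spy-Agent.bw registry indicators to a parsed export."""
    findings = []
    winlogon = tree.get(WINLOGON, {})
    for extra in userinit_extras(winlogon.get("userinit", "")):
        findings.append(f"Userinit launches extra program: {extra}")
    if "pathx" in winlogon:
        findings.append(f"Winlogon\\pathx present: {winlogon['pathx']}")
    network = tree.get(NETWORK, {})
    if "uid" in network:
        findings.append(f"Network\\UID present: {network['uid']}")
    return findings


if __name__ == "__main__":
    for finding in find_indicators(parse_reg_export(SAMPLE_REG)):
        print("[!]", finding)
    print("clean host findings:", find_indicators(parse_reg_export(CLEAN_REG)))
```

On a live host the same logic applies to the output of `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" out.reg` (decode it from UTF-16 first). Comparing the Userinit entries by directory as well as by name matters: a copy of the trojan named userinit.exe in any directory other than system32 is still flagged.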
The trojan injects its code into the following process:
A particular variant of Spy-Agent.bw can log into the following recruitment websites in search of résumé data and personal information, which it then posts to the control site(s) listed below:
- recruiter.monster.com
- hiring.monster.com
Spy-Agent.bw can connect to the following site(s) to communicate stolen data, log actions and receive instructions:
- http://195.189.{blocked}/mnstr/grabv2.php?getid=1
- http://195.189.{blocked}/spmv3.php?sendlog=
- http://195.189.{blocked}/mnstr/grabv2.php
- http://195.189.{blocked}/pmv3.php?sentmailz=
Sends spam e-mails via the following SMTP server: