Members
  • Total Members: 14176
  • Latest: toxxxa
Stats
  • Total Posts: 42869
  • Total Topics: 16078
  • Online Today: 3528
  • Online Ever: 51419
  • (01. January 2010., 10:27:49)









Author Topic: Spy-Agent.bv.dldr  (Read 4478 times)

0 Members and 1 Guest are viewing this topic.

Amker

  • SCF Global Moderator
  • *****
  • Posts: 1076
  • KARMA: 22
  • Gender: Male
    • SCforum.info
Spy-Agent.bv.dldr
« on: 17. May 2007., 16:09:59 »
Type
Trojan
SubType
Downloader
Discovery Date
03/27/2007
Length
24,064 bytes
Minimum DAT
4994 (03/28/2007)
Updated DAT
4996 (02/02/2007)
Minimum Engine
4.4.00
Description Added
03/27/2007
Description Modified
05/11/2007

Overview -

The "Spy-Agent.bv.dldr" trojan is designed to download Spy-Agent.bv files from a remote site.
Aliases
Pushu.A!tr (Fortinet)
Troj/Pushu-A (Sophos)
Trojan-Dropper.Win32.Small.avu (Kaspersky)
Trojan.Pandex (Symantec)
Characteristics -


-- Update March 27, 2007 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://www.infozine.com/news/stories/op/storiesView/sid/21848/
--

The "Spy-Agent.bv.dldr" trojan is designed to download Spy-Agent.bv files from a remote site.

Upon execution, the trojan drops the following files:
%Windir%\System32\drivers\ip6fw.sys (Spy-Agent.bv.dldr)
%Windir%\System32\drivers\runtime.sys (Spy-Agent.bv.dldr)
%Windir%\System32\5_exception.nls (Spy-Agent.bv.dldr)

(Where %Windir% is the Windows folder, e.g. C:\Windows)

It adds the following registry keys:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Runtime
"ImagePath" =  \??\%Windir%\System32\drivers\runtime.sys
"ErrorControl" = 1
"Start" = 3
"Type" = 1
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Runtime "ImagePath"
"ImagePath" =  \??\%Windir%\System32\drivers\runtime.sys
"ErrorControl" = 1
"Start" = 3
"Type" = 1

The trojan injects a code into the process "IExplore.exe". The injected code attempts to download files from the following remote site.
66.246.252.[removed]
Symptoms -

Existence of mentioned files and registry keys.
Method of Infection -

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, etc.
Removal -


All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).
# Online Anti-Malware Scanners: http://scforum.info/index.php/topic,734.0.html

Samker's Computer Forum - SCforum.info

Spy-Agent.bv.dldr
« on: 17. May 2007., 16:09:59 »

 

With Quick-Reply you can write a post when viewing a topic without loading a new page. You can still use bulletin board code and smileys as you would in a normal post.

Name: Email:
Verification:
Type the letters shown in the picture
Listen to the letters / Request another image
Type the letters shown in the picture:
Second Anti-Bot trap, type or simply copy-paste below (only the red letters):www.scforum.info:

Enter your email address to receive daily email with 'SCforum.info - Samker's Computer Forum' newest content:

Terms of Use | Privacy Policy | Advertising