Members
  • Total Members: 14197
  • Latest: Levine
Stats
  • Total Posts: 43423
  • Total Topics: 16520
  • Online today: 2635
  • Online ever: 51419
  • (01. January 2010., 10:27:49)
Users Online
Users: 1
Guests: 2618
Total: 2619









Post reply

Name:
Email:
Subject:
Message icon:

Verification:
Type the letters shown in the picture
Listen to the letters / Request another image

Type the letters shown in the picture:
Second Anti-Bot trap, type or simply copy-paste below (only the red letters):www.codekids.ba:

shortcuts: hit alt+s to submit/post or alt+p to preview


Topic Summary

Posted by: Amker
« on: 17. May 2007., 16:09:59 »

Type
Trojan
SubType
Downloader
Discovery Date
03/27/2007
Length
24,064 bytes
Minimum DAT
4994 (03/28/2007)
Updated DAT
4996 (02/02/2007)
Minimum Engine
4.4.00
Description Added
03/27/2007
Description Modified
05/11/2007

Overview -

The "Spy-Agent.bv.dldr" trojan is designed to download Spy-Agent.bv files from a remote site.
Aliases
Pushu.A!tr (Fortinet)
Troj/Pushu-A (Sophos)
Trojan-Dropper.Win32.Small.avu (Kaspersky)
Trojan.Pandex (Symantec)
Characteristics -


-- Update March 27, 2007 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://www.infozine.com/news/stories/op/storiesView/sid/21848/
--

The "Spy-Agent.bv.dldr" trojan is designed to download Spy-Agent.bv files from a remote site.

Upon execution, the trojan drops the following files:
%Windir%\System32\drivers\ip6fw.sys (Spy-Agent.bv.dldr)
%Windir%\System32\drivers\runtime.sys (Spy-Agent.bv.dldr)
%Windir%\System32\5_exception.nls (Spy-Agent.bv.dldr)

(Where %Windir% is the Windows folder, e.g. C:\Windows)

It adds the following registry keys:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Runtime
"ImagePath" =  \??\%Windir%\System32\drivers\runtime.sys
"ErrorControl" = 1
"Start" = 3
"Type" = 1
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Runtime "ImagePath"
"ImagePath" =  \??\%Windir%\System32\drivers\runtime.sys
"ErrorControl" = 1
"Start" = 3
"Type" = 1

The trojan injects a code into the process "IExplore.exe". The injected code attempts to download files from the following remote site.
66.246.252.[removed]
Symptoms -

Existence of mentioned files and registry keys.
Method of Infection -

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, etc.
Removal -


All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Enter your email address to receive daily email with 'SCforum.info - Samker's Computer Forum' newest content:

Kursevi programiranja za ucenike u Sarajevu

Terms of Use | Privacy Policy | Advertising
TinyPortal 2.3.1 © 2005-2023