This detection is for a trojan which attempts to steal information from a user's system. It gathers keyboard strokes, window and clipboard contents and other system-specific information.
There have been multiple spam runs recently of this trojan, with a filename of Proforma_Invoice.doc (689,664 bytes). The MD5s of the files from separate spam runs differ. Previous variants may be detected with the 5055 DATs as Generic Dropper.p and dropped files as Generic Spy.e.
Characteristics -
This trojan has recently been spammed with emails like the following:
Subject: Proforma Invoice for Chicago Display Marketing Corporation
Message body:
To: Chicago Display Marketing Corporation (Attn: names vary)
The Proforma Invoice is attached to this message. You can find the file in the attachments area of your email software.
PS: The invoice also includes the cost for the services provided for the second quarter of 2007.
Please read, evaluate and reply with any comments. Thanks.
Beckman Instruments, Inc.
2500 Harbor Boulevard, E-26-C
Fullerton, CA 92634-3100
Attachment: Proforma_Invoice.doc
Installation
The spam emails carry a DOC file (Proforma_Invoice.doc) with an embedded executable; the executable only runs if the user double-clicks it. The DOC file contains the following text:
DOUBLE CLICK THE ICON ABOVE TO VIEW THE DOCUMENT DETAILS
Upon execution the trojan drops Microsoft.DLL and Microsoft.EXE; the drop location varies between variants.
For example:
C:\Microsoft.dll (425,986 bytes)
C:\Microsoft.exe (119,810 bytes)
The trojan creates registry entries to run itself at Windows startup, such as the following:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Win32KernelStart = Data: "C:\microsoft.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Win32KernelStart = "C:\microsoft.exe"
It also creates a Browser Helper Object to start the DLL each time Internet Explorer is started.
Symptoms -
Presence of the files and registry entries listed previously
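A host check for the indicators above, added here as an example and not part of the advisory. It uses the drop paths and the Run-key value name given in the text; because the advisory names no BHO CLSID, the BHO check is an assumption that matches registered Browser Helper Objects on a server DLL named Microsoft.dll.

```powershell
# Added example: look for the persistence artifacts this advisory describes.
function Find-ProformaInvoiceArtifacts {
    $findings = @()

    # 1. Dropped files at the example locations (other variants use other paths)
    foreach ($f in 'C:\Microsoft.exe', 'C:\Microsoft.dll') {
        if (Test-Path -LiteralPath $f) {
            $item = Get-Item -LiteralPath $f
            $findings += "File present: $f ($($item.Length) bytes)"
        }
    }

    # 2. Run-key value named Win32KernelStart under HKLM and HKCU
    $runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    foreach ($k in $runKeys) {
        $v = Get-ItemProperty -Path $k -Name 'Win32KernelStart' -ErrorAction SilentlyContinue
        if ($v) { $findings += "Run value in ${k}: Win32KernelStart = $($v.Win32KernelStart)" }
    }

    # 3. Browser Helper Objects whose COM server is a file named Microsoft.dll
    #    (assumption: the advisory gives no CLSID, so match on the DLL name)
    $bhoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    if (Test-Path -LiteralPath $bhoRoot) {
        foreach ($bho in Get-ChildItem -LiteralPath $bhoRoot) {
            $clsid = $bho.PSChildName
            $srv = Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32" `
                                    -ErrorAction SilentlyContinue
            if ($srv -and $srv.'(default)' -match '(?i)\\Microsoft\.dll$') {
                $findings += "BHO $clsid loads $($srv.'(default)')"
            }
        }
    }
    return $findings
}

$found = Find-ProformaInvoiceArtifacts
if ($found) {
    $found | ForEach-Object { Write-Output "[!] $_" }
    exit 1   # non-zero so a scheduled job or EDR script can flag the host
} else {
    Write-Output 'No indicators from this advisory found.'
    exit 0
}
```

Run it in an elevated session so the HKLM and HKCR lookups succeed; a match on the Run value or the dropped files should be followed by a scan with the recommended engine and DAT files.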
Method of Infection -
Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include email, IRC, peer-to-peer networks, newsgroup postings, etc.
Removal -
All Users:
Use specified engine and DAT files for detection and removal.
Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).
McAfee