
Topic Summary

Posted by: Amker
« on: 17. May 2007., 16:09:59 »

Type: Trojan
SubType: Downloader
Discovery Date: 03/27/2007
Length: 24,064 bytes
Minimum DAT: 4994 (03/28/2007)
Updated DAT: 4996 (02/02/2007)
Minimum Engine: 4.4.00
Description Added: 03/27/2007
Description Modified: 05/11/2007

Overview -

The "Spy-Agent.bv.dldr" trojan is designed to download Spy-Agent.bv files from a remote site.
Aliases
Pushu.A!tr (Fortinet)
Troj/Pushu-A (Sophos)
Trojan-Dropper.Win32.Small.avu (Kaspersky)
Trojan.Pandex (Symantec)
Characteristics -

-- Update March 27, 2007 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://www.infozine.com/news/stories/op/storiesView/sid/21848/
--

The "Spy-Agent.bv.dldr" trojan is designed to download Spy-Agent.bv files from a remote site.

Upon execution, the trojan drops the following files:
%Windir%\System32\drivers\ip6fw.sys (Spy-Agent.bv.dldr)
%Windir%\System32\drivers\runtime.sys (Spy-Agent.bv.dldr)
%Windir%\System32\5_exception.nls (Spy-Agent.bv.dldr)

(Where %Windir% is the Windows folder, e.g. C:\Windows)

It adds the following registry keys:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Runtime
"ImagePath" = \??\%Windir%\System32\drivers\runtime.sys
"ErrorControl" = 1
"Start" = 3
"Type" = 1
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Runtime
"ImagePath" = \??\%Windir%\System32\drivers\runtime.sys
"ErrorControl" = 1
"Start" = 3
"Type" = 1

The trojan injects code into the process "IExplore.exe". The injected code attempts to download files from the following remote site:
66.246.252.[removed]
Symptoms -

Existence of mentioned files and registry keys.
Method of Infection -

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, etc.
Removal -

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).
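A responder who has exported a file listing and the Services registry keys from a suspect host can check them against the symptoms this advisory lists. The script below is an added example, not code from McAfee or from the forum post; the function names, the inventory layout (a list of paths plus a dict of registry key -> values) and the sample data at the bottom are this example's own and are constructed, so it runs offline on any platform.

```python
"""Offline check of a host inventory against the Spy-Agent.bv.dldr indicators
listed in the advisory above.

Added example, not McAfee's or the poster's code. It takes data you already
have (a list of file paths on the host and a parsed registry export as nested
dicts) instead of touching the live system; the sample inventory is constructed.
"""

# Dropped files named in the advisory; %Windir% is expanded per host.
DROPPED_FILES = (
    r"%Windir%\System32\drivers\ip6fw.sys",
    r"%Windir%\System32\drivers\runtime.sys",
    r"%Windir%\System32\5_exception.nls",
)

# Persistence: a service named "Runtime" under both control sets.
SERVICE_KEYS = (
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Runtime",
    r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Runtime",
)

# Values the advisory lists for that key. Start=3 is SERVICE_DEMAND_START and
# Type=1 is SERVICE_KERNEL_DRIVER, i.e. runtime.sys is loaded as a kernel driver.
EXPECTED_VALUES = {
    "ImagePath": r"\??\%Windir%\System32\drivers\runtime.sys",
    "ErrorControl": 1,
    "Start": 3,
    "Type": 1,
}


def _norm(value, windir):
    """Expand %Windir% and lower-case strings so paths compare case-insensitively."""
    if isinstance(value, str):
        return value.replace("%Windir%", windir).lower()
    return value


def check_files(present_files, windir=r"C:\Windows"):
    """Return the dropped-file indicators that appear in present_files."""
    present = {p.lower() for p in present_files}
    return [f for f in DROPPED_FILES if _norm(f, windir) in present]


def check_registry(registry, windir=r"C:\Windows"):
    """registry maps key path -> {value name: data}. Return (key, matched value
    names) for every Runtime service key whose values match the advisory."""
    hits = []
    for key in SERVICE_KEYS:
        values = registry.get(key)
        if not values:
            continue
        matched = [
            name for name, want in EXPECTED_VALUES.items()
            if _norm(values.get(name), windir) == _norm(want, windir)
        ]
        if matched:
            hits.append((key, matched))
    return hits


def assess(present_files, registry, windir=r"C:\Windows"):
    """Combine both checks into a verdict. The Runtime service key and
    runtime.sys / 5_exception.nls are the strong signals; ip6fw.sys alone is
    weak because the legitimate Windows XP IPv6 firewall driver uses that name."""
    files = check_files(present_files, windir)
    reg = check_registry(registry, windir)
    strong = reg or any(not f.endswith("ip6fw.sys") for f in files)
    return {"files": files, "registry": reg, "likely_infected": bool(strong)}


# Constructed sample inventory: runtime.sys and 5_exception.nls are present,
# ip6fw.sys is not, and the Runtime service exists in CurrentControlSet only.
SAMPLE_WINDIR = r"C:\WINDOWS"
SAMPLE_FILES = [
    r"C:\WINDOWS\system32\drivers\runtime.sys",
    r"C:\WINDOWS\System32\5_exception.nls",
    r"C:\WINDOWS\system32\kernel32.dll",
]
SAMPLE_REGISTRY = {
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Runtime": {
        "ImagePath": r"\??\C:\WINDOWS\System32\drivers\runtime.sys",
        "ErrorControl": 1,
        "Start": 3,
        "Type": 1,
    },
}

if __name__ == "__main__":
    print(assess(SAMPLE_FILES, SAMPLE_REGISTRY, SAMPLE_WINDIR))
```

The comparison is case-insensitive and expands %Windir% per host because file listings and registry exports from different machines vary in casing and install drive; the verdict treats the Runtime service key as the decisive symptom, since that is what keeps runtime.sys loading after a reboot.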