Virus Profile: Spy-Agent.bw

Risk Assessment
- Home Users: Low-Profiled
- Corporate Users: Low-Profiled
Date Discovered: 8/20/2007
Date Added: 3/15/2007
Origin: N/A
Length: Varies
Type: Trojan
SubType: Win32
DAT Required: 4985
Virus Characteristics

-- Update December 2, 2008 --

A new variant began to be spammed to German customers earlier this morning. The trojan comes with an email claiming that your email account is locked and that the instructions to unlock the account can be found in the attachment (the trojan).

Filenames used are Sperrung.exe, Hinweis.exe and the dropped file is named Wins.exe.

Detection for these variants is included in today's 5452 DAT package.

An Extra DAT file can be obtained from the Extra DAT request page: http://www.webimmune.net/extra/getextra.aspx

-- Update August 19, 2008 --

Another variant got spammed today. The subject of those mails reads 'Colis postal' and they pretend to be sent from 'La Poste France', or they pretend to be sent from 'Hawaiian Airlines' using the subject 'Your Flight Ticket N0165906'.

Attached to these mails is a ZIP archive, named 'La_Poste_N8832.zip' or 'Your Flight Ticket N0165906', which contains the trojan Spy-Agent.bw.

Detection for this new variant will be included in today's 5364 DATs.

-- Update August 18, 2008 --

A new variant of Spy-Agent.bw has been observed which comes as an attachment to a fake email claiming to be from Fedex. The attachment might be named Fedx-retr871.zip or similar.

Upon execution, a new variant creates the following file:

* C:\WINDOWS\system32\ntos.exe (Spy-Agent.bw)

It changes the following registry key:

* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = %Windir%\System32\userinit %Windir%\System32\ntos.exe

-- Update August 04, 2008 --

A new variant of Spy-Agent.bw has been observed which comes as an attachment to a fake email claiming to be from UPS.

Upon execution, a new variant creates the following hidden files and hidden folder:

* %Windir%\System32\wsnpoem\ (folder)
* %Windir%\System32\wsnpoem\audio.dll (data file)
* %Windir%\System32\wsnpoem\video.dll (data file)
* %Windir%\System32\ntos.exe (Spy-Agent.bw)

(Where %Windir% is the Windows folder; C:\Windows)

The following registry keys are modified/added :

* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = %Windir%\System32\userinit %Windir%\System32\ntos.exe
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID =

The trojan injects its malicious code into the following process:

* winlogon.exe

It can connect to the following website to communicate stolen data, log actions and receive instructions:

* ahleinaks.ru

-- Update July 21, 2008 --

A new variant of Spy-Agent.bw has been observed which comes as an attachment to a fake email claiming to be from UPS.

It can connect to the following website to communicate stolen data, log actions and receive instructions:

* blatundalqik.ru

-- Update May 13, 2008 --

Upon execution, a new variant creates the following hidden files and hidden folder:

* %Windir%\System32\wsnpoem\ (folder)
* %Windir%\System32\wsnpoem\audio.dll (data file)
* %Windir%\System32\wsnpoem\video.dll (data file)
* %Windir%\System32\ntos.exe (Spy-Agent.bw)

(Where %Windir% is the Windows folder; C:\Windows)

The following registry keys are modified/added :

* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = %Windir%\System32\userinit %Windir%\System32\ntos.exe
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID =

The trojan injects its malicious code into the following process:

* winlogon.exe

It can connect to the following site to communicate stolen data, log actions and receive instructions:

* razvlekalovo.net

-- Update August 20, 2007 --

The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://www.techworld.com/security/news/index.cfm?newsID=9833&pagtype=samechan
--

A recent variant was found to be stealing data from recruitment websites once the user is infected. This variant can be proactively detected as New Win32.g2 using the following scanners with heuristics enabled: GroupShield, Secure Internet Gateway (SIG), Secure Mail Gateway (SMG), Secure Web Gateway (SWG), TOPS Email, VirusScan Enterprise Email, VirusScan Email.

Upon execution, it creates the following files and folder:

* %Windir%\System32\wsnpoem\ (folder)
* %Windir%\System32\wsnpoem\audio.dll (data file)
* %Windir%\System32\wsnpoem\video.dll (data file)
* %Windir%\System32\ntos.exe (Spy-Agent.bw)

(Where %Windir% is the Windows folder; C:\Windows)

The following registry keys are modified/added :

* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\pathx =
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = %Windir%\System32\userinit %Windir%\System32\ntos.exe
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID =

The trojan injects its malicious code into the following processes:

* svchost.exe
* winlogon.exe

A particular variant of Spy-Agent.bw can log into the following recruitment websites in search of resume data and personal information, and then post that data to the site(s) listed further below:

* recruiter.monster.com
* hiring.monster.com

Spy-Agent.bw can connect to the following site(s) to communicate stolen data, log actions and receive instructions:

* http://195.189.{blocked}/mnstr/grabv2.php?getid=1
* http://195.189.{blocked}/spmv3.php?sendlog=
* http://195.189.{blocked}/mnstr/grabv2.php
* http://195.189.{blocked}/pmv3.php?sentmailz=

It sends spam e-mails via the following SMTP server:

* smtp.bizmail.yahoo.com


Indications of Infection

* Presence of file(s) and registry key(s) as previously mentioned.
* Unexpected network connections to the mentioned site(s).
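As an added defender-side example (not part of the McAfee profile), the following Python checks a Winlogon Userinit value and a list of observed paths against the file and registry indicators listed above. It assumes %Windir% is C:\Windows, as the profile states, and uses constructed sample data.

```python
"""Added example: match the Spy-Agent.bw indicators from the profile.

Not McAfee code. Assumes %Windir% expands to C:\\Windows.
"""
import ntpath
import re

# A legitimate Userinit value names only userinit.exe; the trojan appends ntos.exe.
# The profile writes the entry without an extension, so both forms are accepted.
LEGIT_USERINIT = {"userinit.exe", "userinit"}

# File and folder indicators from the profile, %Windir% expanded.
IOC_PATHS = {
    "C:\\Windows\\System32\\wsnpoem",
    "C:\\Windows\\System32\\wsnpoem\\audio.dll",
    "C:\\Windows\\System32\\wsnpoem\\video.dll",
    "C:\\Windows\\System32\\ntos.exe",
}


def userinit_extra_entries(value):
    """Return every Userinit entry whose basename is not userinit(.exe).

    Entries are separated by commas and/or whitespace, so the normal
    'C:\\Windows\\system32\\userinit.exe,' yields [] while the infected
    value from the profile yields the appended ntos.exe entry.
    """
    entries = [e for e in re.split(r"[,\s]+", value.strip()) if e]
    return [e for e in entries
            if ntpath.basename(e).lower() not in LEGIT_USERINIT]


def ioc_hits(present_paths):
    """Return the indicator paths that appear in an observed path listing."""
    normalized = {p.rstrip("\\").lower() for p in present_paths}
    return sorted(p for p in IOC_PATHS if p.lower() in normalized)


# Constructed sample data: a clean Userinit value, an infected one, and an
# infected host's partial directory listing.
CLEAN_USERINIT = "C:\\Windows\\system32\\userinit.exe,"
INFECTED_USERINIT = "C:\\Windows\\System32\\userinit C:\\Windows\\System32\\ntos.exe"
INFECTED_LISTING = [
    "C:\\Windows\\System32\\wsnpoem\\",
    "C:\\Windows\\System32\\wsnpoem\\audio.dll",
    "C:\\Windows\\System32\\ntos.exe",
    "C:\\Windows\\System32\\kernel32.dll",
]

if __name__ == "__main__":
    print(userinit_extra_entries(CLEAN_USERINIT))     # []
    print(userinit_extra_entries(INFECTED_USERINIT))  # ['C:\\Windows\\System32\\ntos.exe']
    print(ioc_hits(INFECTED_LISTING))                 # three of the four indicators
```

On a live host the Userinit value would be read from the Winlogon key named above and the listing from System32; any extra entry or indicator hit warrants the cleaning steps under Removal Instructions.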


Method of Infection
Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email, etc. Certain known variants were also installed via web exploits.
Removal Instructions

All Users:
Use specified engine and DAT files for detection.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed if cleaning with the current engine and the specified DATs (or higher). Older engines may not be able to remove all registry keys created by this threat.

Additional Windows ME/XP removal considerations
Aliases
Infostealer.Monstres (Symantec)

Source: http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=141745