Spy-Agent.h

This page shows details and results of our analysis on the malware Spy-Agent.h

Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.


Minimum DAT

4516 (2005-06-17)

Updated DAT

4778 (2006-06-06)

Minimum Engine

5.1.00

File Length

Varies; known sizes are 26,642 bytes and 15,360 bytes.

Description Added

2005-06-17

Description Modified

2005-06-24

Characteristics

This trojan creates a backdoor on the local system and attempts to download a file named "psguardinstall.exe". At the time of writing the file could not be downloaded, so its contents and purpose were not analysed.

It gathers local system settings (processor, operating system, etc.) and may capture information about web pages viewed on the local system. It may also modify the Windows shell extension for HTML files, although this was not observed in testing.

Additionally, it changes the Windows desktop background to blue and modifies the AutoRun settings.

When the trojan is first executed (as loader.exe) it makes the following changes to the system.

System Changes

Files Added

  • %WinDir%\uninstiu.exe (4 KB)
  • %SystemDir%\wp.bmp (97 KB)
  • %SystemDir%\oleadm32.dll (580 KB)
  • %SystemDir%\oleadm.dll (15 KB)
  • %Temp%\psguardinstall.exe (92 KB)

Registry

The following registry keys are created:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager
    "AllowProtectedRenames"="1"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion
    \Uninstall\Internet Update\{357A87ED-3E5D-437d-B334-DEB7EB4982A3}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion
    \Uninstall\Internet Update
    "UninstallString"="uninstIU.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion
    \Uninstall\Internet Update
    "DisplayName"="Internet Update"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion
    \Uninstall\Internet Update
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
    "NoDispAppearancePage"="1"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
    "NoDispBackgroundPage"="1"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    "NoActiveDesktopChanges"="1"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    "NoDriveTypeAutoRun"="145"
  • HKEY_CLASSES_ROOT\CLSID\{357A87ED-3E5D-437d-B334-DEB7EB4982A3}
    "No"="1"
  • HKEY_CLASSES_ROOT\CLSID\{357A87ED-3E5D-437d-B334-DEB7EB4982A3}
    "WpS"="2"
  • HKEY_CLASSES_ROOT\CLSID\{357A87ED-3E5D-437d-B334-DEB7EB4982A3}
    "Wp"=""
  • HKEY_CLASSES_ROOT\CLSID\{357A87ED-3E5D-437d-B334-DEB7EB4982A3}
    "Clr"="128"
  • HKEY_CLASSES_ROOT\CLSID\{357A87ED-3E5D-437d-B334-DEB7EB4982A3}

The following registry keys are modified:

  • HKEY_CURRENT_USER\Control Panel\Colors
    "Background"="1 2 172"
  • HKEY_CURRENT_USER\Control Panel\Desktop
    "Wallpaper"="C:\WINDOWS\System32\wp.bmp"
  • HKEY_CURRENT_USER\Control Panel\Desktop
    "WallpaperStyle"="0"
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components
    "GeneralFlags"="0"

The application listens on the following network connection(s):

  • loader.exe 1121 (TCP)
  • loader.exe 1120 (TCP)
  • loader.exe 5652 (UDP)

The application creates the following network connection(s):

  • loader.exe 80 (TCP)

Symptoms

Presence of the files and registry entries referenced above. 

The network connections identified above may also be present on the system.

Additionally, unexpected changes to the AutoRun settings, the Active Desktop configuration or the Windows desktop background may also indicate that a Spy-Agent.h infection is present on the system.
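The symptoms above can be checked mechanically. The following is an added example, not code from McAfee or from this description: it matches the file, registry and network indicators listed on this page against a snapshot of a host. The snapshot layout (a set of file paths, a dict of registry values, `netstat -ano` output and a pid-to-process map) is an assumption made for the example; a live sweep would fill it from os.walk, winreg and netstat. The embedded snapshot is constructed and deliberately leaves out oleadm32.dll and psguardinstall.exe, matching the note above that the download did not succeed in testing. It also decodes the NoDriveTypeAutoRun value (145 = 0x91) into the drive types whose AutoRun it disables.

```python
"""Offline IOC sweep for the Spy-Agent.h indicators listed above.
Added example, not McAfee's code. The snapshot layout (files, registry
values, `netstat -ano` rows, pid->process map) is an assumption; a live
sweep would fill it from os.walk, winreg and netstat output."""
import re

CLSID = "{357A87ED-3E5D-437d-B334-DEB7EB4982A3}"
AUTORUN_KEY = (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer",
               "NoDriveTypeAutoRun")

# Paths from the "Files Added" list; placeholders are expanded per host.
FILE_IOCS = [r"%WinDir%\uninstiu.exe", r"%SystemDir%\wp.bmp", r"%SystemDir%\oleadm32.dll",
             r"%SystemDir%\oleadm.dll", r"%Temp%\psguardinstall.exe"]

# (key, value name) -> expected data, a subset of the registry entries above.
REGISTRY_IOCS = {
    (r"HKLM\SYSTEM\CurrentControlSet\Control\Session Manager", "AllowProtectedRenames"): "1",
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Update",
     "UninstallString"): "uninstIU.exe",
    AUTORUN_KEY: "145",
    (r"HKCU\Control Panel\Colors", "Background"): "1 2 172",
    ("HKCR\\CLSID\\" + CLSID, "WpS"): "2",
}

# Sockets the description reports loader.exe listening on.
NETWORK_IOCS = {("TCP", 1120), ("TCP", 1121), ("UDP", 5652)}

# NoDriveTypeAutoRun drive-type bits as documented by Microsoft.
AUTORUN_BITS = {0x01: "unknown", 0x04: "removable", 0x08: "fixed", 0x10: "network",
                0x20: "CD-ROM", 0x40: "RAM disk", 0x80: "unidentified"}

# One `netstat -ano` row: proto, local addr:port, foreign addr, optional state, pid.
NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+\S+:(\d+)\s+\S+\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")

def expand_path(path, env):
    """Replace %WinDir%-style placeholders with this host's directories."""
    return re.sub(r"%(\w+)%", lambda m: env.get(m.group(1), m.group(0)), path)

def match_files(files, env):
    present = {f.lower() for f in files}  # Windows paths compare case-insensitively
    return [ioc for ioc in FILE_IOCS if expand_path(ioc, env).lower() in present]

def match_registry(registry):
    """Registry values present on the host with exactly the data the trojan writes."""
    return [(key, name, registry[(key, name)]) for (key, name), expected in REGISTRY_IOCS.items()
            if (key, name) in registry and str(registry[(key, name)]) == expected]

def parse_netstat(lines):
    """Parse `netstat -ano` rows into (proto, local port, state, pid); header rows are skipped."""
    rows = []
    for m in filter(None, map(NETSTAT_RE.match, lines)):
        proto, port, state, pid = m.groups()
        rows.append((proto, int(port), state or "", int(pid)))
    return rows

def match_network(lines, processes):
    """Listening sockets on the reported ports, with the owning process name."""
    return [(proto, port, pid, processes.get(pid, "?"))
            for proto, port, state, pid in parse_netstat(lines)
            if (proto == "UDP" or state == "LISTENING") and (proto, port) in NETWORK_IOCS]

def decode_autorun(value):
    """Drive types whose AutoRun a NoDriveTypeAutoRun value disables (145 = 0x91)."""
    return [name for bit, name in AUTORUN_BITS.items() if value & bit]

def sweep(snapshot):
    files = match_files(snapshot["files"], snapshot["env"])
    registry = match_registry(snapshot["registry"])
    network = match_network(snapshot["netstat"], snapshot["processes"])
    autorun = snapshot["registry"].get(AUTORUN_KEY)
    return {"files": files, "registry": registry, "network": network,
            "autorun_disabled_for": decode_autorun(int(autorun)) if autorun is not None else [],
            "infected": bool(files or registry or network)}

# Constructed snapshot of a partly infected XP host; oleadm32.dll and
# psguardinstall.exe are deliberately absent (the download failed in testing).
SAMPLE_SNAPSHOT = {
    "env": {"WinDir": r"C:\WINDOWS", "SystemDir": r"C:\WINDOWS\System32",
            "Temp": r"C:\DOCUME~1\Admin\LOCALS~1\Temp"},
    "files": {r"C:\WINDOWS\uninstIU.exe", r"C:\WINDOWS\System32\wp.bmp",
              r"C:\WINDOWS\System32\oleadm.dll", r"C:\WINDOWS\System32\notepad.exe"},
    "registry": {
        (r"HKLM\SYSTEM\CurrentControlSet\Control\Session Manager", "AllowProtectedRenames"): "1",
        AUTORUN_KEY: "145",
        (r"HKCU\Control Panel\Colors", "Background"): "1 2 172",
    },
    "netstat": [
        "  Proto  Local Address          Foreign Address        State           PID",
        "  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       892",
        "  TCP    0.0.0.0:1120           0.0.0.0:0              LISTENING       1234",
        "  TCP    0.0.0.0:1121           0.0.0.0:0              LISTENING       1234",
        "  TCP    192.168.1.5:1122       203.0.113.10:80        ESTABLISHED     1234",
        "  UDP    0.0.0.0:5652           *:*                                    1234",
    ],
    "processes": {892: "svchost.exe", 1234: "loader.exe"},
}

if __name__ == "__main__":
    for item, value in sweep(SAMPLE_SNAPSHOT).items():
        print(item, value)
```

Matching on listening sockets rather than on the outbound port 80 connection is deliberate: a TCP connection to port 80 from loader.exe is indistinguishable from ordinary web traffic, whereas the three listening ports tied to a process named loader.exe are specific to this sample. A single match in any category is treated as a hit, since the page lists the file and registry artefacts as symptoms in their own right.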

Method of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, etc.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

In some cases the following additional steps may also be required.

Use the Windows Recovery Console (or, on later versions, the recovery environment) to restore a clean Master Boot Record (MBR). Note that the system changes recorded above do not include any modification of the MBR for this trojan; this step is only needed where a boot sector infection is suspected.

On Windows XP:

  • Insert the Windows XP CD into the CD-ROM drive and restart the computer.
  • When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
  • Select the Windows installation that is compromised and provide the administrator password.
  • Issue the 'fixmbr' command to restore the Master Boot Record.
  • Follow the on-screen instructions.
  • Restart the computer and remove the CD from the CD-ROM drive.


On Windows Vista and 7:

  • Insert the Windows installation disc into the drive and restart the computer.
  • Click on "Repair Your Computer".
  • When the System Recovery Options dialog comes up, choose the Command Prompt.
  • Issue the 'bootrec /fixmbr' command to restore the Master Boot Record.
  • Follow the on-screen instructions.
  • Restart the computer and remove the installation disc from the drive.

Variants