The Spy-Agent.da detection covers payload files that are dropped through exploitation of Microsoft vulnerability MS08-067, a flaw in the Server service that allows remote code execution.
Minimum DAT: 5414 (2008-10-23)
Updated DAT: 5433 (2008-11-13)
Minimum Engine: 5.1.00
File Length: Varies
Description Added: 2008-10-23
Description Modified: 2008-10-24
-- Update October 23, 2008 --
The risk assessment for Spy-Agent.da has been raised to Low-Profiled because of its association with MS08-067.
System Changes
The following are general defaults for typical path variables. They may differ between installations, but these values are common:
%WinDir% = \WINDOWS (Windows 9x/ME/XP/Vista), \WINNT (Windows NT/2000)
%SystemDir% = \WINDOWS\SYSTEM (Windows 98/ME), \WINDOWS\SYSTEM32 (Windows XP/Vista), \WINNT\SYSTEM32 (Windows NT/2000)
%ProgramFiles% = \Program Files
A number of files named nx.exe (where 'x' denotes an integer) have been observed as payloads dropped through exploitation of the MS08-067 vulnerability.
On execution of this file, a service with the display name "System Maintenance Service" is created, with the service name sysmgr.
At the time of testing the following files have been added to the system relating to this service:
At the time of testing the following registry elements have been created:
A download is observed as a result of this service from
The following file is downloaded as a result of this service:
The cab file contains the following files:
The files are extracted and the install.bat is executed. This batch file copies the dll files and exe file within the cab, to the following folder:
winbaseInst.exe is executed, which creates a service with the display name "Windows NT Baseline" and the service name BaseSvc.
At the time of testing the following files have been added to the system relating to this service:
%SystemDir%\wbem\winbase.dll
At the time of testing the following registry elements have been created:
The applications created the following network connection(s):
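The service and file indicators described above (service names sysmgr and BaseSvc, their display names, the nx.exe dropper naming pattern, and %SystemDir%\wbem\winbase.dll) can be checked against an exported service list and file listing. The script below is an added triage example, not part of this advisory or McAfee tooling; the service records and paths it runs on are constructed samples, and the record layout (name, display, path) is an assumption about how the inventory was exported.

```python
"""Triage check for the Spy-Agent.da indicators listed in the advisory."""
import re
from typing import Dict, List

# Service name -> display name pairs quoted in the advisory (names compared case-insensitively).
SERVICE_INDICATORS = {
    "sysmgr": "System Maintenance Service",
    "basesvc": "Windows NT Baseline",
}
# nx.exe where x is an integer, as a whole file name (optionally followed by arguments).
DROPPER_RE = re.compile(r'(?:^|\\)n\d+\.exe(?:$|["\s])', re.IGNORECASE)
# The dll dropped under %SystemDir%\wbem.
WINBASE_RE = re.compile(r'\\wbem\\winbase\.dll(?:$|["\s])', re.IGNORECASE)


def check_services(services: List[Dict[str, str]]) -> List[str]:
    """Return one finding per matching indicator in a list of service records.

    Each record is assumed to carry 'name', 'display' and 'path' keys
    (e.g. built from `sc query` / `sc qc` or WMI Win32_Service output).
    """
    findings = []
    for svc in services:
        name = svc.get("name", "")
        display = svc.get("display", "")
        path = svc.get("path", "")
        if name.lower() in SERVICE_INDICATORS:
            findings.append(f"service name {name!r} matches advisory")
        elif display in SERVICE_INDICATORS.values():
            findings.append(f"display name {display!r} matches advisory")
        if DROPPER_RE.search(path) or WINBASE_RE.search(path):
            findings.append(f"service binary {path!r} matches advisory")
    return findings


def check_files(paths: List[str]) -> List[str]:
    """Return the file paths that match the dropper or winbase.dll indicators."""
    return [p for p in paths if DROPPER_RE.search(p) or WINBASE_RE.search(p)]


# Constructed sample inventory (not real telemetry): one benign service, two matching ones.
SAMPLE_SERVICES = [
    {"name": "Spooler", "display": "Print Spooler", "path": r"C:\WINDOWS\system32\spoolsv.exe"},
    {"name": "sysmgr", "display": "System Maintenance Service", "path": r"C:\WINDOWS\system32\n2.exe"},
    {"name": "BaseSvc", "display": "Windows NT Baseline", "path": r"C:\WINDOWS\system32\svchost.exe -k netsvcs"},
]
SAMPLE_FILES = [r"C:\WINDOWS\system32\wbem\winbase.dll", r"C:\WINDOWS\notepad.exe", r"C:\temp\n12.exe"]

if __name__ == "__main__":
    for line in check_services(SAMPLE_SERVICES) + check_files(SAMPLE_FILES):
        print(line)
```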
Microsoft vulnerability MS08-067
All Users:
Use current engine and DAT files for detection and removal.
Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be removed successfully when cleaning with the recommended engine and DAT combination (or higher).