Spy-Agent.du

This page shows the details and results of our analysis of the malware Spy-Agent.du.

Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

A recent variant was found to steal data from the user's cookies and send that data to a remote server.

Minimum DAT: 5587 (2009-04-17)
Updated DAT: 5715 (2009-08-20)
Minimum Engine: 5.3.00
File Length: Varies
Description Added: 2009-04-17
Description Modified: 2009-04-27

Malware Proliferation

Characteristics

A recent variant was found to steal data from the user's cookies and send that data to a remote server. Samples have been observed as attachments to spoofed emails.

Upon execution, it creates the following files and folder:

  • %Windir%\system32\lowsec (folder)
  • %Windir%\system32\lowsec\local.ds (data file)
  • %Windir%\system32\lowsec\user.ds (data file)
  • C:\Documents and Settings\NetworkService\Cookies\index.dat (data file)
  • %Windir%\system32\sdra64.exe (Random size - detected as Spy-Agent.du)

(%Windir% is the Windows folder, C:\Windows by default)

Upon execution, the following registry keys are added:

  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\HTTP\Parameters\Synchronize
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\Synchronize
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Protected Storage System Provider
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\{random}
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6}
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\{random}
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6}

The following registry values are added:

  • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\{random}\{23343233-2C66-3B33-3432-343233343233}: F6 0C F4 0E
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6}\{3039636B-5F3D-6C64-6675-696870667265}: F7 09 F2 0D
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6}\{33373039-3132-3864-6B30-303233343434}: 47 09 F2 0D

The following registry values are modified:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit: "%Windir%\system32\userinit.exe,%Windir%\system32\sdra64.exe,"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cookies: "C:\Documents and Settings\LocalService\Cookies"
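As an added example (not part of the original advisory and not McAfee tooling), the following Python checks a host for the persistence and file indicators listed above: it parses the Winlogon Userinit value and flags any entry besides the legitimate userinit.exe (so it catches any extra entry, not only sdra64.exe), looks for the lowsec files and sdra64.exe in a path inventory, and reports a Cookies shell folder that has been redirected outside the user's own profile. The function names, the default expansion of %Windir% to C:\Windows and the sample inputs are assumptions constructed for illustration; on a Windows host, read_userinit_windows reads the live value.

```python
"""Host-side check for the Spy-Agent.du indicators listed in this advisory.

Added example for this page (not McAfee tooling). The functions take raw
registry value strings and file paths, so they work on a live Windows host
(see read_userinit_windows) or on a collected triage export; the sample
inputs under __main__ are constructed for illustration.
"""
import sys
from typing import Iterable, List, Optional

# Indicators quoted from the advisory, using %Windir% exactly as written there.
IOC_FOLDER = r"%Windir%\system32\lowsec"
IOC_FILES = [
    r"%Windir%\system32\lowsec\local.ds",
    r"%Windir%\system32\lowsec\user.ds",
    r"%Windir%\system32\sdra64.exe",
]

# The only entry Windows itself places in Winlogon\Userinit.
LEGIT_USERINIT = r"%Windir%\system32\userinit.exe"


def normalise(path: str, windir: str = r"C:\Windows") -> str:
    """Expand %Windir% (any case), unify slashes and case, drop a trailing slash."""
    lowered = path.replace("/", "\\").lower()
    expanded = lowered.replace("%windir%", windir.lower())
    return expanded.rstrip("\\")


def suspicious_userinit_entries(userinit_value: str,
                                windir: str = r"C:\Windows") -> List[str]:
    """Return every Userinit entry other than the legitimate userinit.exe.

    Userinit is a comma-separated list that Winlogon runs at every logon;
    the advisory reports the trojan appending sdra64.exe to it. Any extra
    entry is a finding, whatever its name.
    """
    legit = normalise(LEGIT_USERINIT, windir)
    findings = []
    for raw in userinit_value.split(","):
        entry = raw.strip().strip('"')
        if not entry:
            continue  # the value normally ends with a trailing comma
        if normalise(entry, windir) != legit:
            findings.append(entry)
    return findings


def matching_ioc_paths(present_paths: Iterable[str],
                       windir: str = r"C:\Windows") -> List[str]:
    """Return the advisory's file/folder indicators found in present_paths."""
    present = {normalise(p, windir) for p in present_paths}
    return [ioc for ioc in [IOC_FOLDER, *IOC_FILES]
            if normalise(ioc, windir) in present]


def cookies_folder_redirected(shell_folders_cookies: str,
                              user_profile_dir: str) -> bool:
    """True if HKCU ...\\Shell Folders\\Cookies points outside the user's profile.

    The advisory reports this value rewritten to the LocalService profile.
    """
    return not normalise(shell_folders_cookies).startswith(
        normalise(user_profile_dir) + "\\")


def read_userinit_windows() -> Optional[str]:
    """On Windows, read the live Userinit value; None on other platforms."""
    if sys.platform != "win32":
        return None
    import winreg  # standard library, Windows only
    key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                         r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon")
    try:
        value, _kind = winreg.QueryValueEx(key, "Userinit")
        return value
    finally:
        winreg.CloseKey(key)


if __name__ == "__main__":
    # Constructed: the Userinit value exactly as the advisory reports it post-infection.
    infected = r"%Windir%\system32\userinit.exe,%Windir%\system32\sdra64.exe,"
    print("Userinit findings:", suspicious_userinit_entries(infected))
    # Constructed file inventory, e.g. from a triage listing of System32.
    inventory = [r"C:\Windows\system32\kernel32.dll",
                 r"C:\WINDOWS\System32\lowsec\user.ds",
                 r"C:\Windows\system32\sdra64.exe"]
    print("IoC paths present:", matching_ioc_paths(inventory))
    print("Cookies redirected:", cookies_folder_redirected(
        r"C:\Documents and Settings\LocalService\Cookies",
        r"C:\Documents and Settings\Alice"))
    live = read_userinit_windows()
    if live is not None:
        print("Live Userinit findings:", suspicious_userinit_entries(live))
```

Comparison is done on normalised paths, so a value written as %Windir% and one written as C:\WINDOWS match each other; the Userinit check deliberately reports anything that is not userinit.exe rather than looking only for the filename this variant uses.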

The trojan injects its malicious code into the following process:

  • winlogon.exe

The trojan attempts to establish connections with the following remote hosts:

  • 91.212.65.5   Port: 80
  • 91.212.65.74   Port: 80

This trojan can connect to the following site(s) to communicate stolen data, log actions and receive instructions:

  • http://mn-room.ru/{blocked}/dir.cfg
  • http://91.212.65.74/{blocked}/dir.php
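On the network side, as an added example that is not part of the original advisory, the following Python matches the remote hosts and file names listed above against web-proxy log lines. The log format is a constructed Squid-style line (timestamp, client IP, method, URL) and the sample lines are constructed; the {blocked} directory segment was redacted in the advisory, so the code matches only the host and the final path component and uses a labelled placeholder in the sample.

```python
"""Match the network indicators from this advisory against web-proxy log lines.

Added example for this page (not McAfee tooling). The log format is a
constructed Squid-style line: timestamp, client IP, method, URL; adapt
parse_line to your proxy's format. Hosts and filenames come from the
advisory; its {blocked} directory segment was redacted, so only the host
and the final path component are matched.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Indicators from the advisory.
IOC_HOSTS = {"91.212.65.5", "91.212.65.74", "mn-room.ru"}
IOC_FILENAMES = {"dir.cfg", "dir.php"}


@dataclass
class Hit:
    line_no: int
    client: str
    url: str
    reason: str


def parse_line(line: str) -> Optional[Tuple[str, str, str, str]]:
    """Split 'timestamp client method url' into fields; None for malformed lines."""
    parts = line.split()
    if len(parts) < 4:
        return None
    return parts[0], parts[1], parts[2], parts[3]


def classify_url(url: str) -> Optional[str]:
    """Return why a URL matches an indicator, or None if it does not."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    filename = parts.path.rsplit("/", 1)[-1].lower()
    if host not in IOC_HOSTS:
        return None
    if filename in IOC_FILENAMES:
        return f"C2 host {host} fetching {filename}"
    return f"contact with C2 host {host}"


def scan_log(lines: List[str]) -> List[Hit]:
    """Return one Hit per log line whose URL matches an indicator."""
    hits: List[Hit] = []
    for line_no, line in enumerate(lines, start=1):
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines rather than abort the scan
        _ts, client, _method, url = parsed
        reason = classify_url(url)
        if reason is not None:
            hits.append(Hit(line_no, client, url, reason))
    return hits


# Constructed sample log; "REDACTED-DIR" stands in for the {blocked} segment.
SAMPLE_LOG = [
    "1240000000.123 10.0.0.15 GET http://www.example.com/index.html",
    "1240000010.456 10.0.0.15 GET http://mn-room.ru/REDACTED-DIR/dir.cfg",
    "1240000020.789 10.0.0.22 POST http://91.212.65.74/REDACTED-DIR/dir.php",
    "1240000030.001 10.0.0.22 GET http://91.212.65.5:80/",
    "malformed line",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"line {hit.line_no}: {hit.client} -> {hit.url} ({hit.reason})")
```

Any contact with one of the listed hosts is reported, with a more specific reason when the fetched file name also matches; a matching file name on an unrelated host is not reported, since dir.php and dir.cfg are too generic to stand alone as indicators.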


Symptoms

Presence of the files and registry keys listed above.
HTTP connections to the remote hosts listed above.

Method of Infection

Trojans do not self-replicate. They spread manually, often under the premise that the executable is something beneficial. Trojans may also be received as a result of poor security practices, or on unpatched and otherwise vulnerable systems. Distribution channels include IRC, peer-to-peer networks, email, newsgroup postings, etc.

Removal

All Users:

Please use the following instructions for all supported versions of Windows to remove threats and other potential risks:

1. Disable System Restore.

2. Update to the current engine and DAT files for detection and removal.

3. Run a complete system scan.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).

Please use the Microsoft Recovery Console to restore a clean MBR.

On Windows XP:

1. Insert the Windows XP CD into the CD-ROM drive and restart the computer.
2. When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
3. Select the Windows installation that is compromised and provide the administrator password.
4. Issue the 'fixmbr' command to restore the Master Boot Record.
5. Follow the on-screen instructions.
6. Remove the CD from the CD-ROM drive and restart the computer.

On Windows Vista and 7:

1. Insert the Windows CD into the CD-ROM drive and restart the computer.
2. Click "Repair Your Computer".
3. When the System Recovery Options dialog appears, choose Command Prompt.
4. Issue the 'bootrec /fixmbr' command to restore the Master Boot Record.
5. Follow the on-screen instructions.
6. Remove the CD from the CD-ROM drive and restart the computer.

Variants