W32/Agent!553158D8AD09

This page shows the details and results of our analysis of the malware W32/Agent!553158D8AD09.

Overview

Viruses are self-replicating. They are often spread by a network or by transmission to a removable medium such as a removable disk, writable CD, or USB drive. Viruses may also spread by infecting files on a network file system or a file system that is shared by another computer.


Minimum Engine

5600.1067

File Length

411136

Description Added

2014-08-20

Description Modified

2014-08-20

Malware Proliferation

Characteristics

This is a Virus

File Properties

  Property           Value
  McAfee Detection   W32/Agent
  Length             411136 bytes
  MD5                553158d8ad0972e8b15d6fbc3d64f636
  SHA1               e4a5ed59c01d2955cc335195d2500ad881f0278b


Other Common Detection Aliases

  Company Name   Detection Name
  ahnlab         Win32/Anah
  avast          Win32:Malware-gen
  avira          W32/Suspic.Q Windows
  Kaspersky      Virus.Win32.Suspic.gen
  BitDefender    Gen:Win32.FileInfector.zm0@aGvGggli
  Dr.Web         Win32.Hana.2
  F-Prot         W32/Heuristic-119!Eldorado (suspicious)
  Eset           NewHeur_PE
  norman         SB/Obfuscated_FA
  rising         Malware.RDM.48!5.36
  Trend Micro    Cryp_Xed-15

Other brands and names may be claimed as the property of others.


Activities

  Activity                                        Risk Level
  Enumerates many system files and directories.   Low
  Adds or modifies a COM object.                  Low
  No digital signature is present.                Informational


McAfee Scans

  Scan               Detection
  McAfee Beta        W32/Agent
  McAfee Supported   W32/Agent



System Changes

Some path values have been replaced with environment variables as the exact location may vary with different configurations.
e.g.
%WINDIR% = \WINDOWS (Windows 9x/ME/XP/Vista/7), \WINNT (Windows NT/2000)
%PROGRAMFILES% = \Program Files


The following files were analyzed:

E4A5ED59C01D2955CC335195D2500AD881F0278B

The following files have been added to the system:

  • %WINDIR%\SYSTEM32\Hana8O.exe

The following files have been changed:

  • %WINDIR%\SYSTEM32\netstat.exe
  • %WINDIR%\ServicePackFiles\i386\packager.exe
  • %WINDIR%\ServicePackFiles\i386\setup.exe
  • %WINDIR%\ServicePackFiles\I386\logonui.exe
  • %WINDIR%\ServicePackFiles\i386\rstrui.exe
  • %WINDIR%\SYSTEM32\logonui.exe
  • %WINDIR%\SYSTEM32\narrator.exe
  • %WINDIR%\SYSTEM32\esentutl.exe
  • %WINDIR%\ServicePackFiles\i386\imapi.exe
  • %WINDIR%\SYSTEM32\arp.exe
  • %WINDIR%\SYSTEM32\dllcache\icwconn1.exe
  • %WINDIR%\SYSTEM32\ntsd.exe
  • %WINDIR%\SYSTEM32\OLD31.tmp
  • %WINDIR%\ServicePackFiles\i386\userinit.exe
  • %WINDIR%\ServicePackFiles\i386\wuauclt.exe
  • %WINDIR%\ServicePackFiles\i386\tlntsvr.exe
  • %WINDIR%\pchealth\helpctr\binaries\helpctr.exe
  • %WINDIR%\ServicePackFiles\I386\netdde.exe
  • %WINDIR%\SYSTEM32\dllcache\wordpad.exe
  • %WINDIR%\SYSTEM32\nwscript.exe
  • %WINDIR%\twunk_32.exe
  • %WINDIR%\ServicePackFiles\i386\spider.exe
  • %WINDIR%\pchealth\helpctr\binaries\helphost.exe
  • %WINDIR%\ServicePackFiles\i386\lang\imscinst.exe
  • %WINDIR%\ServicePackFiles\i386\mspaint.exe
  • %WINDIR%\SYSTEM32\OLD57.tmp
  • %WINDIR%\SYSTEM32\ping6.exe
  • %WINDIR%\SYSTEM32\tracert6.exe
  • %WINDIR%\ServicePackFiles\i386\eudcedit.exe
  • %WINDIR%\ServicePackFiles\i386\dpvsetup.exe
  • %WINDIR%\ServicePackFiles\i386\ie4uinit.exe
  • %WINDIR%\SYSTEM32\smlogsvc.exe
  • %WINDIR%\SYSTEM32\dllcache\IEXPLORE.EXE
  • %WINDIR%\SYSTEM32\winmine.exe
  • %WINDIR%\ServicePackFiles\i386\faxpatch.exe
  • %WINDIR%\ServicePackFiles\i386\smlogsvc.exe
  • %WINDIR%\SYSTEM32\OLD43.tmp
  • %WINDIR%\SYSTEM32\OLD3F.tmp
  • %WINDIR%\ServicePackFiles\i386\asr_pfu.exe
  • %WINDIR%\ServicePackFiles\i386\helpctr.exe
  • %WINDIR%\SYSTEM32\tlntsvr.exe
  • %WINDIR%\SYSTEM32\mstsc.exe
  • %WINDIR%\SYSTEM32\telnet.exe
  • %WINDIR%\SYSTEM32\ie4uinit.exe
  • %WINDIR%\ServicePackFiles\i386\tscupgrd.exe
  • %WINDIR%\ServicePackFiles\i386\helpsvc.exe
  • %WINDIR%\ServicePackFiles\i386\hh.exe
  • %WINDIR%\ServicePackFiles\i386\taskmgr.exe
  • %WINDIR%\ServicePackFiles\i386\winlogon.exe
  • %WINDIR%\SYSTEM32\packager.exe
  • %WINDIR%\ServicePackFiles\i386\ahui.exe
  • %WINDIR%\SYSTEM32\diskpart.exe
  • %WINDIR%\ServicePackFiles\i386\tracerpt.exe
  • %WINDIR%\ServicePackFiles\I386\ipv6.exe
  • %WINDIR%\SYSTEM32\mshta.exe
  • %WINDIR%\SYSTEM32\routemon.exe
  • %WINDIR%\SYSTEM32\OLD51.tmp
  • %WINDIR%\SYSTEM32\OLD33.tmp
  • %WINDIR%\ServicePackFiles\i386\lang\pintlphr.exe
  • %WINDIR%\SYSTEM32\fixmapi.exe
  • %PROGRAMFILES%\windows nt\pinball\pinball.exe
  • %WINDIR%\SYSTEM32\userinit.exe
  • %WINDIR%\SYSTEM32\dpnsvr.exe
  • %WINDIR%\SYSTEM32\faxpatch.exe
  • %WINDIR%\SYSTEM32\notepad.exe
  • %WINDIR%\notepad.exe
  • %WINDIR%\SYSTEM32\mmc.exe
  • %WINDIR%\ServicePackFiles\i386\explorer.exe
  • %PROGRAMFILES%\windows nt\dialer.exe
  • %PROGRAMFILES%\outlook express\wabmig.exe
  • %WINDIR%\SYSTEM32\OLD59.tmp
  • %WINDIR%\SYSTEM32\mobsync.exe
  • %WINDIR%\SYSTEM32\dllcache\setup50.exe
  • %WINDIR%\SYSTEM32\gpupdate.exe
  • %WINDIR%\ServicePackFiles\i386\wordpad.exe
  • %WINDIR%\pchealth\helpctr\binaries\msconfig.exe
  • %WINDIR%\ServicePackFiles\i386\fxscover.exe
  • %WINDIR%\SYSTEM32\mpnotify.exe
  • %WINDIR%\ServicePackFiles\i386\sdbinst.exe
  • %WINDIR%\SYSTEM32\logagent.exe
  • %WINDIR%\SYSTEM32\OLD45.tmp
  • %WINDIR%\SYSTEM32\proquota.exe
  • %WINDIR%\SYSTEM32\mshearts.exe
  • %PROGRAMFILES%\Outlook Express\OLD22.tmp
  • %WINDIR%\SYSTEM32\tlntsess.exe
  • %WINDIR%\SYSTEM32\OLD4B.tmp
  • %WINDIR%\SYSTEM32\usmt\migwiz_a.exe
  • %WINDIR%\ServicePackFiles\I386\ntvdm.exe
  • %WINDIR%\ServicePackFiles\i386\migload.exe
  • %WINDIR%\ServicePackFiles\i386\tlntsess.exe
  • %WINDIR%\ServicePackFiles\i386\iexplore.exe
  • %WINDIR%\ServicePackFiles\i386\migwiz_a.exe
  • %WINDIR%\SYSTEM32\netdde.exe
  • %PROGRAMFILES%\Windows NT\Accessories\OLD2A.tmp
  • %WINDIR%\SYSTEM32\OLD53.tmp
  • %WINDIR%\SYSTEM32\tcpsvcs.exe
  • %WINDIR%\ServicePackFiles\i386\clipbrd.exe
  • %WINDIR%\pchealth\helpctr\binaries\helpsvc.exe
  • %WINDIR%\SYSTEM32\OLD35.tmp
  • %WINDIR%\SYSTEM32\OLD3B.tmp
  • %WINDIR%\SYSTEM32\winchat.exe
  • %WINDIR%\ServicePackFiles\i386\ctfmon.exe
  • %WINDIR%\SYSTEM32\asr_pfu.exe
  • %WINDIR%\SYSTEM32\calc.exe
  • %WINDIR%\ServicePackFiles\I386\logagent.exe
  • %WINDIR%\SYSTEM32\wbem\wbemtest.exe
  • %WINDIR%\SYSTEM32\OLD4F.tmp
  • %WINDIR%\ServicePackFiles\i386\icwconn1.exe
  • %WINDIR%\ServicePackFiles\i386\regedit.exe
  • %WINDIR%\microsoft.net\framework\netfxsbs10.exe
  • %WINDIR%\SYSTEM32\OLD47.tmp
  • %WINDIR%\ServicePackFiles\i386\lang\tintlphr.exe
  • %WINDIR%\SYSTEM32\dplaysvr.exe
  • %WINDIR%\SYSTEM32\ddeshare.exe
  • %WINDIR%\ServicePackFiles\i386\mstsc.exe
  • %WINDIR%\ServicePackFiles\i386\netsetup.exe
  • %WINDIR%\ServicePackFiles\i386\defrag.exe
  • %WINDIR%\SYSTEM32\OLD2F.tmp
  • %WINDIR%\SYSTEM32\rsmsink.exe
  • %WINDIR%\ServicePackFiles\i386\wextract.exe
  • %WINDIR%\SYSTEM32\charmap.exe
  • %WINDIR%\SYSTEM32\sndvol32.exe
  • %WINDIR%\ServicePackFiles\i386\osk.exe
  • %PROGRAMFILES%\outlook express\oemig50.exe
  • %WINDIR%\SYSTEM32\ipsec6.exe
  • %WINDIR%\SYSTEM32\syncapp.exe
  • %WINDIR%\SYSTEM32\scardsvr.exe
  • %WINDIR%\SYSTEM32\wuauclt.exe
  • %WINDIR%\ServicePackFiles\I386\net.exe
  • %WINDIR%\SYSTEM32\OLD55.tmp
  • %WINDIR%\OLD2D.tmp
  • %WINDIR%\SYSTEM32\OLD37.tmp
  • %WINDIR%\ServicePackFiles\i386\telnet.exe
  • %WINDIR%\ServicePackFiles\i386\setup50.exe
  • %WINDIR%\SYSTEM32\iexpress.exe
  • %WINDIR%\SYSTEM32\sethc.exe
  • %WINDIR%\SYSTEM32\usmt\migload.exe
  • %WINDIR%\ServicePackFiles\i386\msconfig.exe
  • %WINDIR%\SYSTEM32\tscupgrd.exe
  • %WINDIR%\SYSTEM32\OLD3D.tmp
  • %PROGRAMFILES%\Internet Explorer\OLD1C.tmp
  • %WINDIR%\regedit.exe
  • %PROGRAMFILES%\Internet Explorer\Connection Wizard\OLD1A.tmp
  • %WINDIR%\SYSTEM32\netsetup.exe
  • %PROGRAMFILES%\outlook express\wab.exe
  • %WINDIR%\SYSTEM32\dmadmin.exe
  • %WINDIR%\SYSTEM32\magnify.exe
  • %WINDIR%\msagent\agentsvr.exe
  • %WINDIR%\SYSTEM32\Restore\OLD4D.tmp
  • %WINDIR%\SYSTEM32\sol.exe
  • %WINDIR%\SYSTEM32\rsmui.exe

The following registry elements have been created:

  • HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\APPID\{4E5C175A-7DB9-11D3-B9E5-00C04F79E399}\
  • HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\APPID\RSTRUI.EXE\
  • HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{BF404DA2-7D3B-11D3-B9E5-00C04F79E399}\
  • HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{BF404DA2-7D3B-11D3-B9E5-00C04F79E399}\CONTROL\
  • HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{BF404DA2-7D3B-11D3-B9E5-00C04F79E399}\INSERTABLE\
  • HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{BF404DA2-7D3B-11D3-B9E5-00C04F79E399}\LOCALSERVER32\
  • HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{BF404DA2-7D3B-11D3-B9E5-00C04F79E399}\MISCSTATUS\
  • HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{BF404DA2-7D3B-11D3-B9E5-00C04F79E399}\MISCSTATUS\1\
  • HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{BF404DA2-7D3B-11D3-B9E5-00C04F79E399}\PROGID\
  • HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{BF404DA2-7D3B-11D3-B9E5-00C04F79E399}\PROGRAMMABLE\
  • HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{BF404DA2-7D3B-11D3-B9E5-00C04F79E399}\TOOLBOXBITMAP32\
  • HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{BF404DA2-7D3B-11D3-B9E5-00C04F79E399}\TYPELIB\
  • HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{BF404DA2-7D3B-11D3-B9E5-00C04F79E399}\VERSION\
  • HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{BF404DA2-7D3B-11D3-B9E5-00C04F79E399}\VERSIONINDEPENDENTPROGID\
  • HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{FD589B7C-7CE0-11D3-B9E5-00C04F79E399}\
  • HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{FD589B7C-7CE0-11D3-B9E5-00C04F79E399}\LOCALSERVER32\
  • HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{FD589B7C-7CE0-11D3-B9E5-00C04F79E399}\PROGRAMMABLE\
  • HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{FD589B7C-7CE0-11D3-B9E5-00C04F79E399}\TYPELIB\
  • HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\INTERFACE\{1159A00E-2862-11D3-B9CF-00C04F79E399}\
  • HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\INTERFACE\{1159A00E-2862-11D3-B9CF-00C04F79E399}\PROXYSTUBCLSID\
  • HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\INTERFACE\{1159A00E-2862-11D3-B9CF-00C04F79E399}\PROXYSTUBCLSID32\
  • HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\INTERFACE\{1159A00E-2862-11D3-B9CF-00C04F79E399}\TYPELIB\
  • HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\INTERFACE\{92C71C4E-CAC8-11D3-B9FB-00C04F79E399}\
  • HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\INTERFACE\{92C71C4E-CAC8-11D3-B9FB-00C04F79E399}\PROXYSTUBCLSID\
  • HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\INTERFACE\{92C71C4E-CAC8-11D3-B9FB-00C04F79E399}\PROXYSTUBCLSID32\
  • HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\INTERFACE\{92C71C4E-CAC8-11D3-B9FB-00C04F79E399}\TYPELIB\
  • HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\INTERFACE\{9341D916-7CDF-11D3-B9E5-00C04F79E399}\
  • HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\INTERFACE\{9341D916-7CDF-11D3-B9E5-00C04F79E399}\PROXYSTUBCLSID\
  • HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\INTERFACE\{9341D916-7CDF-11D3-B9E5-00C04F79E399}\PROXYSTUBCLSID32\
  • HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\INTERFACE\{9341D916-7CDF-11D3-B9E5-00C04F79E399}\TYPELIB\
  • HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\INTERFACE\{CD7874B8-7D3A-11D3-B9E5-00C04F79E399}\
  • HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\INTERFACE\{CD7874B8-7D3A-11D3-B9E5-00C04F79E399}\PROXYSTUBCLSID\
  • HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\INTERFACE\{CD7874B8-7D3A-11D3-B9E5-00C04F79E399}\PROXYSTUBCLSID32\
  • HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\INTERFACE\{CD7874B8-7D3A-11D3-B9E5-00C04F79E399}\TYPELIB\
  • HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\INTERFACE\{E0732CA2-80DC-11D3-B9E6-00C04F79E399}\
  • HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\INTERFACE\{E0732CA2-80DC-11D3-B9E6-00C04F79E399}\PROXYSTUBCLSID\
  • HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\INTERFACE\{E0732CA2-80DC-11D3-B9E6-00C04F79E399}\PROXYSTUBCLSID32\
  • HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\INTERFACE\{E0732CA2-80DC-11D3-B9E6-00C04F79E399}\TYPELIB\
  • HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\RSTRCC.RSTRPROGRESS.1\
  • HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\RSTRCC.RSTRPROGRESS.1\CLSID\
  • HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\RSTRCC.RSTRPROGRESS\
  • HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\RSTRCC.RSTRPROGRESS\CLSID\
  • HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\RSTRCC.RSTRPROGRESS\CURVER\
  • HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\TYPELIB\{B545857A-1D0E-11D3-B9C7-00C04F79E399}\
  • HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\TYPELIB\{B545857A-1D0E-11D3-B9C7-00C04F79E399}\1.0\
  • HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\TYPELIB\{B545857A-1D0E-11D3-B9C7-00C04F79E399}\1.0\0\
  • HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\TYPELIB\{B545857A-1D0E-11D3-B9C7-00C04F79E399}\1.0\0\WIN32\
  • HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\TYPELIB\{B545857A-1D0E-11D3-B9C7-00C04F79E399}\1.0\FLAGS\
  • HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\TYPELIB\{B545857A-1D0E-11D3-B9C7-00C04F79E399}\1.0\HELPDIR\

The following registry elements have been changed:

  • HKEY_LOCAL_MACHINE\SOFTWARE\FIRSTRUN = 734736
  • HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\APPID\RSTRUI.EXE\APPID = {4E5C175A-7DB9-11D3-B9E5-00C04F79E399}
  • HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{BF404DA2-7D3B-11D3-B9E5-00C04F79E399}\APPID = {4E5C175A-7DB9-11D3-B9E5-00C04F79E399}
  • HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\INTERFACE\{1159A00E-2862-11D3-B9CF-00C04F79E399}\TYPELIB\VERSION = 1.0
  • HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\INTERFACE\{92C71C4E-CAC8-11D3-B9FB-00C04F79E399}\TYPELIB\VERSION = 1.0
  • HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\INTERFACE\{9341D916-7CDF-11D3-B9E5-00C04F79E399}\TYPELIB\VERSION = 1.0
  • HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\INTERFACE\{CD7874B8-7D3A-11D3-B9E5-00C04F79E399}\TYPELIB\VERSION = 1.0
  • HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\INTERFACE\{E0732CA2-80DC-11D3-B9E6-00C04F79E399}\TYPELIB\VERSION = 1.0
  • HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\HANA8O.EXE = %WINDIR%\SYSTEM32\Hana8O.exe

Symptoms

The symptoms of this detection are the files, registry elements, and network communication referenced in the Characteristics section.

Method of Infection

Viruses are self-replicating. They are often spread by a network or by transmission to a removable medium such as a removable disk, writable CD, or USB drive. Viruses may also spread by infecting files on a network file system or a file system that is shared by another computer.

Removal

Please use the following instructions for all supported versions of Windows:


1. Disable Windows System Restore. For instructions, please refer to: http://www.mcafee.com/us/downloads/free-tools/disabling-system-restore.aspx

2. Update your McAfee Anti-Virus product to the latest version (when possible), and ensure the latest DAT and Engine and any applicable EXTRA.DATs are installed.

3. Run a full system scan. (On-Demand Scan)

4. Reboot, as soon as it is convenient, to ensure all malicious components are removed.

Variants