MSIL/Agent.BC [Threat Name]

MSIL/Agent.BC [Threat Variant Name]

Category: worm
Size: 22165 B
Detection created: Mar 31, 2011
Detection database version: 6004
Aliases: Trojan-Downloader.Win32.Dapato.gyv (Kaspersky)
  Trojan:Win32/Dynamer!dtc (Microsoft)
  GenericDownloader.x!g2x.trojan (McAfee)

Short description

MSIL/Agent.BC is a worm which tries to download other malware from the Internet. It is able to spread via removable media, IM and social networks.

Installation

The worm does not create any copies of itself.


The worm may set the following Registry entries:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "Internet" = "%temp%\Internet.exe"

Spreading

MSIL/Agent.BC is a worm that spreads through social networking sites.


The worm spreads through links which point to websites containing malware.


The following social networking sites are affected:

  • Facebook

Spreading via IM networks

The worm sends links to Skype and mIRC users.


The message contains a URL link to a website containing malware.


The body of the message is the following:

  • http://syroni%removed%host.de/ this girl is soo damn hot

Spreading on removable media

The worm copies itself into the root folders of removable drives using the following name:

  • 007.exe

The following file is created in the same folders:

  • 007.lnk (1132 B)

The file is a shortcut to a malicious file.

Other information

The worm contains a list of 2 URLs.


The worm can download and execute a file from the Internet.


The file is stored in the following location:

  • %temp%\windows.exe

The worm modifies the following file:

  • %appdata%\mIRC\scripts\remote.ini

The worm writes the following entries to the file:

  • [script]
    • n0=on 1:JOIN:#:/privmsg $nick http://syroni%removed%host.de/ this girl is soo damn hot
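
The two configuration changes described above (the Run entry and the remote.ini JOIN handler) can be checked for as follows. This is an added example, not part of the original description or any vendor tool. The function names, the extra command names (msg, query, notice) and the sample data are assumptions made for illustration, and the caller is expected to supply the remote.ini text and the Run-key values.

```python
import re

# mIRC stores remote scripts as numbered lines (n0=, n1=, ...) in a [script] section.
LINE = re.compile(r"^n\d+=(.*)$")
# An "on <level>:JOIN:<channel>:<command>" event handler.
JOIN_EVENT = re.compile(r"^on\s+[^:]+:JOIN:[^:]*:(.*)$", re.IGNORECASE)
# A command that messages the joining user ($nick) and carries a URL.
MSG_WITH_URL = re.compile(r"^/?(privmsg|msg|query|notice)\s+\$nick\b.*https?://",
                          re.IGNORECASE)
# Run-key data that launches a .exe directly from the user's temp directory.
TEMP_EXE = re.compile(r"^\"?(%temp%|%tmp%|.*\\AppData\\Local\\Temp)\\[^\\]+\.exe",
                      re.IGNORECASE)


def flag_remote_ini(text):
    """Return (line_no, script_line) for JOIN handlers that send a URL to $nick."""
    hits, in_script = [], False
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("["):
            in_script = line.lower() == "[script]"
            continue
        m = LINE.match(line) if in_script else None
        ev = JOIN_EVENT.match(m.group(1).strip()) if m else None
        if ev and MSG_WITH_URL.match(ev.group(1).strip()):
            hits.append((no, m.group(1)))
    return hits


def flag_run_values(values):
    """Return names of Run-key values whose data starts a .exe in the temp folder."""
    return sorted(n for n, d in values.items() if TEMP_EXE.match(d.strip()))


# Constructed sample input: the entries from this description plus benign lines.
SAMPLE_INI = """[script]
n0=on 1:JOIN:#:/privmsg $nick http://syroni%removed%host.de/ this girl is soo damn hot
n1=on 1:JOIN:#help:/echo -a $nick joined
[variables]
n0=%greeting hello
"""
SAMPLE_RUN = {"Internet": r"%temp%\Internet.exe",
              "Updater": r"C:\Program Files\Vendor\update.exe"}

if __name__ == "__main__":
    print(flag_remote_ini(SAMPLE_INI))
    print(flag_run_values(SAMPLE_RUN))
```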
