MSIL/Spy.Agent.AKO [Threat Name]

MSIL/Spy.Agent.AKO [Threat Variant Name]

Category trojan
Size 887808 B
Detection created Jan 19, 2016
Detection database version 12893
Aliases Trojan.Win32.Droma.zek (Kaspersky)
  TrojanSpy:Win32/Skeeyah.A!rfn (Microsoft)
  PSW.MSIL.AZPI.trojan (AVG)
  TR/Dropper.MSIL.nmcn (Avira)
Short description

MSIL/Spy.Agent.AKO is a trojan that steals passwords and other sensitive information. The trojan attempts to send gathered information to a remote machine.

Installation

When executed, the trojan copies itself into some of the following locations:

  • %appdata%\%variable1%\%variable2%
  • %localappdata%\%variable1%\%variable2%
  • %personal%\%variable1%\%variable2%
  • %temp%\%variable1%\%variable2%

In order to be executed on every system start, the trojan sets the following Registry entries:

  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "%variable3%" = "%malwarefilepath%"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "%variable4%" = "%malwarefilepath%"

The trojan may create the following files:

  • %temp%\EBFile_%variable5%
  • %temp%\BFile_%variable6%

A string with variable content is used instead of %variable1-6%.

The files are then executed.


The trojan launches the following processes:

  • %windir%\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "%appdata%\Helper\Browser.txt"
  • %windir%\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "%appdata%\Helper\Mail.txt"
  • %windir%\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "%appdata%\Helper\Mess.txt"
  • %windir%\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "%appdata%\Helper\OS.txt"

The trojan creates and runs a new thread with its own code within these running processes. vbc.exe is the legitimate .NET Visual Basic compiler and is started only as a host for the injected code; the four /stext paths under %appdata%\Helper are the files to which that injected code writes its output.
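As an added example (the editor's own PowerShell, not part of this description or of any vendor tooling), the following triage script hunts for the hollowed vbc.exe instances and the files named above. It assumes an elevated PowerShell session on the suspect host and that the genuine Visual Basic compiler never takes a /stext switch, so that switch alone identifies an injected copy; the parent of such a process is the trojan's own hidden executable, which is why the script hashes it before anything is terminated.

```powershell
# Added example: hunt for the hollowed vbc.exe instances described above.
# Assumptions (not from the page): run elevated on the suspect host; the real
# Visual Basic compiler has no /stext switch, so that switch alone marks an
# injected copy, and the parent of such a vbc.exe is the trojan's own process.

function Get-HollowedVbc {
    Get-CimInstance Win32_Process -Filter "Name = 'vbc.exe'" |
        Where-Object { $_.CommandLine -match '(?i)/stext' } |
        ForEach-Object {
            $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($_.ParentProcessId)"
            [pscustomobject]@{
                Pid         = $_.ProcessId
                CommandLine = $_.CommandLine
                ParentPid   = $_.ParentProcessId
                ParentName  = $parent.Name
                # The hidden copy under %appdata%, %localappdata%, %personal% or %temp%
                ParentImage = $parent.ExecutablePath
            }
        }
}

function Get-HelperDumps {
    # The /stext targets from the process list: collected data lands here first
    $helper = Join-Path $env:APPDATA 'Helper'
    foreach ($name in 'Browser.txt', 'Mail.txt', 'Mess.txt', 'OS.txt') {
        $path = Join-Path $helper $name
        if (Test-Path -LiteralPath $path) {
            Get-Item -LiteralPath $path | Select-Object FullName, Length, LastWriteTime
        }
    }
}

function Get-TempDroppers {
    # %temp%\EBFile_* and %temp%\BFile_* are written and run during installation
    Get-ChildItem -Path $env:TEMP -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match '^E?BFile_' }
}

$hollowed = Get-HollowedVbc
if ($hollowed) {
    "Hollowed vbc.exe instances:"
    $hollowed | Format-List
    # Hash the parent image before killing anything: the trojan deletes its
    # original executable, so this copy may be the only sample left on disk.
    $hollowed | ForEach-Object { $_.ParentImage } | Where-Object { $_ } | Sort-Object -Unique |
        ForEach-Object { Get-FileHash -LiteralPath $_ -Algorithm SHA256 }
}
"Credential dumps in %appdata%\Helper:"
Get-HelperDumps
"Install-time droppers in %temp%:"
Get-TempDroppers
```

Once the parent image has been preserved, terminate the parent first and the vbc.exe hosts second; killing the hosts alone only prompts the still-running parent to spawn new ones.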


The trojan quits immediately if any of the following applications is detected:

  • Sandboxie
  • Wireshark
  • Winsock Packet Editor (WPE) Pro

After the installation is complete, the trojan deletes the original executable file.

Information stealing

The trojan collects the following information:

  • login user names for certain applications/services
  • login passwords for certain applications/services
  • user name
  • computer name
  • operating system version
  • language settings
  • installed firewall application
  • installed antivirus software
  • default Internet browser

The following programs are affected:

  • Beyluxe Messenger
  • CoreFTP
  • Eudora
  • Exchange Server
  • FileZilla
  • Google Chrome
  • Group Mail Free
  • IncrediMail
  • Internet Explorer
  • Live Messenger
  • Microsoft Office
  • Microsoft Outlook
  • Minecraft
  • Mozilla Firefox
  • Mozilla Thunderbird
  • Netscape
  • Opera
  • Outlook Express
  • Runescape
  • Safari
  • SQL Server
  • Windows
  • Windows Live Mail
  • Windows Mail
  • Windows Messenger
  • Yahoo! Mail

It can execute the following operations:

  • log keystrokes
  • capture screenshots
  • capture webcam picture

The trojan attempts to send gathered information to a remote machine. FTP, HTTP or e-mail is used for the transfer.

Other information

It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • display a dialog window
  • open a specific URL address
  • terminate running processes
  • block access to specific websites
  • send gathered information

The trojan can modify the following file:

  • %system%\drivers\etc\hosts

The trojan may delete the following files:

  • %appdata%\.minecraft\lastlogin
  • %localappdata%\Google\Chrome\User Data\Default\Login Data
  • %localappdata%\Google\Chrome\User Data\Default\Web Data
  • %localappdata%\Google\Chrome\User Data\Default\Cookies
  • %localappdata%\Google\Chrome\User Data\Default\History
  • %appdata%\Mozilla\Firefox\Profiles\%defaultprofile%\Login Data
  • %appdata%\Mozilla\Firefox\Profiles\%defaultprofile%\signons.txt
  • %appdata%\Mozilla\Firefox\Profiles\%defaultprofile%\signons2.txt
  • %appdata%\Mozilla\Firefox\Profiles\%defaultprofile%\signons3.txt
  • %appdata%\Mozilla\Firefox\Profiles\%defaultprofile%\signons.sqlite
  • %appdata%\Mozilla\Firefox\Profiles\%defaultprofile%\key3.db

The trojan may set the following Registry entries:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    • "DisableTaskMgr" = "1"
    • "DisableCMD" = "1"
    • "DisableRegistryTools" = "1"
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe]
    • "Debugger" = "rundll32.exe"
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvastSvc.exe]
    • "Debugger" = "rundll32.exe"
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avconfig.exe]
    • "Debugger" = "rundll32.exe"
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvastUI.exe]
    • "Debugger" = "rundll32.exe"
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avscan.exe]
    • "Debugger" = "rundll32.exe"
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\instup.exe]
    • "Debugger" = "rundll32.exe"
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbam.exe]
    • "Debugger" = "rundll32.exe"
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamgui.exe]
    • "Debugger" = "rundll32.exe"
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbampt.exe]
    • "Debugger" = "rundll32.exe"
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamscheduler.exe]
    • "Debugger" = "rundll32.exe"
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamservice.exe]
    • "Debugger" = "rundll32.exe"
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hijackthis.exe]
    • "Debugger" = "rundll32.exe"
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spybotsd.exe]
    • "Debugger" = "rundll32.exe"
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccuac.exe]
    • "Debugger" = "rundll32.exe"
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avcenter.exe]
    • "Debugger" = "rundll32.exe"
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avguard.exe]
    • "Debugger" = "rundll32.exe"
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgnt.exe]
    • "Debugger" = "rundll32.exe"
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgui.exe]
    • "Debugger" = "rundll32.exe"
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgcsrvx.exe]
    • "Debugger" = "rundll32.exe"
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgidsagent.exe]
    • "Debugger" = "rundll32.exe"
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgrsx.exe]
    • "Debugger" = "rundll32.exe"
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgwdsvc.exe]
    • "Debugger" = "rundll32.exe"
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe]
    • "Debugger" = "rundll32.exe"
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zlclient.exe]
    • "Debugger" = "rundll32.exe"
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdagent.exe]
    • "Debugger" = "rundll32.exe"
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\keyscrambler.exe]
    • "Debugger" = "rundll32.exe"
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe]
    • "Debugger" = "rundll32.exe"
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wireshark.exe]
    • "Debugger" = "rundll32.exe"
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ComboFix.exe]
    • "Debugger" = "rundll32.exe"
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe]
    • "Debugger" = "rundll32.exe"
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe]
    • "Debugger" = "rundll32.exe"
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msseces.exe]
    • "Debugger" = "rundll32.exe"
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe]
    • "Debugger" = "rundll32.exe"

The modified Registry entries prevent the listed security and analysis tools from being executed: Windows starts the program named in an Image File Execution Options "Debugger" value in place of the image itself, so every attempt to launch one of these tools runs rundll32.exe instead. The Policies\System values additionally disable Task Manager, the command prompt and the Registry editor for the current user.
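An added PowerShell audit (the editor's, not the page's or any vendor's) that enumerates the persistence and tamper points listed in this section and previews removal of the IFEO hijacks. It assumes an elevated session; it treats a Debugger value of rundll32.exe as the marker for this family and only reports any other Debugger value so a deliberately configured debugger is not removed by accident, and its Run-key filter on user-profile paths reflects the drop locations given under Installation rather than anything stated here.

```powershell
# Added example: audit (and optionally undo) the tamper points listed above.
# Assumptions (not from the page): elevated session; a Debugger value of
# rundll32.exe is the marker acted on, every other Debugger value is only
# reported; Remove-ItemProperty runs with -WhatIf until you drop the switch.

$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

function Get-IfeoDebuggers {
    # Every IFEO subkey carrying a Debugger value. Windows starts that program
    # instead of the named image, so rundll32.exe here means the tool never runs.
    Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
        $dbg = (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if ($dbg) {
            [pscustomobject]@{
                Image    = $_.PSChildName
                Debugger = $dbg
                Key      = $_.PSPath
                Hijack   = [bool]($dbg -match '(?i)rundll32')
            }
        }
    }
}

function Get-PolicyLocks {
    # DisableTaskMgr / DisableCMD / DisableRegistryTools set to 1 under HKCU
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
    if (Test-Path $key) {
        $p = Get-ItemProperty -Path $key
        foreach ($name in 'DisableTaskMgr', 'DisableCMD', 'DisableRegistryTools') {
            if ($p.$name -eq 1) { [pscustomobject]@{ Policy = $name; Value = $p.$name } }
        }
    }
}

function Get-UserPathRunEntries {
    # Run values whose command lives under a user-writable profile path, where the
    # Installation section says the copy is dropped (%appdata%, %localappdata%,
    # %personal%, %temp%). Legitimate software occasionally does this too: review.
    foreach ($hive in 'HKCU', 'HKLM') {
        $key = "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        $props.PSObject.Properties |
            Where-Object { $_.Name -notmatch '^PS' -and $_.Value -match '(?i)\\(AppData|Documents|Temp)\\' } |
            ForEach-Object { [pscustomobject]@{ Hive = $hive; Name = $_.Name; Command = $_.Value } }
    }
}

function Get-HostsOverrides {
    # Active (uncommented) address lines other than plain loopback entries; this
    # is how the trojan blocks access to specific websites.
    $hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    Get-Content -LiteralPath $hosts -ErrorAction SilentlyContinue |
        Where-Object { $_ -match '^\s*[0-9a-fA-F:.]+\s+\S' -and
                       $_ -notmatch '^\s*(127\.0\.0\.1|::1)\s+localhost\s*$' }
}

"IFEO Debugger values:";      Get-IfeoDebuggers | Format-Table -AutoSize
"Policy locks:";              Get-PolicyLocks | Format-Table -AutoSize
"Run entries in user paths:"; Get-UserPathRunEntries | Format-Table -AutoSize
"hosts overrides:";           Get-HostsOverrides

# Remediation: remove only the rundll32.exe hijacks. -WhatIf previews the change.
Get-IfeoDebuggers | Where-Object Hijack | ForEach-Object {
    Remove-ItemProperty -Path $_.Key -Name Debugger -WhatIf
}
```

Remove the Debugger values only after the trojan's processes are gone; while it is still running it can simply write them back, and the Policies\System values and the hosts file need the same ordering.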


The trojan may execute the following commands:

  • cmd.exe /C TASKKILL /F /IM wscript.exe
  • cmd.exe /C TASKKILL /F /IM cmd.exe

The trojan requires the Microsoft .NET Framework to run.
