MSIL/Spy.Agent.JH [Threat Name] go to Threat

MSIL/Spy.Agent.JH [Threat Variant Name]

Category trojan
Size 731136 B
Detection created Jul 22, 2013
Detection database version 8596
Aliases Backdoor.Win32.Androm.begg (Kaspersky)
  Trojan:Win32/Malagent (Microsoft)
  MSIL:Agent-AQW (Avast)
Short description

MSIL/Spy.Agent.JH is a trojan that steals passwords and other sensitive information. The trojan attempts to send gathered information to a remote machine.

Installation

When executed, the trojan copies itself into the following location:

  • %appdata%\­%malwarefilename%

In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­RunOnce]
    • "Shell" = "%appdata%\­%malwarefilename%"

The trojan creates the following files:

  • %temp%\­1.vbs (VBS/Starter.NAO)
  • %temp%\­tmp.bat

The files are then executed.


The trojan creates the following folders:

  • %appdata%\­Microsoft\­
  • %appdata%\­Microsoft\­Backups\­

The trojan launches the following processes:

  • %windir%\­Microsoft.NET\­Framework\­v2.0.50727\­vbc.exe

The trojan creates and runs a new thread with its own code within these running processes.

Information stealing

MSIL/Spy.Agent.JH is a trojan that steals sensitive information.


The trojan collects the following information:

  • operating system version
  • computer name
  • CPU information
  • memory status
  • installed firewall application
  • installed antivirus software
  • the path to specific folders
  • login passwords for certain applications/services
  • login user names for certain applications/services
  • FTP account information
  • e-mail accounts data
  • Bitcoin wallet contents
  • screenshots

The following programs are affected:

  • CoreFTP
  • DynDNS
  • EpicBot
  • Eudora
  • FileZilla
  • Gmail Notifier
  • Google Chrome
  • Google Desktop
  • Google Talk
  • Group Mail Free
  • IMVU
  • IncrediMail
  • Internet Download Manager
  • Internet Explorer
  • Live Messenger
  • Microsoft Outlook
  • Minecraft
  • Mozilla Firefox
  • Mozilla Thunderbird
  • MSN Messenger
  • Netscape 6.x/7.x
  • Nimbuzz
  • No-IP
  • Opera
  • Outlook Express
  • Pidgin
  • RareBot
  • RSBot
  • Safari
  • SmartFTP
  • Spotify
  • Steam
  • Windows Live Mail
  • Windows Mail
  • Windows Messenger
  • Yahoo! Messenger

The trojan is able to log keystrokes.


The trojan attempts to send gathered information to a remote machine.


The trojan contains a URL address. The HTTP, FTP, SMTP protocol is used.

Other information

The trojan sends links to Skype users.


The trojan may set the following Registry entries:

  • [HKEY_CURRENT_USER\­Software\­Policies\­Microsoft\­Windows\­System]
    • "DisableCMD" = 1
  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Policies\­Explorer]
    • "NoControlPanel" = 1
    • "NoFolderOptions" = 1
  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Policies\­System]
    • "DisableRegistryTools" = 1
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­SystemRestore]
    • "DisableSR" = 1
  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Policies\­System]
    • "DisableTaskMgr" = 1

It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • delete cookies
  • send IM messages

The trojan contains the following text:

  • Limitless Logger

Trojan requires the Microsoft .NET Framework to run.

Please enable Javascript to ensure correct displaying of this content and refresh this page.