Win32/Agent.ECD [Threat Name]

Win32/Agent.ECD [Threat Variant Name]

Category trojan
Size 753664 B
Detection created Jan 23, 2008
Detection database version 2816
Aliases Trojan.Win32.Agent.ftz (Kaspersky)
  W32.Spybot.Worm (Symantec)
  Generic.dx.trojan (McAfee)
Short description

Win32/Agent.ECD installs a backdoor that can be controlled remotely. The trojan sends links to MSN users. The file is run-time compressed using Armadillo.

Installation

When executed, the trojan copies itself into the %system% folder using the following name:

  • NTSpool.exe

In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
    • "NTSpool" = "NTSpool.exe"

The following Registry entries are set:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RFC1156Agent\CurrentVersion\Parameters]
    • "TrapPollTimeMilliSecs" = 15000
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Licenses]
    • {K7C0DB872A3F777C0}
    • {I29A5EA887C231048}
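As an added defender-side example (not part of this report or of ESET's tooling), the script below scans an exported .reg file for the three registry indicators listed above; the key paths and value names are taken from this report, while the parser, the function names and the embedded sample export are assumptions constructed for the example.

```python
import re

# Registry indicators taken from the report above (key path -> value names).
INDICATORS = {
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run": {"NTSpool"},
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RFC1156Agent\CurrentVersion\Parameters": {"TrapPollTimeMilliSecs"},
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Licenses": {"{K7C0DB872A3F777C0}", "{I29A5EA887C231048}"},
}
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')

def decode_data(raw):
    """Decode the .reg data forms this report needs: REG_SZ and REG_DWORD."""
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace("\\\\", "\\")
    return raw

def parse_reg_export(text):
    """Parse a .reg export into {key_path: {value_name: decoded_data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if (m := KEY_RE.match(line)):
            current = m.group(1)
            keys.setdefault(current, {})
        elif (m := VALUE_RE.match(line)) and current is not None:
            keys[current][m.group(1)] = decode_data(m.group(2))
    return keys

def find_agent_ecd_indicators(reg_text):
    """Return (key, value_name, data) for each report indicator found in the export.
    Paths and value names are compared case-insensitively, as the registry does."""
    wanted = {k.lower(): {v.lower() for v in names} for k, names in INDICATORS.items()}
    hits = []
    for key, values in parse_reg_export(reg_text).items():
        names = wanted.get(key.lower(), set())
        hits.extend((key, n, d) for n, d in values.items() if n.lower() in names)
    return hits

# Constructed sample export: two of the report's indicators plus an unrelated entry.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"NTSpool"="NTSpool.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RFC1156Agent\CurrentVersion\Parameters]
"TrapPollTimeMilliSecs"=dword:00003a98
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Updater"="C:\\Program Files\\Updater\\updater.exe"
"""
```

Run `find_agent_ecd_indicators(open("export.reg").read())` against a `reg export` of the two hives to list any matches; an empty result means none of the three keys carried the named values.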

The trojan creates and runs a new thread with its own program code within the following processes:

  • svchost.exe

Spreading via IM networks

The trojan sends links to MSN users. The messages may contain any of the following texts:

  • WoW? is that really you... what the hell where you drinking :D
  • LOL, you look so ugly in this picture, no joke...
  • Should I put this on facebook/myspace?
  • Hey m8, who is this on the right, in this picture...
  • Sup, seen the pictures from the other night?

The attachment is an archive file containing an executable.

Other information

The trojan quits immediately if it detects a window containing one of the following strings in its title:

  • SmartSniff
  • (Untitled) - Etheral
  • The Wireshark Network Analyzer
  • Packetyzer - [Capture Session]
  • Sniffem Win32
  • SerialSniffer
  • TCPView - Sysinternals: www.sysinternals.com
  • WPE PRO
  • File Monitor - Sysinternals: www.sysinternals.com

The trojan acquires data and commands from a remote computer or the Internet.

It communicates with the following server using the IRC protocol:

  • sendtoother.whyI.org (TCP port 2002)

It can be controlled remotely.

It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • terminate running processes
  • retrieve information from protected storage and send it to the remote computer
  • stop itself for a certain time period
  • update itself to a newer version
  • set up an FTP server
  • perform port scanning
  • spread via MSN network
  • remove itself from the infected computer
