Win32/Agent.NEC [Threat Name]

Win32/Agent.NEC [Threat Variant Name]

Category trojan, virus, worm
Size 201728 B
Detection created Oct 17, 2006
Detection database version 1808
Aliases Trojan.Win32.Obfuscated.gy (Kaspersky)
  BackDoor-DIZ.trojan (McAfee)
  TrojanProxy:Win32/Bobax.A (Microsoft)
Short description

Win32/Agent.NEC is a trojan that is used for spam distribution.


Installation

The trojan does not create any copies of itself.


The trojan registers itself as a system service using the following name:

  • %variable%

A string with variable content is used instead of %variable%.


This causes the trojan to be executed on every system start.


The trojan executes the following command:

  • net start %variable%

The following Registry entries are set:

  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
    • "TcpNumConnections" = 800
    • "MaxUserPort" = %randomnumber%
    • "TcpTimedWaitDelay" = 48
Information stealing

The trojan collects the following information:

  • information about the operating system and system settings
  • e-mail addresses

E-mail addresses are searched for in files with one of the following extensions:

  • .123
  • .c
  • .chm
  • .cpp
  • .csv
  • .dbf
  • .dif
  • .doc
  • .eps
  • .h
  • .htm
  • .html
  • .hwp
  • .info
  • .jtd
  • .mab
  • .nfo
  • .ott
  • .pdf
  • .php
  • .ps
  • .rtf
  • .sdc
  • .sdw
  • .slk
  • .sxw
  • .sys
  • .tmp
  • .txt
  • .wab
  • .wk1
  • .wks
  • .wpd
  • .wps
  • .xls
  • .xml

The collected information is stored in the following file:

  • %temp%\%variable1%%variable2%.tmp

The %variable1% is one of the following strings:

  • cjnr4r4
  • dior4f4
  • nlkfev7
  • sklrr7y
  • mlsdf8h

A string with variable content is used instead of %variable2%.


The trojan attempts to send gathered information to a remote machine.

Spam distribution

Win32/Agent.NEC is a trojan that is used for spam distribution.


The message depends entirely on data the trojan downloads from the Internet.

Other information

The trojan acquires data and commands from a remote computer or the Internet.


The trojan contains a list of 52 URLs and also generates various URL addresses. The HTTP, UDP and SMTP protocols are used.


It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • update itself to a newer version
  • send spam

The trojan terminates specific running processes.


The following services are disabled:

  • SpoolSvc%number%

The %number% is one of the following strings:

  • 200
  • 201
  • 202
  • 203
  • 204
  • 205
  • 206
  • 207
  • 208
  • 209
  • 210
  • 211
  • 212
  • 213
  • 214
  • 215
  • 216
  • 217
  • 218
  • 219
  • 220
  • 221
  • 222
  • 223
  • 224
  • 225
  • 226
  • 227
  • 228
  • 229
  • 230
  • 231
  • 232
  • 233
  • 234
  • 235
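A host-triage routine that matches the indicators this entry lists (the fixed Tcpip\Parameters values, the SpoolSvc200-235 service names and the %variable1% temp-file prefixes), written here as an added example and not part of the ESET description; the host state it runs over is constructed sample data, so it runs offline.

```python
import re
from typing import Dict, List

# Indicators transcribed from the ESET description of Win32/Agent.NEC above.
TCPIP_PARAMS = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"
FIXED_TCPIP_VALUES = {"TcpNumConnections": 800, "TcpTimedWaitDelay": 48}
# MaxUserPort is set to a random number, so only its presence is reported.
TEMP_PREFIXES = ("cjnr4r4", "dior4f4", "nlkfev7", "sklrr7y", "mlsdf8h")
TEMP_FILE_RE = re.compile(r"^(?:" + "|".join(TEMP_PREFIXES) + r").*\.tmp$", re.IGNORECASE)
# SpoolSvc200 .. SpoolSvc235 are the service names the trojan disables; none
# of them is a stock Windows service, so any match is worth a closer look.
SPOOLSVC_RE = re.compile(r"^SpoolSvc2(?:[0-2]\d|3[0-5])$", re.IGNORECASE)


def triage(registry: Dict[str, Dict[str, int]], services: List[str],
           temp_files: List[str]) -> List[str]:
    """Return human-readable findings for artefacts matching the Agent.NEC indicators."""
    findings: List[str] = []
    params = registry.get(TCPIP_PARAMS, {})
    # Both hard-coded values present together is the signal; a lone value is
    # too easily a legitimate tuning and is not reported.
    if all(params.get(n) == v for n, v in FIXED_TCPIP_VALUES.items()):
        desc = ", ".join(f"{n}={v}" for n, v in FIXED_TCPIP_VALUES.items())
        if "MaxUserPort" in params:
            desc += f", MaxUserPort={params['MaxUserPort']}"
        findings.append(f"Tcpip\\Parameters set as by Agent.NEC: {desc}")
    for svc in services:
        if SPOOLSVC_RE.match(svc):
            findings.append(f"service name matches SpoolSvc200-235 pattern: {svc}")
    for name in temp_files:
        if TEMP_FILE_RE.match(name):
            findings.append(f"temp file matches %variable1%%variable2%.tmp pattern: {name}")
    return findings


# Constructed sample host state (not real telemetry) for a stand-alone run.
SAMPLE_REGISTRY = {
    TCPIP_PARAMS: {"TcpNumConnections": 800, "MaxUserPort": 38112, "TcpTimedWaitDelay": 48},
}
SAMPLE_SERVICES = ["Spooler", "SpoolSvc207", "Dnscache"]
SAMPLE_TEMP_FILES = ["cjnr4r4x9q.tmp", "setup.log", "MLSDF8Hab.TMP", "nlkfev7.doc"]

if __name__ == "__main__":
    for line in triage(SAMPLE_REGISTRY, SAMPLE_SERVICES, SAMPLE_TEMP_FILES):
        print(line)
```

The registry and service lists would in practice come from the host (exported hive values and the service control manager), while the temp-file check needs only the file names under %temp%.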
