Win32/Agent.NGP [Threat Name]

Win32/Agent.NGP [Threat Variant Name]

Category worm
Size 28567 B
Detection created Feb 08, 2007
Detection database version 2046
Aliases Worm.Win32.Agent.xb (Kaspersky)
  Trojan.Horse (Symantec)
  Generic.dx!pv (McAfee)
Short description

The worm sends links to Yahoo! Messenger users. If the link is clicked, a copy of the worm is downloaded. The file is run-time compressed using MEW.

Installation

When executed, the worm copies itself to the following locations:

  • %windir%\Java.exe
  • %system%\Cexplorer.exe
  • C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Dap32.exe
  • D:\Documents and Settings\All Users\Start Menu\Programs\Startup\Winrar.exe
  • E:\Documents and Settings\All Users\Start Menu\Programs\Startup\User.cmd
  • F:\Documents and Settings\All Users\Start Menu\Programs\Startup\System.exe
  • C:\Setup.exe
  • D:\Scree.scr
  • E:\Winamp.pif
  • F:\sex.html.cmd
  • I:\OfficeSetup.pif
  • J:\New_IE.exe

The worm creates the following folders:

  • c:\amircivil1
  • c:\amircivil2
  • c:\amircivil3
  • c:\amircivil4
  • c:\amircivil5
  • c:\amircivil6

In order to be executed on every system start, the worm sets the following Registry entries:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "Windows Update" = "%windir%\Java.exe"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "Win32Usr" = "%system%\Cexplorer.exe"

The following Registry entries are set (they disable the Windows Firewall/Internet Connection Sharing service, DCOM and System Restore, and rename the computer):

  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
    • "Start" = 4
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
    • "EnableDCOM" = "N"
  • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ComputerName]
    • "ComputerName" = "ydfe"
  • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    • "EnableFirewal" = 1
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
    • "DisableSR" = 1

A "Start" value of 4 marks the SharedAccess service as disabled. The value name "EnableFirewal" (one "l") is written exactly as the worm sets it; it is not the firewall's real "EnableFirewall" value, so it is useful as an indicator but has no effect on the firewall itself.

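An offline check for the host indicators listed in this section, added here as an example and not ESET's code: it parses a Windows .reg export plus a file listing, both constructed inline, and reports which of the worm's autorun values, configuration changes and dropped files are present. The registry paths, value names and file paths are the ones listed above; the default %windir%/%system% expansion (C:\WINDOWS and C:\WINDOWS\system32), the sample export and the sample file list are assumptions made for the example.

```python
import re

# Registry values the worm sets (key path -> {value name: expected value}).
# Paths and names are taken from the description above; integers compare
# against REG_DWORD data, strings against REG_SZ data.
AGENT_NGP_REGISTRY = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run":
        {"Windows Update": r"%windir%\Java.exe"},
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run":
        {"Win32Usr": r"%system%\Cexplorer.exe"},
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess":
        {"Start": 4},
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole":
        {"EnableDCOM": "N"},
    r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ComputerName":
        {"ComputerName": "ydfe"},
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore":
        {"DisableSR": 1},
}

# Dropped copies and created folders from the lists above.
AGENT_NGP_PATHS = [
    r"%windir%\Java.exe", r"%system%\Cexplorer.exe",
    r"C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Dap32.exe",
    r"C:\Setup.exe", r"D:\Scree.scr", r"E:\Winamp.pif", r"F:\sex.html.cmd",
    r"I:\OfficeSetup.pif", r"J:\New_IE.exe",
] + [r"c:\amircivil%d" % i for i in range(1, 7)]

_VALUE_LINE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')

def _unescape(s):
    # .reg exports escape backslashes and quotes inside REG_SZ data
    return s.replace('\\\\', '\\').replace('\\"', '"')

def parse_reg_export(text):
    """Parse a .reg export into {key path: {value name: value}}.

    "name"="string" becomes str, "name"=dword:xxxxxxxx becomes int, @ is the
    default value (empty name); any other data type is kept as raw text.
    """
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_LINE.match(line)
        if m is None or current is None:
            continue
        name = "" if m.group(1) is None else _unescape(m.group(1))
        raw = m.group(2)
        if raw.lower().startswith("dword:"):
            value = int(raw[6:], 16)
        elif len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
            value = _unescape(raw[1:-1])
        else:
            value = raw
        keys[current][name] = value
    return keys

def _expand(path, windir, system):
    return path.replace("%windir%", windir).replace("%system%", system)

def check_host(reg_text, file_list, windir=r"C:\WINDOWS", system=r"C:\WINDOWS\system32"):
    """Return a sorted list of (kind, detail) for every indicator found.

    Key paths and value names are compared case-insensitively, as the registry
    does; windir/system are what the %windir%/%system% placeholders expand to
    (assumed defaults for this example).
    """
    keys = {k.lower(): {n.lower(): v for n, v in vals.items()}
            for k, vals in parse_reg_export(reg_text).items()}
    findings = []
    for key, expected in AGENT_NGP_REGISTRY.items():
        present = keys.get(key.lower(), {})
        for name, want in expected.items():
            got = present.get(name.lower())
            if got is None:
                continue
            if isinstance(want, int):
                hit = got == want
            else:
                hit = str(got).lower() == _expand(want, windir, system).lower()
            if hit:
                findings.append(("registry", "%s\\%s = %r" % (key, name, got)))
    on_disk = {p.lower() for p in file_list}
    for path in AGENT_NGP_PATHS:
        full = _expand(path, windir, system)
        if full.lower() in on_disk:
            findings.append(("file", full))
    return sorted(findings)

# Constructed sample input: a partial .reg export and a directory listing from
# a host where three of the registry changes and three dropped items are present.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Update"="C:\\WINDOWS\\Java.exe"
"LegitUpdater"="C:\\Program Files\\Legit\\updater.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="Y"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR"=dword:00000001
'''

SAMPLE_FILES = [
    r"C:\WINDOWS\Java.exe", r"C:\WINDOWS\notepad.exe",
    r"C:\Setup.exe", r"c:\amircivil3",
]

if __name__ == "__main__":
    for kind, detail in check_host(SAMPLE_REG, SAMPLE_FILES):
        print(kind, detail)
```

On a real host the export comes from `reg export <key> out.reg`; reg.exe writes the file as UTF-16LE, so read it with `encoding="utf-16"` before passing the text to `check_host`. Matching the firewall key is left out deliberately: the misspelled "EnableFirewal" value would be found by the same code, but a hit on the dropped files or the Run values is the stronger indicator.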
Spreading via IM networks

The worm sends links to Yahoo! Messenger users.

The messages may contain any of the following texts:

  • :x :x Yahoo Tedy: http://h1.ripway.com/tedy2007/Folder[%removed%]   :x

If the link is clicked, a copy of the worm is downloaded.

Other information

The worm terminates processes with any of the following strings in the name (the match is on a substring of the process name, so short entries such as "NT", "SH" or "CV" also hit processes unrelated to security software):

  • 02D30.exe
  • ACKWIN32.exe
  • ADAWARE.exe
  • ADVXDWIN.exe
  • AGENTSVR.exe
  • AGENTW .exe
  • ALERTSVC.exe
  • ALEVIR.exe
  • ALOGSERV.exe
  • AmIrCiViL
  • AMON9X .exe
  • ANTI-TROJAN.exe
  • ANTIVIRUS
  • ANTS
  • APIMONITOR
  • APLICA32
  • APVX
  • ARR
  • ATCON
  • ATRO55EN
  • ATUPDATER
  • ATUPDATER.exe
  • ATWATCH
  • AU .exe
  • AUPDATE.exe
  • AUTODOWN
  • AUTO-PROTECT
  • AUTOTRACE
  • AUTOUPDATE
  • AVCONSOL
  • AVE32
  • AVGCC32
  • AVGCTRL
  • AVGNT
  • AVGSERV.exe
  • AVGSERV9
  • AVGW.exe
  • AVKPOP
  • AVKSERV
  • AVKSERVICE
  • AVKWCTl9
  • AVLTMAIN
  • AVNT
  • AVP
  • AVP32
  • AVPCC
  • AVPDOS32
  • AVPM
  • AVPTC32
  • AVPUPD
  • AVPUPD.exe
  • AVSCHED32
  • AVSYNMGR.exe
  • AVWINNT
  • AVWUPD
  • AVWUPD32
  • AVWUPSRV
  • AVXMONITOR9X
  • AVXMONITORNT
  • AVXQUAR
  • BACKWEB
  • BARGAINS
  • BD_PROFESSIONAL
  • BEAGLE.exe
  • BELT.exe
  • BIDEF
  • BIDSERVER
  • BIPCP
  • BIPCPEVALSETUP
  • BISP
  • BLACKD
  • BLACKICE
  • BLSS
  • BOOTCONF
  • BOOTWARN
  • BORG2
  • BPC
  • BRASIL
  • BS120
  • BUNDLE
  • BVT.exe
  • CCAP.exeP.
  • CCEVTMGR
  • CCPXYSVC
  • CDP
  • CFD
  • CFGWIZ
  • CFIADMIN
  • CFIAUDIT
  • CFINET
  • CFINET32
  • CLEAN
  • CLEANER
  • CLEANER3
  • CLEANPC
  • CLICK.exe
  • CMD32.exe
  • CMESYS
  • CMGRDIAN
  • CMON016
  • CONNECTIONMONITOR
  • CPD
  • CPF9X206
  • CPFNT206
  • CTRL
  • CV
  • CWNB181
  • CWNTDWMO
  • D.exe
  • DWIN
  • IEXPLORER
  • IFACE
  • IFW2000
  • INETLNFO.exe
  • INFUS.exe
  • INFWIN
  • INIT
  • INSTALL.exe
  • install.exe
  • INTDEL
  • INTREN
  • IOMON98
  • ISTSVC
  • JAMMER
  • JDBGMRG
  • JEDI
  • KAVLITE40ENG
  • KAVPERS40ENG
  • KAVPF
  • KAZZA
  • KEENVALUE
  • KERIO-PF-213-EN-WIN
  • KERIO-WRL-421-EN-WIN
  • KERIO-WRP-421-EN-WIN
  • KERNEL32.exe
  • KILLPROCESSSETUP161
  • LAUNCHER
  • LDNETMON
  • LDPRO
  • LDPROMENU
  • LDSCAN
  • LNETINFO
  • LOADER
  • LOCALNET
  • LOCKDOWN
  • LOCKDOWN2000
  • LOOKOUT .exe
  • LORDPE
  • LSETUP.exe
  • LUALL.exe
  • LUAU.exe
  • LUCOMSERVER.exe
  • LUINIT.exe
  • LUSPT
  • MAPISVC32
  • MCAGENT
  • MCMNHDLR
  • MCSHIELD
  • MCTOOL
  • MCUPDATE
  • MCVSRTE
  • MCVSSHLD
  • MD.exe
  • MFIN32
  • MFW2EN .exe
  • MFWENG3
  • MGAVRTCL.exe
  • MGAVRTE.exe
  • MGHTML
  • mghtml.exe
  • MGUI
  • MINILOG
  • MMOD
  • MONITOR
  • MOOLIVE
  • MOSTAT
  • MPFAGENT
  • MpfConsole.exe
  • MPFSERVICE
  • MPFTRAY
  • MRFLUX
  • MSAPP
  • MSBB.exe
  • MSBLAST
  • MSCACHE
  • MSCCN32
  • MSCMAN
  • MSCONFIG
  • MSDM
  • MSDOS
  • MSIEXEC16
  • MSINFO32
  • MSLAUGH
  • MSMGT
  • MSMSGRI32
  • MSSMMC32
  • MSSYS
  • MSVXD.exe
  • MU0311AD.exe
  • MWATCH
  • N32SCANW
  • NAV
  • NAV32.exe
  • NAV80TRY
  • NAVAP
  • NAVAPSVC
  • NAVAPW32
  • NAVDX
  • NAVLU32
  • NAVNT
  • NAVSTUB
  • NAVW32
  • NAVWNT
  • NC2000
  • NCINST4
  • NDD32
  • NEOMONITOR
  • NEOWATCHLOG
  • NETARMOR
  • NETD32
  • NETINFO
  • NETMON
  • NETSCANPRO
  • NETSPYHUNTER-1.2
  • NETSTAT
  • NETUTILS
  • NISSERV
  • NISUM
  • NMAIN
  • NOD32.exe
  • NORMIST
  • NORTON_INTERNET_SECU_3.0_407
  • notepad.exe
  • NOTSTART.exe
  • NPF40_TW_98_NT_ME_2K
  • NPFMESSENGER
  • NPROTECT
  • NPSCHECK
  • NPSSVC
  • NSCHED32
  • NSSYS32
  • NSTASK32
  • NSUPDATE
  • NT
  • NTRTSCAN
  • NTVDM
  • NTXconfig
  • NUI
  • NUPGRADE
  • NVARCH16
  • NVC95.exe
  • NVSVC32
  • NWINST4
  • NWSERVICE
  • NWTOOL16
  • OLLYDBG
  • ONSRVR
  • OPTIMIZE
  • OSTRONET
  • OTFIX
  • OUTPOST
  • OUTPOSTINSTALL
  • OUTPOSTPROINSTALL
  • PADMIN
  • PANIXK.exe
  • PATCH
  • PAVCL
  • PAVPROXY
  • PAVSCHED
  • PAVW
  • PCFWALLICON
  • PCIP10117_0
  • PCSCAN
  • PDSETUP
  • PERISCOPE
  • PERSFW
  • PERSWF
  • PF2
  • PFWADMIN
  • PGMONITR.exe
  • PINGSCAN
  • PLATIN.exe
  • POP3TRAP
  • POPROXY
  • POPSCAN
  • PORTDETECTIVE
  • PORTMONITOR
  • POWERSCAN
  • PPINUPDT
  • PPTBC
  • PPVSTOP
  • PRIZESURFER
  • PRMT
  • PRMVR
  • PROCDUMP.exe
  • PROCESSMONITOR
  • PROCEXPLORERV1.0.exe
  • PROGRAMAUDITOR
  • PROPORT
  • PROTECTX
  • PSPF
  • PURGE
  • QCONSOLE
  • QSERVER
  • RAPAPP
  • RAV7
  • RAV7WIN
  • RAV8WIN32ENG
  • RAY
  • RB32
  • RCSYNC.exe
  • REALMON.exe
  • REGEDIT.exe
  • regedit.exe
  • REGEDT32.exe
  • RESCUE
  • RESCUE32
  • RRGUARD.exe
  • RSHELL.exe
  • RTVSCAN.exe
  • RTVSCN95.exe
  • RULAUNCH
  • RUN32DLL
  • RUNDLL
  • RUNDLL16
  • RUXDLL32
  • SAFEWEB
  • SAHAGENT
  • SAVE
  • SAVENOW
  • SBSERV.exe
  • SC.exe
  • SCAM32
  • SCAN32
  • SCAN95.exe
  • SCANPM
  • SCRSCAN
  • setup.exe
  • SETUP_FLOWPROTECTOR_US..SFC.SGSSFW32
  • SETUPVAMEEVAL
  • SH
  • SHELLSPY
  • SHN.exe
  • SHOWBEHIND.exe
  • SMC
  • SMS.exe
  • SMSS3.exe2
  • SOAP.exe
  • SOFI.exe
  • SPERM
  • SPF
  • SPHINX
  • SPOLER
  • SPOOLCV
  • SPOOLSV32
  • SPYXX
  • SREXE
  • SRNG
  • SS3EDIT.exe
  • SSG_4104
  • SSGRATE.exe
  • ST2
  • START
  • STCLOADER.exe
  • SUPFTR.exeL
  • SUPPORT.exe
  • SUPPORTER5.exe
  • SVC.exe
  • SVCHOSTC.exe
  • SVCHOSTS
  • SVSHOST
  • SWEEP95
  • SWEEPNET
  • SWEEPSRV.SYS
  • SWNETSUP
  • SYMPROXYSVC
  • SYMTRAY
  • SYSEDIT
  • SYSTEM.exe
  • SYSTEM32.exe
  • SYSUPD.exe
  • TASKMG.exe
  • taskmgr.exe
  • TASKMO.exe
  • TASKMON.exe
  • TAUMON.exe
  • TBSCAN.exe
  • TC.exe
  • TCA.exe
  • TCM.exe
  • TDS2-NT.exe
  • TDS-3
  • TEEKIDS.exe
  • TFAK
  • TFAK5
  • TGBOB
  • TITANIN
  • TITANINXP
  • TRACERT
  • TRICKLER
  • TRJSCAN
  • TRJSETUP
  • TROJANTRAP3
  • TSADBOT
  • TVMD.exe
  • TVTMD.exe
  • UNDOBOOT.exe
  • UPDAT.exe
  • UPDATE.exe
  • UPGRA.exe
  • UTPOST
  • vb6.exe
  • VBCMSERV
  • VBCONS
  • VBUST
  • VBWIN9X
  • VBWINNTW
  • VCSETUP
  • VET32
  • VET95

The worm launches the following processes (the makecab commands pack the dropped copies into lure-named ZIP archives on the drive roots; the last command shuts the system down):

  • makecab C:\Setup.exe C:\Update.zip
  • makecab D:\Scree.scr D:\New.zip
  • makecab E:\Winamp.pif E:\Winamp2007.zip
  • makecab F:\sex.html.cmd F:\TutorialSex.zip
  • makecab I:\OfficeSetup.pif I:\Office2007.zip
  • makecab J:\New_IE.exe J:\InternetExplorer7.zip
  • notepad.exe ha ha ha
  • explorer.exe
  • shutdown.exe -s
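Detection logic for the process-level behaviour in the two lists above (the kill list and the launched commands), added as an example that is not part of the original description. The first function flags the makecab lure-packing shape, the forced shutdown and the notepad call in Sysmon-style process-creation records; the second reproduces the substring match against a subset of the kill list to show what it would terminate. The record field names follow Sysmon event ID 1 (Image, CommandLine, ParentImage) and the sample records are constructed; whether the worm compares case-sensitively is not stated on the page, so it is a parameter here.

```python
import re
import ntpath

# The makecab calls listed above all have one shape: a dropped file at a
# drive root is packed into a lure-named .zip at a drive root. Detect the
# shape rather than the exact file names.
MAKECAB_LURE = re.compile(
    r'^\s*"?(?:[^"\s]*\\)?makecab(?:\.exe)?"?'      # makecab, bare or full path
    r'\s+"?([A-Za-z]:\\[^\\"\s]+)"?'                  # source file at a drive root
    r'\s+"?([A-Za-z]:\\[^\\"\s]+\.zip)"?\s*$',        # .zip destination at a drive root
    re.IGNORECASE)

def triage_event(event):
    """Return the name of the matching rule for one process-creation record, or None."""
    image = ntpath.basename(event.get("Image", "")).lower()
    cmd = event.get("CommandLine", "")
    if MAKECAB_LURE.match(cmd):
        return "makecab_lure_pack"
    parts = cmd.split(None, 1)
    args = parts[1].strip() if len(parts) > 1 else ""
    if image == "shutdown.exe" and re.search(r'(?:^|\s)[-/]s(?:\s|$)', args):
        return "forced_shutdown"
    if image == "notepad.exe" and args.lower() == "ha ha ha":
        return "notepad_ha_ha_ha"
    return None

def triage_events(events):
    """Run triage_event over a list of records; returns [(rule, CommandLine)]."""
    out = []
    for ev in events:
        rule = triage_event(ev)
        if rule:
            out.append((rule, ev.get("CommandLine", "")))
    return out

# A subset of the kill list above, in the order given there.
KILL_LIST_SAMPLE = ["AVP", "MSCONFIG", "NETSTAT", "NOD32.exe", "NT", "OLLYDBG",
                    "REGEDIT.exe", "regedit.exe", "SH", "taskmgr.exe"]

def would_be_killed(process_name, kill_list=KILL_LIST_SAMPLE, case_sensitive=True):
    """Return the first kill-list entry that is a substring of process_name, else None.

    The description says a process is terminated when its name contains any
    listed string; it does not say whether the comparison is case-sensitive,
    so that is a parameter (the list holding both REGEDIT.exe and regedit.exe
    suggests it is).
    """
    name = process_name if case_sensitive else process_name.lower()
    for entry in kill_list:
        needle = entry if case_sensitive else entry.lower()
        if needle in name:
            return entry
    return None

# Constructed sample records; the worm's own copy (Java.exe) is the parent.
_W = r"C:\WINDOWS\Java.exe"
SAMPLE_EVENTS = [
    {"Image": r"C:\WINDOWS\system32\makecab.exe", "ParentImage": _W,
     "CommandLine": r"makecab C:\Setup.exe C:\Update.zip"},
    {"Image": r"C:\WINDOWS\system32\makecab.exe", "ParentImage": _W,
     "CommandLine": r"makecab J:\New_IE.exe J:\InternetExplorer7.zip"},
    {"Image": r"C:\WINDOWS\system32\makecab.exe", "ParentImage": r"C:\WINDOWS\system32\cmd.exe",
     "CommandLine": r"makecab /F C:\build\files.ddf"},        # legitimate use, no alert
    {"Image": r"C:\WINDOWS\system32\shutdown.exe", "ParentImage": _W,
     "CommandLine": r"shutdown.exe -s"},
    {"Image": r"C:\WINDOWS\notepad.exe", "ParentImage": _W,
     "CommandLine": r"notepad.exe ha ha ha"},
    {"Image": r"C:\WINDOWS\notepad.exe", "ParentImage": r"C:\WINDOWS\explorer.exe",
     "CommandLine": r"notepad.exe C:\notes.txt"},             # ordinary use, no alert
]

if __name__ == "__main__":
    for rule, cmd in triage_events(SAMPLE_EVENTS):
        print(rule, "<-", cmd)
    for proc in ["AVPM.exe", "NTBACKUP.EXE", "powershell.exe", "Regedit.exe"]:
        print(proc, would_be_killed(proc), would_be_killed(proc, case_sensitive=False))
```

The makecab rule is the one worth keeping in a real ruleset: makecab is a signed Windows binary, so the detection has to be on the argument shape (drive-root source, drive-root .zip destination) and, where a parent image is available, on the parent being an unsigned executable in %windir%. The kill-list check shows why short entries matter: with case-insensitive matching, "SH" would terminate powershell.exe and "NT" anything with those letters in its name.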

The worm may delete the following Registry entries (autorun values, several of them used by other worms, e.g. avserve.exe by Sasser and Bron-Spizaetus/Tok-Cirrhatus by Brontok):

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "Explorer" = "%filepath%"
    • "system" = "%filepath%"
    • "msgsvr32" = "%filepath%"
    • "winupd.exe" = "%filepath%"
    • "direct.exe" = "%filepath%"
    • "jijbl" = "%filepath%"
    • "service" = "%filepath%"
    • "Sentry" = "%filepath%"
    • "Bron-Spizaetus" = "%filepath%"
    • "avserve.exe" = "%filepath%"
    • "Tiny AV" = "%filepath%"
    • "avserve2.exe" = "%filepath%"
    • "napatch.exe" = "%filepath%"
    • "avserve3.exe" = "%filepath%"
    • "wserver" = "%filepath%"
    • "Shell Extension" = "%filepath%"
    • "Windows Email Server" = "%filepath%"
    • "MSN" = "%filepath%"
    • "LSA" = "%filepath%"
    • "syshelp" = "%filepath%"
    • "WinGate initialize " = "%filepath%"
    • "Module Call initialize" = "%filepath%"
    • "Wxp4" = "%filepath%"
    • "_Hazafibb" = "%filepath%"
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "Explorer" = "%filepath%"
    • "au.exe" = "%filepath%"
    • "direct.exe " = "%filepath%"
    • "d3dupdate.exe" = "%filepath%"
    • "OLE " = "%filepath%"
    • "gouday.exe " = "%filepath%"
    • "rate.exe " = "%filepath%"
    • "Taskmon " = "%filepath%"
    • "Windows Services Host " = "%filepath%"
    • "sysmon.exe" = "%filepath%"
    • "srate.exe" = "%filepath%"
    • "ssate.exe " = "%filepath%"
    • "winupd.exe" = "%filepath%"
    • "Tok-Cirrhatus" = "%filepath%"
    • "wingo" = "%filepath%"
    • "LSA" = "%filepath%"
    • "AmirCivil" = "%filepath%"
