Win32/Spy.BZub [Threat Name]

Win32/Spy.BZub.NAC [Threat Variant Name]

Category trojan
Size 80600 B
Detection created Aug 15, 2006
Detection database version 1707
Aliases (Kaspersky)
  Spy-Agent.ak (McAfee)
  Infostealer.Bzup (Symantec)
Short description

Win32/Spy.BZub.NAC is a trojan that steals passwords and other sensitive information.


The following file is dropped into the %system% folder:

  • agent_dq.dll

It is a Browser Helper Object for Internet Explorer.

Size of the file is 60928 B.

The following Registry entries are set:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{73364D99-1240-4dff-B11A-67E448373048}]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73364D99-1240-4dff-B11A-67E448373048}\InprocServer32]
    • (Default) = "%system%\ipv6mons.dll"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73364D99-1240-4dff-B11A-67E448373048}\InprocServer32]
    • "ThreadingModel" = "apartment"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73364D99-1240-4dff-B11A-67E448373048}\InprocServer32]
    • "Enable Browser Extensions" = "yes"
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    • "C:\Program Files\Internet Explorer\IEXPLORE.EXE" = "C:\Program Files\Internet Explorer\IEXPLORE.EXE:*:Enabled:Internet Explorer"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\loadnet_insll]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\load\worg]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\load\cmpid]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\load\forwas]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\load\h]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\load\nw]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\load\wspopp]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\browser helper obJects\{73364D99-1240-4dff-B11A-67E448373048}]
Information stealing

The trojan collects various information when Internet Explorer is being used to access the following sites:

  • app/
  • app/
  • https://*
  • https://signin.ebay*/ws/eBayISAPI.dll

Some information is found in local files too.

The following information is collected:

  • passwords
  • URLs visited
  • HTML forms content
  • computer name
  • computer IP address
  • Outlook Express account data
  • digital certificates

The data is saved in the %system% folder in the following files:

  • form.txt
  • info.txt
  • shot.html

The trojan can send the information to a remote machine.

The FTP protocol is used.

Other information

The trojan may attempt to delete all files on the C: drive and various program files.
