Win32/Agent.NEQ [Threat Name]

Win32/Agent.NEQ [Threat Variant Name]

Category: trojan, virus, worm
Size: 43008 B
Aliases: Trojan-Dropper.Win32.Agent.eet (Kaspersky)
         Trojan.Danmec (Symantec)
         Proxy-Agent.af.trojan (McAfee)
Short description

Win32/Agent.NEQ is a trojan that is used for spam distribution. The file is run-time compressed using UPX.

Installation

When executed, the trojan drops the following file into the %system% folder:

  • aspimgr.exe (69632 B)

The trojan registers itself as a system service using the following name:

  • Microsoft ASPI Manager

The following Registry entries are created:

  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ASPIMGR\0000\Control]
    • "NewlyCreated" = 0
    • "ActiveService" = "aspimgr"
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ASPIMGR\0000]
    • "Service" = "aspimgr"
    • "Legacy" = 1
    • "ConfigFlags" = 0
    • "Class" = "LegacyDriver"
    • "DeviceDesc" = "Microsoft ASPI Manager"
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ASPIMGR]
    • "NextInstance" = 1
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aspimgr\Enum]
    • "0" = "Root\LEGACY_ASPIMGR\0000"
    • "Count" = 1
    • "NextInstance" = 1
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aspimgr]
    • "Type" = 16
    • "Start" = 2
    • "ErrorControl" = 1
    • "ImagePath" = "%system%\aspimgr.exe"
    • "DisplayName" = "Microsoft ASPI Manager"
    • "ObjectName" = "LocalSystem"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Sft]

Spam distribution

Win32/Agent.NEQ is a trojan that is used for spam distribution.

The trojan acquires data and commands from a remote computer or the Internet.

The trojan gathers e-mail addresses from all local files.

Addresses containing the following strings are avoided:

  • .dll
  • .hlp
  • abuse
  • accoun
  • admin
  • anyone
  • apache.org
  • arachnoid
  • bsd
  • bugs
  • -bugs
  • ca.com
  • caube
  • cauce
  • cauce.org
  • certific
  • -certs
  • ci.el-paso.tx.us
  • cloudmark.com
  • digsigtrust
  • e-trust
  • example
  • fraud
  • gold-certs
  • google
  • help
  • ht.ht
  • icrosof
  • linux
  • listserv
  • mailwasher
  • majordomo
  • me
  • messagelabs
  • mydomai
  • nobody
  • nodomai
  • noone
  • not
  • nothing
  • page
  • paulgraham.com
  • phishing
  • postmaster
  • privacy
  • rating
  • root
  • rx.t-online
  • samples
  • secur
  • service
  • site
  • soft
  • somebody
  • someone
  • spam
  • spm
  • submit
  • support
  • symantec
  • thawte
  • the.bat
  • unix
  • valicert
  • verisign
  • verisign.com
  • webmaster
  • webroot.com
  • www
  • you
  • your

Other information

The trojan opens TCP port 80.

The trojan creates the following files:

  • %windir%\ws386.ini
  • %windir%\s32.txt
  • %windir%\g32.txt
  • %windir%\gs32.txt
  • %windir%\db32.txt
  • %windir%\lg32.txt
  • %temp%\%variable%.tmp
  • %temp%\_check32.bat

%variable% represents random text.


The trojan contains a list of (5) URLs.
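The following PowerShell host check is an added example and is not ESET's code or part of this description. It looks for the service, registry keys, dropped files and TCP port 80 listener listed above and reports what it finds without changing anything. It assumes that %system% maps to $env:SystemRoot\System32, %windir% to $env:SystemRoot and %temp% to $env:TEMP, and it should be run in an elevated session so the service registry key and files under %system% are readable.

```powershell
# Added host check for the Win32/Agent.NEQ indicators listed in this description.
# Not ESET's code. Assumptions: %system% = $env:SystemRoot\System32,
# %windir% = $env:SystemRoot, %temp% = $env:TEMP. Read-only: it reports only.

$serviceName = 'aspimgr'
$displayName = 'Microsoft ASPI Manager'

$registryKeys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Services\aspimgr',
    'HKLM:\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ASPIMGR',
    'HKLM:\SOFTWARE\Microsoft\Sft'
)

$droppedFiles = @(
    (Join-Path $env:SystemRoot 'System32\aspimgr.exe'),
    (Join-Path $env:SystemRoot 'ws386.ini'),
    (Join-Path $env:SystemRoot 's32.txt'),
    (Join-Path $env:SystemRoot 'g32.txt'),
    (Join-Path $env:SystemRoot 'gs32.txt'),
    (Join-Path $env:SystemRoot 'db32.txt'),
    (Join-Path $env:SystemRoot 'lg32.txt'),
    (Join-Path $env:TEMP '_check32.bat')
)

$findings = New-Object System.Collections.Generic.List[string]

# 1. Service registered under the short name or the display name from the description.
$wql = "Name='$serviceName' OR DisplayName='$displayName'"
foreach ($svc in (Get-CimInstance -ClassName Win32_Service -Filter $wql)) {
    $findings.Add("Service: Name=$($svc.Name) DisplayName='$($svc.DisplayName)' " +
                  "State=$($svc.State) StartMode=$($svc.StartMode) Path=$($svc.PathName)")
}

# 2. Registry keys the installer creates. For the service key also show how the
#    service is configured (Start=2 is automatic start, ObjectName is the account).
foreach ($key in $registryKeys) {
    if (Test-Path -LiteralPath $key) {
        $findings.Add("Registry key present: $key")
        if ($key -like '*\Services\aspimgr') {
            $props = Get-ItemProperty -LiteralPath $key
            $findings.Add("  ImagePath='$($props.ImagePath)' Start=$($props.Start) " +
                          "Type=$($props.Type) ObjectName='$($props.ObjectName)'")
        }
    }
}

# 3. Dropped and created files, with size and SHA-256 so a copy can be compared
#    with the 69632 B aspimgr.exe named in the description or submitted for analysis.
foreach ($file in $droppedFiles) {
    if (Test-Path -LiteralPath $file -PathType Leaf) {
        $hash = (Get-FileHash -LiteralPath $file -Algorithm SHA256).Hash
        $size = (Get-Item -LiteralPath $file).Length
        $findings.Add("File present: $file ($size B, SHA256 $hash)")
    }
}

# 4. %temp%\%variable%.tmp has a random name and cannot be matched by path, so the
#    most recently written .tmp files in %temp% are listed for manual review only.
$recentTmp = Get-ChildItem -LiteralPath $env:TEMP -Filter '*.tmp' -File -ErrorAction SilentlyContinue |
    Sort-Object LastWriteTime -Descending | Select-Object -First 10

# 5. The trojan opens TCP port 80; flag a listener on that port only when the owning
#    process is aspimgr, so a legitimate web server on the host is not reported.
foreach ($conn in (Get-NetTCPConnection -LocalPort 80 -State Listen -ErrorAction SilentlyContinue)) {
    $proc = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
    if ($proc -and $proc.ProcessName -eq $serviceName) {
        $findings.Add("TCP 80 listener owned by $($proc.ProcessName) (PID $($proc.Id)) on $($conn.LocalAddress)")
    }
}

if ($findings.Count -eq 0) {
    Write-Output "No Win32/Agent.NEQ indicators from this description were found."
} else {
    Write-Output "Indicators found ($($findings.Count)):"
    $findings | ForEach-Object { Write-Output "  $_" }
}

if ($recentTmp) {
    Write-Output "Recent .tmp files in $env:TEMP (review manually; %variable%.tmp has a random name):"
    $recentTmp | ForEach-Object { Write-Output "  $($_.FullName) ($($_.Length) B, $($_.LastWriteTime))" }
}
```

A hit on the service name, the Services\aspimgr key or aspimgr.exe together is strong evidence; a lone .tmp file or a port 80 listener is not, which is why the script lists the former as findings and the latter for review only. The five URLs the trojan carries are not given in the description, so the script does not try to match network destinations.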
