Virus: TR/Spy.ProAg.21.3.A
Date discovered: 19/09/2005
Type: Trojan
In the wild: No
Reported infections: Low
Distribution potential: Low
Damage potential: Medium
Static file: Yes
File size: 246,349 bytes
MD5 checksum: 85fa8947452cfcc3da30d54f888fbf10
VDF version: 6.32.00.16

General
Method of propagation:
• No own spreading routine

Aliases:
• Kaspersky: Trojan-Spy.Win32.ProAgent.21
• Sophos: Troj/Progent-P
• Grisoft: PSW.Agent.NR
• VirusBuster: trojan TrojanSpy.ProAgent.I
• Bitdefender: Trojan.Spy.Proagent.21

Platforms / OS:
• Windows 95
• Windows 98
• Windows 98 SE
• Windows NT
• Windows ME
• Windows 2000
• Windows XP
• Windows 2003

Side effects:
• Disables security applications
• Drops files
• Drops malicious files
• Uses its own email engine
• Lowers security settings
• Records keystrokes
• Modifies the registry
• Steals information

Right after execution the following information is displayed:

Files
It copies itself to the following location:
• %WINDIR%\qservice.exe

It overwrites the following file:
– %SYSDIR%\drivers\symredrv.sys
with the following contents:
• No more Mail Scanning =) Powered by ProAgent
Note that symredrv.sys is the name of a legitimate Symantec driver, so the presence of the file is not an indicator by itself; the text above in its content is.

The following files are created:
– Non-malicious file:
• %TEMPDIR%\htmpl.htm
– Temporary files that might be deleted afterwards:
• %SYSDIR%\agnt_mps.exe
• %SYSDIR%\agnt_fps.exe
• %SYSDIR%\agnt_msn.exe
• %SYSDIR%\agnt_pnc.exe
• %SYSDIR%\agnt_mps.dat
• %SYSDIR%\agnt_fps.dat
• %SYSDIR%\agnt_msn.dat
• %SYSDIR%\_pnc.dat
– %SYSDIR%\drivers\KeenSense.sys
This is a non-malicious text file with the following content:
• Hi criminal =)
– %SYSDIR%\drivers\ksdevice.sys
This is a non-malicious text file with the following content:
• Hi criminal =)
– %WINDIR%\kurlmon.dll
It is executed once it has been fully written. Further investigation showed that this file is malware too. Detected as: TR/Spy.ProAgent.21.1
– %WINDIR%\services.dll
It is executed once it has been fully written. Further investigation showed that this file is malware too. Detected as: TR/Spy.ProAgent.21.2
– %SYSDIR%\HookApi.dll
It is executed once it has been fully written. Further investigation showed that this file is malware too. Detected as: TR/Spy.ProAgent.21
– %WINDIR%\k_urlmon.dll
This file contains the collected keystrokes.

Registry
The following registry value is rewritten continuously in a loop so that the process runs again after reboot; deleting the value while the trojan is running therefore has no lasting effect:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
• "qservices"="%WINDIR%\qservice.exe"

The following registry values are added:
– [HKCU\Software\Microsoft\Windows]
• "qservices" = "qservices"
• "pVer" = dword:%hex number%
• "pPid" = dword:%hex number%

Email
It does not have its own spreading routine, but it is able to send an email. The recipient is most likely the author. The characteristics are described below:
From: the sender of the email is:
• "ProAgent v2.1.0" <ProAgent@Yahoo.com>
To: the recipient of the email is:
• maturpejos@yahoo.com
Subject:
• %computer name% is Online
Body:
• %stolen information%

Process termination
List of services that are disabled:
• Norton AntiVirus Auto-Protect Service
• Kaspersky AntiVirus
• McAfee Shield
• System Restore Service

Stealing
It tries to steal the following information:
– Windows Product ID
– Passwords typed into password input fields
– Email account information obtained from the registry key: HKCU\Software\Microsoft\Internet Account Manager\Accounts
– The following CD keys:
• Battlefield 1942; Battlefield 1942 (Road To Rome); Battlefield 1942 (Secret Weapons of WWII); Battlefield Vietnam; Black and White; Call Of Duty; Command & Conquer Generals; Command and Conquer: Generals (Zero Hour); Command and Conquer: Red Alert 2; Command and Conquer: Tiberian Sun; Counter-Strike (Retail); Chrome; FarCry; FIFA 2002; FIFA 2003; FIFA 2004; FIFA 2005; Freedom Force; Global Operations; Gunman Chronicles; Half-Life; Hidden & Dangerous 2; IGI 2: Covert Strike; Industry Giant 2; James Bond 007: Nightfire; Legends of Might and Magic; Medal of Honor: Allied Assault; Medal of Honor: Allied Assault: Breakthrough; Medal of Honor: Allied Assault: Spearhead; Nascar Racing 2002; Nascar Racing 2003; Nascar Racing 2004; Nascar Racing 2005; Need For Speed: Underground; Need For Speed: Hot Pursuit 2; NBA Live 2003; NBA Live 2004; NBA Live 2005; NHL 2003; NHL 2004; NHL 2005; NHL 2002; NOX; NOX2; Quake III Arena; Rainbow Six III RavenShield; Shogun: Total War: Warlord Edition; Soldiers Of Anarchy; The Gladiators; The Sims; The Sims Deluxe; The Sims Hot Date; The Sims House Party; The Sims Livin' Large; The Sims Superstar; The Sims Unleashed; The Sims Vacation; Unreal Tournament 2003; Unreal Tournament 2004; Unreal Tournament 2005; GetBackData NTFS
– Passwords from the following programs:
• Cute FTP
• Flash FXP
• WS_FTP
• Filezilla
• Peer FTP
• Exeem
• Sendlink
• Chat Anywhere
• FTP Now
• Deluxe FTP
• Morpheus
• Bitcomet
• Firefly
• MSN Messenger
• Windows Messenger
• Yahoo Messenger
• ICQ
• AOL Instant Messenger
• Trillian
• Miranda
• GAIM
• Outlook Express
• Microsoft Outlook
• IncrediMail
• Eudora
• Netscape
• Mozilla Thunderbird
• Group Mail Free
• Yahoo! Mail
• Hotmail/MSN
• Gmail
– It captures:
• Keystrokes
• Window information

Injection
– It injects the following file into a process: kurlmon.dll
Process name:
• explorer.exe
– It injects the following file into a process: HookApi.dll
Process name:
• explorer.exe
– It injects the following file into a process: services.dll
Process name:
• iexplore.exe

Miscellaneous
Internet connection:
To check for an internet connection it contacts the following DNS servers:
• ege.edu.tr
• ankara.edu.tr
It also checks for an internet connection by contacting the following web site:
• www.aol.com
String:
It contains the following string:
• [ProAgent Trojan Horse -- Coded by SIS-Team - Made in Turkey]

Rootkit technology
The malware hides its presence from system utilities, security applications and, in the end, from the user.
It hides the following:
– Its own files
– Its own processes
– Its own registry keys
– The following file:
• msehk.dll
– Files whose name contains the substring:
• wins32

File details
Programming language:
The malware was written in MS Visual C++.
Runtime packer:
To hamper detection and reduce the file size it is packed with the following runtime packer:
• UPX
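The indicators above can be checked mechanically. The following is an added example and not part of the Avira description or the trojan's code: a small Python matcher that takes a host snapshot (file paths with their first bytes as returned by the Win32 API, a second file listing taken from the raw volume, the HKCU Run values and any outbound mail From: headers) and reports which ProAgent indicators are present. The HostSnapshot layout, the field names and the sample data in demo() are constructed for this example; the cross-view comparison of the API listing against the raw-volume listing is the standard way to surface files that a user-mode rootkit of this kind hides, and is an assumption about how the snapshot was collected, not something the description states.

```python
"""IOC matcher for the ProAgent indicators in the description above.

Added example, not code from the Avira page or from the malware. The
HostSnapshot shape and the sample data in demo() are constructed.
"""
from dataclasses import dataclass

# Indicators transcribed from the description. %WINDIR% and %SYSDIR% are the
# page's placeholders and are expanded per host in expand().
DROPPED_FILES = [
    r"%WINDIR%\qservice.exe",
    r"%WINDIR%\kurlmon.dll",
    r"%WINDIR%\services.dll",
    r"%SYSDIR%\HookApi.dll",
    r"%WINDIR%\k_urlmon.dll",
    r"%SYSDIR%\drivers\KeenSense.sys",
    r"%SYSDIR%\drivers\ksdevice.sys",
]
# symredrv.sys is a legitimate Symantec driver name; the trojan overwrites it
# with this text, so the indicator is the content, not the file's existence.
OVERWRITTEN_DRIVER = r"%SYSDIR%\drivers\symredrv.sys"
OVERWRITE_MARKER = "No more Mail Scanning =) Powered by ProAgent"
RUN_VALUE = "qservices"            # under HKCU\...\CurrentVersion\Run
MAIL_FROM = "ProAgent@Yahoo.com"   # sender of the exfiltration mail
HIDDEN_NAME_SUBSTRING = "wins32"   # the rootkit hides names containing this


@dataclass
class HostSnapshot:
    windir: str
    sysdir: str
    live_files: dict          # path -> first bytes, as enumerated via the Win32 API
    raw_files: set            # paths enumerated from the raw volume / parsed MFT
    run_values: dict          # HKCU\...\Run value name -> data
    mail_from_headers: list   # From: addresses seen on outbound SMTP


def expand(path: str, snap: HostSnapshot) -> str:
    """Expand the page's placeholders and lower-case for comparison."""
    return path.replace("%WINDIR%", snap.windir).replace("%SYSDIR%", snap.sysdir).lower()


def scan(snap: HostSnapshot) -> list[str]:
    """Return one finding per indicator present in the snapshot."""
    hits = []
    live = {p.lower(): c for p, c in snap.live_files.items()}
    raw = {p.lower() for p in snap.raw_files}
    dropped = {expand(i, snap): i for i in DROPPED_FILES}

    for full, ioc in dropped.items():
        if full in live or full in raw:
            hits.append(f"file: {ioc}")

    # Content check, not presence check, for the overwritten Symantec driver.
    if OVERWRITE_MARKER.encode() in live.get(expand(OVERWRITTEN_DRIVER, snap), b""):
        hits.append(f"overwritten driver: {OVERWRITTEN_DRIVER}")

    data = snap.run_values.get(RUN_VALUE)
    if data and data.lower() == expand(r"%WINDIR%\qservice.exe", snap):
        hits.append(f"run key: {RUN_VALUE} -> {data}")

    for sender in snap.mail_from_headers:
        if MAIL_FROM.lower() in sender.lower():
            hits.append(f"exfil mail sender: {sender}")

    # Cross-view check: a path the raw volume contains but the API listing
    # omits is being hidden. Flag it when it is one of the dropped files or
    # matches the "wins32" hide pattern from the description.
    for path in sorted(raw - set(live)):
        if HIDDEN_NAME_SUBSTRING in path or path in dropped:
            hits.append(f"hidden from API: {path}")
    return hits


def demo() -> list[str]:
    """Constructed sample snapshot (not real data) with several indicators set."""
    snap = HostSnapshot(
        windir=r"C:\WINDOWS",
        sysdir=r"C:\WINDOWS\system32",
        live_files={
            r"C:\WINDOWS\system32\drivers\symredrv.sys": b"No more Mail Scanning =) Powered by ProAgent",
            r"C:\WINDOWS\notepad.exe": b"MZ\x90\x00",
        },
        raw_files={
            r"C:\WINDOWS\system32\drivers\symredrv.sys",
            r"C:\WINDOWS\notepad.exe",
            r"C:\WINDOWS\qservice.exe",             # on disk but hidden from the API
            r"C:\WINDOWS\system32\wins32upd.dll",   # constructed name matching the hide pattern
        },
        run_values={"qservices": r"C:\WINDOWS\qservice.exe"},
        mail_from_headers=['"ProAgent v2.1.0" <ProAgent@Yahoo.com>'],
    )
    return scan(snap)


if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

The sample snapshot deliberately omits qservice.exe from the API view and keeps it in the raw view, so the run matches it twice: once as a known dropped file and once as a file hidden from the API. On a real host the two listings would come from a directory walk and from an offline image or MFT parser respectively; a clean host yields an empty list.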
Description inserted by Daniel Constantin on Tuesday, April 11, 2006 Description updated by Daniel Constantin on Wednesday, April 12, 2006