Virus: ADSPY/Agent.AP.7
Date discovered: 26/02/2007
Type: Trojan
In the wild: No
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Low to medium
Static file: Yes
File size: 88.340 Bytes
MD5 checksum: fc2936e5c2c1bcfcaaf40c8a7f2f69b9
VDF version: 6.37.01.155
IVDF version: 6.37.01.162 - Monday, February 26, 2007

General
Method of propagation:
   • No spreading routine of its own


Aliases:
   •  Kaspersky: AdWare.Win32.Agent.at
   •  TrendMicro: TROJ_AGENT.GZU
   •  VirusBuster: Adware.Agent.AT
   •  Eset: Win32/Adware.Toolbar.SearchColours
   •  Bitdefender: Trojan.Agent.ACL


Platforms / OS:
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Drops a malicious file
   • Registry modification

Files
The following file is created:

%PROGRAM FILES%\VSAdd-in\VSAdd-in.dll

Further investigation showed that this file is malware, too. Detected as: TR/Agent.ACL

Registry
The following registry keys are added:

– [HKCR\CLSID\{74DD705D-6834-439C-A735-A6DBE2677452}]
   • @="&VSAdd-in"

– [HKCR\CLSID\{74DD705D-6834-439C-A735-A6DBE2677452}\InProcServer32]
   • @="%PROGRAM FILES%\VSAdd-in\VSAdd-in.dll"
   • "ThreadingModel"="Apartment"

– [HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
   • "{74DD705D-6834-439C-A735-A6DBE2677452}"=hex:00

– [HKCR\CLSID\{46A4E9D9-B30E-452A-8157-DBBEC8573B03}]
– [HKCR\CLSID\{46A4E9D9-B30E-452A-8157-DBBEC8573B03}\InProcServer32]
   • @="%PROGRAM FILES%\VSAdd-in\VSAdd-in.dll"
   • "ThreadingModel"="Apartment"

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{74DD705D-6834-439C-A735-A6DBE2677452}]
   • "DisplayName"="VSAdd-in for Internet Explorer"
   • "UninstallString"="regsvr32.exe /u /s \"%PROGRAM FILES%\VSAdd-in\VSAdd-in.dll\""

– [HKCU\Software\Search Toolbar Corp]
– [HKCU\Software\Search Toolbar Corp\Toolbar Vision]
– [HKCU\Software\Search Toolbar Corp\Toolbar Vision\Options]
   • "New Window"=dword:00000000
   • "Show Page Search"=dword:00000001
   • "Sort Method"=dword:00000002
   • "Default Action"=dword:00000002

Backdoor
Contact server:
The following:
   • http://123topsearch.com/**********

It may send some information to this server. This is done via an HTTP GET request to a PHP script.

File details
Runtime packer:
To hinder detection and reduce the file size, it is packed with the following runtime packer:
   • PE Pack

Description inserted by Adriana Popa on Thursday, March 1, 2007
Description updated by Adriana Popa on Thursday, March 1, 2007
