Select local site

| Japanese | Simplified Chinese | Traditional Chinese (Hong Kong) | Traditional Chinese (Taiwan)

F-Secure Malware Information Pages: Email-Worm:W32/Agent.EV
[Summary] | [Detailed Description]

Name : Email-Worm:W32/Agent.EV
Alias:Email-Worm.Win32.Agent.ev
Size:33792
Type:Email-Worm
Category:Malware
Platform:W32
Radar

Summary
Email-Worm.Win32.Agent.ev arrives on systems as an e-mail attachment and attempts to download additional components onto the system if executed.
Back to the Top

Detailed Description
Email-Worm:W32/Agent.EV spreads as an attachment in spam e-mail with attention grabbing lines in the subject field.

The following e-mail subjects have been observed:

  • Hot News
  • Hot Pictures
  • Paris Hilton
  • Something Hot

The attachment is named Saver.zip.

When the malware is extracted and executed, it will drop the following components:

  • %Windir%\System32\WinNt32.dll
  • %Windir%\System32\WinData.cab\
  • %Windir%\System32\drivers\[name].sys

%Windir% is the Windows directory. This is usually C:\Windows.
[name] is a random filename. Observed examples are Mvd37.sys and Irv31.sys. The contents of the files are the same.
WinData.cab is a copy of WinNt32.dll.

All of the dropped components are detected as
Trojan-Downloader:W32/Agent.NSL.

The following registry entries are created to load WinNt32.dll on every system startup:

  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WinNt32
    DLLName = WinNt32.dll
    StartShell = WLEventStartShell
    Impersonate = 00000000
    Asynchronous = 00000000
    ID = 0000003C

The following registry entries are created to start the [name].sys file as a service:

  • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\[name].sys (default) = Driver
  • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\[name].sys (default) = Driver
  • HKLM\SYSTEM\CurrentControlSet\Services\[name]
    Type = 00000001
    Start = 00000003
    ErrorControl = 00000000
    ImagePath = System32\drivers\[name].sys

Similar changes are made in HKLM\SYSTEM\ControlSet001\Services\[name] and HKLM\SYSTEM\ControlSet002\Services\[name].

The Trojan-Downloader:W32/Agent.NSL DLL component will then attempt to connect to one of the following addresses:

  • 66.232.113.80
  • 208.66.195.15

Other slightly modified variants may attempt to connect to different addresses.
Back to the Top



F-Secure Corporation

Last Modified: April 28, 2008