Threat Description

Email-Worm:​W32/Agent.EV

Details

Aliases:Email-Worm:​W32/Agent.EV
Category:Malware
Type:Email-Worm
Platform:W32

Summary



Email-Worm.Win32.Agent.ev arrives on systems as an e-mail attachment and attempts to download additional components onto the system if executed.



Removal


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More

You may wish to refer to the Support Community for further assistance. You also may also refer to General Removal Instructions for a general guide on alternative disinfection actions.



Technical Details



Email-Worm:W32/Agent.EV spreads as an attachment in spam e-mail with attention grabbing lines in the subject field.

The following e-mail subjects have been observed:

  • Hot News
  • Hot Pictures
  • Paris Hilton
  • Something Hot

The attachment is named Saver.zip.

When the malware is extracted and executed, it will drop the following components:

  • %Windir%\System32\WinNt32.dll
  • %Windir%\System32\WinData.cab\
  • %Windir%\System32\drivers\[name].sys

%Windir% is the Windows directory. This is usually C:\Windows.[name] is a random filename. Observed examples are Mvd37.sys and Irv31.sys. The contents of the files are the same.WinData.cab is a copy of WinNt32.dll.

All of the dropped components are detected asTrojan-Downloader:W32/Agent.NSL.

The following registry entries are created to load WinNt32.dll on every system startup:

  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WinNt32DLLName = WinNt32.dllStartShell = WLEventStartShellImpersonate = 00000000Asynchronous = 00000000ID = 0000003C

The following registry entries are created to start the [name].sys file as a service:

  • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\[name].sys (default) = Driver
  • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\[name].sys (default) = Driver
  • HKLM\SYSTEM\CurrentControlSet\Services\[name]Type = 00000001Start = 00000003ErrorControl = 00000000ImagePath = System32\drivers\[name].sys

Similar changes are made in HKLM\SYSTEM\ControlSet001\Services\[name] and HKLM\SYSTEM\ControlSet002\Services\[name].

The Trojan-Downloader:W32/Agent.NSL DLL component will then attempt to connect to one of the following addresses:

  • 66.232.113.80
  • 208.66.195.15

Other slightly modified variants may attempt to connect to different addresses.






SUBMIT A SAMPLE

Suspect a file or URL was wrongly detected? Submit a sample to our Labs for analysis

Submit Now

Give And Get Advice

Give advice. Get advice. Share the knowledge on our free discussion forum.

Learn More