
Trojan.Spy.Agent.NKG

MEDIUM
MEDIUM
96 KB
(I-Worm/VB.TP, Win32:VB-CMK, W32/MadCoffee.F.worm, 32.SillyWNSE, Email-Worm.Win32.VB.cb)

Symptoms

Presence of the following files:
%windir%\system32\BttnServ.exe

Presence of %windir%\svchost.exe as an active process

On removable storages:
Presence of the following files:
\NewFolder.exe with a folder icon

Removal instructions:

Kill the process %windir%\svchost.exe

Delete the file %windir%\system32\BttnServ.exe and any files that the virus created on your removable media

Remove the registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CPQEASYBTTN

Please let BitDefender disinfect your files.

Analyzed By

Tudor Bura, virus researcher

Technical Description:

This trojan is received as a 98304-byte file, written in Visual Basic, with a folder icon so that the user is tempted to execute it.
Upon execution, the worm file copies itself to the following locations:
%windir%\svchost.exe
%windir%\system32\BttnServ.exe

Both files are set to hidden.

Next, the trojan executes the file %windir%\svchost.exe and sets the registry value HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\(Default) to %windir%\svchost.exe.

The originally received file then terminates its own process.

Once running, %windir%\svchost.exe remains active in memory and deletes itself from the hard disk.

The trojan uses an invisible window, so it runs in the background without any visible user interface.

It ensures that it will be run again after the next reboot by setting the value HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CPQEASYBTTN to %windir%\system32\BttnServ.exe.

While running, the trojan reads the contents of every text box in every Internet Explorer window and stores them. The read is repeated every 500 ms. The trojan sends the collected information using MAPI (the Windows messaging application interface).

The messages are sent to http://mail.madcoffee.com/index.php with the user OperationDefecha@yahoo.com
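The following is an added example, not BitDefender tooling or part of the original entry. It encodes the indicators from the Symptoms and Technical Description sections (the dropped files, the svchost.exe running from %windir% rather than %windir%\system32, the two Run values, and NewFolder.exe copies on removable media) and evaluates them against an inventory of a host, then maps any hits to the removal steps listed above. It assumes %windir% expands to C:\Windows; the host inventories are constructed for illustration, and on a real system you would populate them from a file listing, the process table and the Run key.

```python
import ntpath

# Assumption: the default Windows directory. Adjust for non-default installs.
WINDIR = r"C:\Windows"

# Files the trojan drops, as given in the technical description.
DROPPED_FILES = (r"%windir%\svchost.exe", r"%windir%\system32\BttnServ.exe")
# Name of the copy written to removable media (shown with a folder icon).
REMOVABLE_NAME = "NewFolder.exe"
# Run key and the values the trojan sets, with the payload each points at.
# "(Default)" is the entry's notation for the key's default value.
RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUES = {
    "CPQEASYBTTN": r"%windir%\system32\BttnServ.exe",
    "(Default)": r"%windir%\svchost.exe",
}


def norm(path: str) -> str:
    """Expand %windir% and normalise for case-insensitive path comparison."""
    return ntpath.normpath(path.replace("%windir%", WINDIR)).lower()


def check_host(files, processes, run_values, removable_files):
    """Return (indicator, detail) pairs that match this host.

    files           - file paths present on the system drive
    processes       - image paths of running processes
    run_values      - dict of value name -> data read from RUN_KEY
    removable_files - file paths found on removable drives
    """
    findings = []

    present = {norm(p) for p in files}
    for dropped in DROPPED_FILES:
        if norm(dropped) in present:
            findings.append(("dropped_file", dropped))

    # The legitimate Service Host is %windir%\system32\svchost.exe; only an
    # image path of %windir%\svchost.exe itself is the indicator.
    for image in processes:
        if norm(image) == norm(r"%windir%\svchost.exe"):
            findings.append(("process", image))

    for name, data in run_values.items():
        expected = RUN_VALUES.get(name)
        if expected is not None and norm(data) == norm(expected):
            findings.append(("run_key", f"{RUN_KEY}\\{name}"))

    for path in removable_files:
        if ntpath.basename(path).lower() == REMOVABLE_NAME.lower():
            findings.append(("removable_copy", path))

    return findings


def removal_plan(findings):
    """Map findings to the removal steps from the entry, in the order given."""
    kinds = {kind for kind, _ in findings}
    steps = []
    if "process" in kinds:
        steps.append(r"Kill the process %windir%\svchost.exe")
    if "dropped_file" in kinds or "removable_copy" in kinds:
        steps.append(r"Delete %windir%\system32\BttnServ.exe and any "
                     r"NewFolder.exe copies on removable media")
    if "run_key" in kinds:
        steps.append(f"Remove {RUN_KEY}\\CPQEASYBTTN")
    return steps


# Constructed inventories for illustration (not captured from a real host).
# On the infected host %windir%\svchost.exe is absent from disk because the
# trojan deletes that copy after launch, but its process is still running.
INFECTED_HOST = {
    "files": [r"C:\Windows\System32\BttnServ.exe",
              r"C:\Windows\System32\svchost.exe"],
    "processes": [r"C:\Windows\System32\svchost.exe",
                  r"C:\Windows\svchost.exe"],
    "run_values": {"CPQEASYBTTN": r"C:\Windows\system32\BttnServ.exe",
                   "(Default)": r"C:\Windows\svchost.exe"},
    "removable_files": [r"E:\NewFolder.exe", r"E:\holiday\NewFolder.exe"],
}
CLEAN_HOST = {
    "files": [r"C:\Windows\System32\svchost.exe"],
    "processes": [r"C:\Windows\System32\svchost.exe"],
    "run_values": {"SecurityHealth": r"C:\Windows\system32\SecurityHealthSystray.exe"},
    "removable_files": [],
}

if __name__ == "__main__":
    for label, host in (("infected", INFECTED_HOST), ("clean", CLEAN_HOST)):
        hits = check_host(**host)
        print(f"{label}: {len(hits)} indicator(s)")
        for kind, detail in hits:
            print(f"  {kind}: {detail}")
        for step in removal_plan(hits):
            print(f"  -> {step}")
```

The process check deliberately compares full image paths rather than the bare name svchost.exe, since the legitimate Service Host always runs from %windir%\system32 and a name-only match would flag every healthy instance.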