Threat Encyclopedia


Short description
Win32/Agent.ECD installs a backdoor that can be controlled remotely. The backdoor sends links to MSN users. The file is run-time compressed using Armadillo.
Installation
When executed, the backdoor copies itself into the %system% folder using the following name:
  • NTSpool.exe
In order to be executed on every system start, the backdoor sets the following Registry entry:
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
    Policies\Explorer\Run]
    "NTSpool" = "NTSpool.exe"
The following Registry entries are set:
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RFC1156Agent\
    CurrentVersion\Parameters]
    "TrapPollTimeMilliSecs" = 15000
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Licenses]
    {K7C0DB872A3F777C0}
    {I29A5EA887C231048}
The backdoor creates and runs a new thread with its own program code within the following processes:
  • svchost.exe
Spreading via IM networks
The backdoor sends links to MSN users.

The messages may contain any of the following texts:
  • WoW? is that really you... what the hell where you drinking :D
  • LOL, you look so ugly in this picture, no joke...
  • Should I put this on facebook/myspace?
  • Hey m8, who is this on the right, in this picture...
  • Sup, seen the pictures from the other night?
The attachment is an archive file containing an executable.
Other information
The backdoor quits immediately if it detects a window containing one of the following strings in its title:
  • SmartSniff
  • (Untitled) - Etheral
  • The Wireshark Network Analyzer
  • Packetyzer - [Capture Session]
  • Sniffem Win32
The backdoor receives data and commands from a remote computer or the Internet. It can be controlled remotely.

It communicates with the following server using the IRC protocol:
  • sendtoother.whyI.org (TCP port 2002)
It can execute the following operations:
  • download files from a remote computer and/or the Internet
  • terminate running processes
  • retrieve information from protected storage and send it to a
    remote computer
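As an added triage example (not part of this entry and not the vendor's code; the .reg export and connection-log lines below are constructed samples), the following Python checks a registry export for the Policies\Explorer\Run persistence entry and the Licenses values listed above, and scans outbound-connection log lines for the named IRC server and port:

```python
import re
# Indicators quoted from the entry above (registry key/values, C2 host and port).
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
RUN_VALUE_NAME, RUN_VALUE_DATA = "NTSpool", "NTSpool.exe"
LICENSE_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Licenses"
LICENSE_VALUES = {"{K7C0DB872A3F777C0}", "{I29A5EA887C231048}"}
C2_HOST, C2_PORT = "sendtoother.whyI.org", 2002

def parse_reg_export(text):
    """Parse the subset of .reg syntax needed here: [key] headers then "name"=data lines -> {key: {name: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            keys[current][name.strip().strip('"')] = data.strip().strip('"')
    return keys

def find_persistence(reg_text):
    """Return the persistence indicators from the entry that appear in a registry export."""
    keys, hits = parse_reg_export(reg_text), []
    run_data = keys.get(RUN_KEY, {}).get(RUN_VALUE_NAME, "")
    if run_data.lower().endswith(RUN_VALUE_DATA.lower()):  # also matches a full path to the file
        hits.append(f"explorer-policies-run:{RUN_VALUE_NAME}")
    for name in sorted(LICENSE_VALUES & set(keys.get(LICENSE_KEY, {}))):
        hits.append(f"licenses:{name}")
    return hits

def find_c2_connections(log_lines):
    """Flag log lines ending in 'host:port' (constructed format) that reach the IRC server on its port."""
    flagged = []
    for line in log_lines:
        m = re.search(r"\s(\S+):(\d+)\s*$", line)
        if m and m.group(1).lower() == C2_HOST.lower() and int(m.group(2)) == C2_PORT:
            flagged.append(line)
    return flagged

# Constructed sample data, not taken from a real infection.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"NTSpool"="NTSpool.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Licenses]
"{K7C0DB872A3F777C0}"=""
"""
SAMPLE_LOG = ["2024-01-01T10:00:00 10.0.0.5 -> www.example.com:443",
              "2024-01-01T10:00:02 10.0.0.5 -> sendtoother.whyI.org:2002"]
```

A connection to the same host on a different port is deliberately not flagged, so widen the port check if your environment sees the server on other ports.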