Short description
Win32/Agent.ECD installs a backdoor that can be controlled remotely. The backdoor sends links to MSN users. The file is run-time compressed using Armadillo.

Installation
When executed, the backdoor copies itself into the %system% folder using the following name:
In order to be executed on every system start, the backdoor sets the following Registry entry:
"NTSpool" = "NTSpool.exe"
The following Registry entries are set:
"TrapPollTimeMilliSecs" = 15000
The backdoor creates and runs a new thread with its own program code within the following processes:

Spreading via IM networks
The backdoor sends links to MSN users.
The messages may contain any of the following texts:
- WoW? is that really you... what the hell where you drinking :D
- LOL, you look so ugly in this picture, no joke...
- Should I put this on facebook/myspace?
- Hey m8, who is this on the right, in this picture...
- Sup, seen the pictures from the other night?
The attachment is an archive file containing an executable.

Other information
The backdoor quits immediately if it detects a window containing one of the following strings in its title:
- (Untitled) - Ethereal
- The Wireshark Network Analyzer
- Packetyzer - [Capture Session]
- Sniffem Win32
The backdoor is sent data and commands from a remote computer or the Internet. It can be controlled remotely.
It communicates with the following server using the IRC protocol:
- sendtoother.whyI.org (TCP port 2002)
It can execute the following operations:
- download files from a remote computer and/or the Internet
- terminate running processes
- retrieve information from protected storage and send it to a
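The following host-triage script is an added example, not part of the ESET entry; it checks a Windows machine for the persistence, dropped-file and C2 indicators described above. The Run key paths are an assumption (the entry gives the value name and data but not the hive or key), and the dropped file name NTSpool.exe is inferred from the Run value data, since the entry's own file name is missing.

```powershell
# Added triage script (not from the ESET entry). Assumptions: the "NTSpool" value
# lives in one of the standard Run keys, and the %system% copy is named NTSpool.exe.
$runKeys = @(
  'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
  'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
  'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)
$findings = @()

# 1. Autorun value "NTSpool" = "NTSpool.exe" (value name and data taken from the entry)
foreach ($key in $runKeys) {
  if (-not (Test-Path $key)) { continue }
  $props = Get-ItemProperty -Path $key
  foreach ($p in $props.PSObject.Properties) {
    if ($p.Name -eq 'NTSpool' -or "$($p.Value)" -match 'NTSpool\.exe') {
      $findings += "Run value '$($p.Name)' = '$($p.Value)' in $key"
    }
  }
}

# 2. Dropped copy in %system% (file name assumed from the Run value data)
$dropped = Join-Path $env:SystemRoot 'System32\NTSpool.exe'
if (Test-Path $dropped) {
  $hash = (Get-FileHash -Path $dropped -Algorithm SHA256).Hash
  $findings += "File present: $dropped (SHA256 $hash)"
}

# 3. Live IRC C2 session to the listed server port (TCP 2002); resolve the owning process
$c2 = Get-NetTCPConnection -RemotePort 2002 -State Established -ErrorAction SilentlyContinue
foreach ($c in $c2) {
  $proc = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
  $findings += "Established TCP to $($c.RemoteAddress):2002 from PID $($c.OwningProcess) ($($proc.Name))"
}

if ($findings.Count -eq 0) { 'No Win32/Agent.ECD indicators found.' } else { $findings }
```

Run from an elevated prompt so the HKLM keys and other users' processes are readable; any hit on the file path should be followed by hash comparison against a trusted source rather than treated as confirmation on its own.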