Systweak Spyware Library
More than 21875 spyware signatures and growing
Microsoft Gold Certified Partner
Worm-IM.agent Analysis Report
Threat Submitted On: 9/19/2008 5:09:10 AM
Threat Analysed On: 9/19/2008 10:09:10 AM
Threat Updated On: 1/28/2011 5:54:20 PM
Type : Worm-IM
Symptoms of agent
  • Spreads through instant messaging.
  • Sends itself to the contacts in the IM contact list.
  • Users can be tricked into accepting the message by the social engineering techniques the worm uses.
Information
Alias : im-worm.win32.agent.ej
Md5 Hash : [c9341c66ec2abcc2022f181ff36b62c6]
File Size : [Not Available]

Technical Details

Technical findings of our analysis team after analyzing this malware in detail:

Creates the following infected files on the user's system.
Note:
Delete the following files to remove the infection. Several of them borrow the names of Windows components (csrss.exe and lsass.exe under %windir%\system, for example); the genuine csrss.exe and lsass.exe live in %windir%\system32, so check the path and hash rather than the name alone before deleting.
File: cmd32.exe
Path : %programfiles%\bifrost

Md5Hash :ba8620081c0ef934b5305e7196d1286a ( 162836 bytes)
File: server.exe
Path : %programfiles%\bifrost

Md5Hash :78d5965065d7954f156e2eeba7bfb669 ( 126333 bytes)
File: [RandomName].exe
Path : %workingdir%

Md5Hash :568163af07d7b1c74c9c70d18c0c77f6 ( 13312 bytes)
File: ae11b9~1.exe
Path : %workingdir%

Md5Hash :edb4ecb2c1cb3f3171c187b0bfd76463 ( bytes)
File: aquzz.exe
Path : %workingdir%

Md5Hash :2cffd1759c911ee024b516f195f8428e ( 132608 bytes)
File: c9341c~1.exe
Path : %workingdir%

Md5Hash :edb4ecb2c1cb3f3171c187b0bfd76463 ( bytes)
File: odjpg.exe
Path : %workingdir%

Md5Hash :6c244a09f8488225837a4fb966f485ab ( 100864 bytes)
File: ugqdo.exe
Path : %workingdir%

Md5Hash :b2358df91a2462155545c6fa8fd84b2a ( 221184 bytes)
File: yruwn.exe
Path : %workingdir%

Md5Hash :e50a3afb423705298cf32df6bb7b6429 ( 153088 bytes)
File: system.exe
Path : %systemdrive%

Md5Hash :86c612e7bff373f21ec6fe9b60b873a7 ( 90113 bytes)
File: msnmsgs.exe
Path : %temp%

Md5Hash :20f898936a0db92c0a8a6167fcb97da0 ( 55000 bytes)
File: addon.dat
Path : %userprofile%\application data

Md5Hash :
9519f99d1dd706d13a3f569123dbd05c ( 24174 bytes)
9c3959b6752a89884b52add2756fe12e ( 22040 bytes)
f41850f9bcada4729004d096b94999a0 ( 22040 bytes)
File: ccc.exe
Path : %windir%

Md5Hash :5ffbc970c695d21095f737a71dbc5b20 ( 112640 bytes)
File: chirstmas-2007.zip
Path : %windir%

Md5Hash :7a8846fbe6d6c943b5b3f2d0e7c1b5d9 ( 56201 bytes)
File: christmasimg2007-12.zip
Path : %windir%

Md5Hash :0e15f0ee6de409fe2922d5614490d3cf ( 56022 bytes)
File: cmsetac.dll
Path : %windir%

Md5Hash :
3fe589cfd6deab0349a66e31b03daa73 ( 33792 bytes)
430e04ee502f4768048f02fe2bab70c7 ( 33280 bytes)
File: icon242.exe
Path : %windir%

Md5Hash :( bytes)
File: images.zip
Path : %windir%

Md5Hash :
0ef0044886d11684165598e55b93219b ( 626810 bytes)
87b2a9f5653fdc5871a370b1fab82df0 ( 57980 bytes)
95af651031e8f2f3ee440ee3c829205c ( 41084 bytes)
File: java.exe
Path : %windir%

Md5Hash :6ce04067dbd131d598e3b1db6cc14e4c ( 275456 bytes)
File: msmsgrs.exe
Path : %windir%

Md5Hash :8d56547fdfda661f9f307ac3157b6f83 ( 55872 bytes)
File: photos.zip
Path : %windir%

Md5Hash :f8cf08f384549c18c9bd66c676d5b50c ( 151700 bytes)
File: servicesetup.exe
Path : %windir%

Md5Hash :213d136c5067a5cd334a6adaf9efd145 ( 56138 bytes)
File: servidevice.exe
Path : %windir%

Md5Hash :0c222d6191212a52ae70a8283eb7c316 ( 56065 bytes)
File: so.exe
Path : %windir%

Md5Hash :4495f572f5b3f83bff1af22bdfecd0e5 ( 284160 bytes)
File: supersc.exe
Path : %windir%

Md5Hash :edb4ecb2c1cb3f3171c187b0bfd76463 ( 66560 bytes)
File: csrss.exe
Path : %windir%\system

Md5Hash :
1c90ec1a2143040628e9c6dfd6152b5b ( 24576 bytes)
680db6ba04af610fb56cfc7361e06916 ( 24583 bytes)
a78706638331938a49dbaa40c0bb81fb ( 24578 bytes)
ea413e8dd78eca1835bb6a52b3f631c2 ( 24576 bytes)
File: lsass.exe
Path : %windir%\system

Md5Hash :
568067c3b221be4fd2f6b14efb3c2119 ( 25088 bytes)
5db839ee8314bc77e5f236b81ecb4d13 ( 25092 bytes)
840f51e431730362acc435b41cd5ba14 ( 25088 bytes)
File: taskmrg.exe
Path : %windir%\system32\amircivil

Md5Hash :ba168acea9a3e1cadf74a99176d4f8a8 ( 94209 bytes)
File: appsrv.exe
Path : %windir%\system32

Md5Hash :1cbd2006dfb486b0fc4788413901b7e5 ( 198658 bytes)
File: cexplorer.exe
Path : %windir%\system32

Md5Hash :6ce04067dbd131d598e3b1db6cc14e4c ( 275456 bytes)
File: driver32.exe
Path : %windir%\system32

Md5Hash :f8615deb60d5321f1b087c9fbcb0c108 ( 113221 bytes)
File: firewallav.dll
Path : %windir%\system32

Md5Hash :5ad47e88035057bf5c6bcc1a3f593dc2 ( 26000 bytes)
File: inst.dat
Path : %windir%\system32

Md5Hash :3e75c0d5d36314ef13cce2fa031a7089 ( bytes)
File: mnsnmsngrs.exe
Path : %windir%\system32

Md5Hash :076a6dcc91deba6b9f0042313f5df454 ( bytes)
File: msnsvc.exe
Path : %windir%\system32

Md5Hash :9b3f0b4e8aee23f899cac47d2579d181 ( 47104 bytes)
File: netmetig.exe
Path : %windir%\system32

Md5Hash :c92b4fa92f3dadf232ddc7088b7e3e5e ( 106920 bytes)
File: ntspool.exe
Path : %windir%\system32

Md5Hash :
1b4e4f8bfcab28f7c8b345e0ff0ed11a ( 32768 bytes)
99ccc801fed98d7272ad2853be481544 ( 32768 bytes)
File: pk.bin
Path : %windir%\system32

Md5Hash :c462a94a25a8c82863681949761dbe0e ( bytes)
File: printers.exe
Path : %windir%\system32

Md5Hash :920740558611fb13186880594016d69f ( 117764 bytes)
File: rafba.dll
Path : %windir%\system32

Md5Hash :568163af07d7b1c74c9c70d18c0c77f6 ( 13312 bytes)
File: sysrcvr2.dll
Path : %windir%\system32

Md5Hash :cb86de672e4a29a8e4d02e80c9fc902a ( 43129 bytes)
File: web.dat
Path : %windir%\system32

Md5Hash :e615aa6e62e567d1aac23e60648e309c ( 48 bytes)
File: windows32.exe
Path : %windir%\system32

Md5Hash :( bytes)
File: winserv.exe
Path : %windir%\system32

Md5Hash :b8420650dd2f14afa4676e48008096d3 ( 94720 bytes)
File: winservicemonitor.exe
Path : %windir%\system32

Md5Hash :6c6b328bdc7110aa97532dff8c548d78 ( 17923 bytes)
File: w32_sysbm.bat
Path : %windir%

Md5Hash :7b6ee75132ea852c51db974fd1bd0734 ( bytes)
File: w32_systm.exe
Path : %windir%

Md5Hash :edb4ecb2c1cb3f3171c187b0bfd76463 ( bytes)
File: install.exe
Path : %windir%\windows

Md5Hash :9f57bbf1b55b0064e3db0374c973c520 ( 242827 bytes)
File: install.sys
Path : %windir%\windows

Md5Hash :1b9023de8018a2795e118dc329b3f499 ( 223232 bytes)
File: winlog32.exe
Path : %windir%

Md5Hash :9874a461c49104663241bf1eb78b484e ( 40962 bytes)
File: wkssvc.exe
Path : %windir%

Md5Hash :9074d3854db5f125932804a3e80b0d5a ( 1753600 bytes)
File: [randomname].exe
Path : %workingdir%

Md5Hash :
000d16292b95a4aac222465ab26c2055 ( 102404 bytes)
010c568fb7f0aa07c7bcca4cb1b3f68e ( 177272 bytes)
02263ff356787926de9fb0c695ef63a9 ( bytes)
039d6ac70c5f26e3b442d978afa46581 ( 276480 bytes)
05cfa20049211688d1bcd29c444e85c8 ( 102400 bytes)
076a6dcc91deba6b9f0042313f5df454 ( 102919 bytes)
0ba0fce65abd1701b474357939251a3e ( 172032 bytes)
0badbf9461bae88fa2de69bcebf34333 ( 41986 bytes)
0c0dcd54ba4a14248145ed599296a218 ( 111407 bytes)
0c222d6191212a52ae70a8283eb7c316 ( 56065 bytes)
0d175f162ad39c230cb8682e8fce9a81 ( 26004 bytes)
10844eccd132415465a6629cd5da10aa ( 121018 bytes)
1122faed8b463a2eb8e1c59c51660b95 ( 295005 bytes)
132737492c49f6c38e12ced424a2fe78 ( bytes)
1354d66ceab56499508d156e57c46171 ( 102400 bytes)
188b1704a9cbbb216cd0e5afa0ed2113 ( 111405 bytes)
1a5d136655b56626f539aa5a66c87b94 ( 49311 bytes)
1b4e4f8bfcab28f7c8b345e0ff0ed11a ( 32768 bytes)
1b9df340c1eb264bfc87017ba0e1934e ( 209453 bytes)
1c90ec1a2143040628e9c6dfd6152b5b ( bytes)
1cbd2006dfb486b0fc4788413901b7e5 ( 198658 bytes)
1d37fb2493565c999ce102d0b960ced9 ( 46080 bytes)
1e3230e3972f8ad0ad2c8f5fdbda6652 ( 209539 bytes)
1f0a9e5a912bbbbc398df1a43dd37501 ( 139264 bytes)
20661812f410bc2f4035e0ae2caee896 ( 1173956 bytes)
20832f4bdbf624e61e0966cfa16bb034 ( 57856 bytes)
213d136c5067a5cd334a6adaf9efd145 ( 56138 bytes)
2348844755bfa65f7377aaba249726a9 ( bytes)
257078e229c6cdf966395c55b7478cdd ( bytes)
2982ea3c0ae8017150a7faae32dabb86 ( 231725 bytes)
29e3fefc20bdaa9f3c722eda7c84a5f8 ( 49152 bytes)
2a9e66a277e9aaa555cfdc48329ad0e7 ( bytes)
2c7b3418f3aa7642650f59db34ea3f7e ( 26000 bytes)
2d0e3ba811c6f1149b1fdba13d3c98d8 ( 209455 bytes)
2dc6680bd74d9e3c1c621367865f0980 ( 100864 bytes)
2e0d2a7d933f8cf2e12a7474ea33b34c ( 282624 bytes)
2e81ba7c1d3d71435bd4f59654460bc4 ( 26005 bytes)
2f2d10081e3ac40d29bf3f303f2d70a0 ( 157394 bytes)
2feb849700d4d946f66cbef13be5608f ( 190976 bytes)
302d20da5a4132f2b5d4433cf463c81f ( 111405 bytes)
3087f8d12c74e94f45d28fbc97dab14a ( 111404 bytes)
308e5e64de4b8cbaf1b94f747de7450d ( 41984 bytes)
309271441f0c21679f04b46cfedfef84 ( 136821 bytes)
315119126b20c4c6d8e2d9e6b392d790 ( 45056 bytes)
320554084b59118db39b4ebfb81994fc ( 636518 bytes)
324c36369353f40cd5cfa1d757adaf0b ( 138333 bytes)
32f3843242fd15ab59850fea9ef401fb ( 233261 bytes)
3395ba6df7b9df91791341cfaf9051a0 ( 360965 bytes)
33b21b752153ad587d5f3e4be1b92648 ( 49309 bytes)
33e6d1bb0c93faa1eb1a8947850c2986 ( 115717 bytes)
3615ce621577bc307bb82c0a92c61607 ( 709928 bytes)
36314312108b7476f5bb8087c7372d3e ( bytes)
36602c703dfaea44230b52edba02816b ( bytes)
37004ea108df9e842fac74e703a80597 ( 270340 bytes)
3831e75de306a10edb787d3770108786 ( 68608 bytes)
38b0bd7d3103eba70de12a98eefe85c7 ( 45056 bytes)
3cb081ccaf71df9808d2abeb7faf6809 ( bytes)
3f8432d9352c8ff821155a7721ce016d ( 502784 bytes)
3f86b9b245d5a76cccbdde83a1b6ea4f ( 127738 bytes)
409c92e5ad9779dfdf6ad9a63fb56e3a ( 45058 bytes)
40a7e56c5dfb3e016fc84a11083a964e ( 172032 bytes)
410c3aec45dde928d04f
Also creates the following file on the user's system, which the report classes as one that genuine software also creates:
Note:
The report states this file can be kept. Check it before doing so: the genuine Windows shell explorer.exe lives in %windir%, not in %windir%\system32, and is far larger than 7935 bytes, so a file at this path with this hash should be verified against a known-good copy rather than assumed legitimate.
File : explorer.exe
Path : %windir%\system32

Md5Hash :bc2400edc595b848012199d0041b2bb1 ( 7935 bytes)
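The file list above can be turned into a host sweep. The following Python is an added example, not code from Systweak or from this report: it parses entries in the report's own `File:` / `Path :` / `Md5Hash :` layout (including the multi-hash variant), expands the %placeholder% directories from a mapping the caller supplies, hashes the files found at those locations and reports a hash match, or a file that merely sits at a listed name and path, since the list above shows the same name shipping with several hashes. The embedded excerpt is a few entries copied from the list; `default_env()` reading the mapping from the Windows environment, and every function and constant name, are my own assumptions.

```python
import hashlib
import os
import re
from pathlib import Path

# A few entries copied from the report above, in the page's own layout.
REPORT_EXCERPT = r"""
File: cmd32.exe
Path : %programfiles%\bifrost

Md5Hash :ba8620081c0ef934b5305e7196d1286a ( 162836 bytes)
File: csrss.exe
Path : %windir%\system

Md5Hash :
1c90ec1a2143040628e9c6dfd6152b5b ( 24576 bytes)
680db6ba04af610fb56cfc7361e06916 ( 24583 bytes)
File: [RandomName].exe
Path : %workingdir%

Md5Hash :568163af07d7b1c74c9c70d18c0c77f6 ( 13312 bytes)
"""

# One chunk per "File:" heading; hashes are taken only from "Md5Hash :" lines
# and from bare hash lines that follow one (the multi-variant layout above).
FILE_SPLIT_RE = re.compile(r"(?im)^\s*File\s*:")
ENTRY_RE = re.compile(r"\s*(?P<name>[^\n]+?)\s*\n\s*Path\s*:\s*(?P<path>[^\n]+?)\s*(?:\n|$)")
HASH_LINE_RE = re.compile(r"(?im)^\s*(?:(?:Collapse\s+)?Md5Hash\s*:\s*)*([0-9a-f]{32})\b")
PLACEHOLDER_RE = re.compile(r"%([a-z0-9_]+)%", re.I)


def parse_report(text):
    """Return [{'name', 'path', 'hashes'}] for every File:/Path: entry in text."""
    entries = []
    for chunk in FILE_SPLIT_RE.split(text)[1:]:
        m = ENTRY_RE.match(chunk)
        if not m:
            continue
        entries.append({
            "name": m["name"],
            "path": m["path"],
            "hashes": {h.lower() for h in HASH_LINE_RE.findall(chunk)},
        })
    return entries


def expand_path(template, env):
    """Replace %windir%-style placeholders using env (keys lowercase, no %)."""
    def sub(m):
        key = m.group(1).lower()
        if key not in env:
            raise KeyError(f"no mapping for %{key}%")
        return env[key]
    return PLACEHOLDER_RE.sub(sub, template).replace("\\", os.sep)


def default_env():
    """Mapping for a live Windows host (assumption: run on the suspect machine)."""
    env = {k: os.environ[k.upper()] for k in
           ("programfiles", "systemdrive", "temp", "userprofile", "windir")
           if k.upper() in os.environ}
    env["workingdir"] = os.getcwd()
    return env


def md5_of(path, block_size=1 << 16):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(block_size), b""):
            h.update(block)
    return h.hexdigest()


def scan(entries, env):
    """Return hits: 'hash' when the MD5 matches, 'name-only' when only name+path do."""
    hits = []
    for e in entries:
        directory = Path(expand_path(e["path"], env))
        if not directory.is_dir():
            continue
        wildcard = "[" in e["name"]          # "[RandomName].exe": any file with that suffix
        if wildcard:
            suffix = Path(e["name"]).suffix.lower()
            candidates = [p for p in directory.iterdir() if p.suffix.lower() == suffix]
        else:
            candidates = [directory / e["name"]]
        for f in candidates:
            if not f.is_file():
                continue
            try:
                digest = md5_of(f)
            except OSError:
                continue
            if digest in e["hashes"]:
                hits.append({"file": str(f), "md5": digest, "reason": "hash"})
            elif not wildcard:
                hits.append({"file": str(f), "md5": digest, "reason": "name-only"})
    return hits


if __name__ == "__main__":
    iocs = parse_report(REPORT_EXCERPT)
    print(f"{len(iocs)} indicator(s) parsed")
    if os.name != "nt":
        print("run on the suspect Windows host to sweep the listed paths")
    else:
        for hit in scan(iocs, default_env()):
            print(hit["reason"], hit["file"], hit["md5"])
```

A name-only hit is deliberately reported: a file at `%windir%\system\csrss.exe` is suspicious whatever its hash, because nothing legitimate lives there, while the wildcard entries are matched on hash alone so that every executable in the working directory is not flagged.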
The following registry values are added (the report does not list the parent keys):
Note:
Delete the added values from the key to remove the infection.
  • install = "%windir%\windows\install.exe"
  • so = "%windir%\so.exe"
  • win32usr = "%windir%\system32\cexplorer.exe"
  • bpk = "%windir%\system32\bpk.exe"
  • graphic update = "%TEMP%\msnmsgs.exe"
  • install = "%windir%\windows\install.exe"
  • MSN = "msnmsgs.exe"
  • msn = "winlog32.exe"
  • msnlivemessenger = "msmsgrs.exe"
  • runtime server subsystem = "%windir%\system\csrss.exe"
  • ryan1918 = "servidevice.exe"
  • server runtime server subsystem = "%windir%\system\csrss.exe"
  • win32serv = "servicesetup.exe"
  • windows = "%windir%\java.exe"
  • windows console = "wkssvc.exe"
  • windows dns service = "%windir%\system\lsass.exe"
  • windows driver = "%windir%\system32\driver32.exe"
  • windows event service = "winserv.exe"
  • windows service monitor. = "%SYSTEMDRIVE%\data\6c6b328bdc7110aa97532dff8c548d78.exe"
Creates the following child process(es) on execution:

%windir%\w32_sysbm.bat

%workingdir%\[random name].exe %workingdir%\c9341c~1.exe

%windir%\supersc.exe %workingdir%\[random name].exe

%windir%\supersc.exe stm

%windir%\explorer.exe

services.exe

Creates the following mutex(es) on the user's system:
tb 1.3b2 imutex supersc.exe
tb 1.3b2 supersc.exe
raspbfile
Copies the following files to the given locations:

Copies :%windir%\w32_systm.exe

To : %workingdir%\c9341c~1.exe

Copies :%workingdir%\[random name].exe

To : %windir%\supersc.exe

NOTE:

1. %programfiles% refers to the Program Files folder. By default it is 'C:\Program Files'
2. %workingdir% refers to the current working directory, i.e. the directory the user (or the sample) is running in.
3. %systemdrive% refers to the Windows system drive. By default it is 'C:\'
4. %temp% refers to the Windows temp folder. By default it is 'C:\Documents and Settings\[user]\Local Settings\Temp'
5. %userprofile% refers to the current user's profile folder. By default it is 'C:\Documents and Settings\[user]'
6. %windir% refers to the Windows root folder. By default it is 'C:\Windows'

Important: We strongly recommend that you backup the Registry before making any changes to it. Incorrect changes to the Registry can result in permanent data loss or corrupted Files. Modify the malicious\suspicious Subkeys only.


To modify registry entries in Windows:
Follow these steps:
1. Click Start > Run
2. Type "regedit" and press Enter to open the Registry Editor
3. Navigate to the required registry key in the left tree and modify it accordingly.
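The list of added registry values earlier on this page and the regedit procedure above can both be handled programmatically. The following Python is an added example, not code from Systweak or from this report. The report does not name the parent keys, so the block assumes the usual autostart locations (Run and RunOnce under HKLM and HKCU); that assumption, and every function and constant name, are mine. It parses the value list in the page's own layout, normalises the executable path (quotes and arguments stripped, %placeholder% prefix dropped) so that `%windir%\system\csrss.exe` matches `C:\WINDOWS\system\csrss.exe` but not the genuine `system32\csrss.exe`, and matches a live value dump by value name or by path. `read_run_values` and `delete_value` use the standard-library winreg module and therefore only run on Windows; the matching itself runs anywhere.

```python
import re

# A few of the values listed on this page, in the page's own layout (the "|__"
# lines are tree-control residue and are ignored by the parser).
IOC_EXCERPT = r"""
|__ Value Added :
install = "%windir%\windows\install.exe"
|__ Value Added :
graphic update = "%TEMP%\msnmsgs.exe"
|__ Value Added :
MSN = "msnmsgs.exe"
|__ Value Added :
msn = "winlog32.exe"
|__ Value Added :
runtime server subsystem = "%windir%\system\csrss.exe"
|__ Value Added :
windows service monitor. = "%SYSTEMDRIVE%\data\6c6b328bdc7110aa97532dff8c548d78.exe"
"""

VALUE_RE = re.compile(r'^\s*(?P<name>[^=\n]+?)\s*=\s*"(?P<data>[^"\n]*)"\s*$', re.M)
PLACEHOLDER_RE = re.compile(r"%[a-z0-9_]+%\\?", re.I)

# Assumed autostart locations; the report itself does not name the parent keys.
RUN_KEYS = [
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\Run"),
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\RunOnce"),
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Run"),
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\RunOnce"),
]


def parse_values(text):
    """[(value name lowercased, data)] for every `name = "data"` line."""
    return [(m["name"].strip().lower(), m["data"].strip()) for m in VALUE_RE.finditer(text)]


def _command_path(data):
    """Lowercased executable path from a Run value: quotes and arguments removed."""
    m = re.match(r'\s*"?(.*?\.exe)', data, re.I)
    return (m.group(1) if m else data.strip().strip('"')).lower()


def _ioc_tail(data):
    """'%windir%\\system\\csrss.exe' -> 'system\\csrss.exe'; 'msnmsgs.exe' stays."""
    return PLACEHOLDER_RE.sub("", data).strip("\\").lower()


def match_run_values(iocs, dump):
    """dump: [(key, value name, data)]. A hit needs the IOC's value name, or its
    executable path tail (bare file names in the IOC match on base name only)."""
    hits = []
    for key, name, data in dump:
        cmd = _command_path(data)
        reasons = set()
        for ioc_name, ioc_data in iocs:
            if name.lower() == ioc_name:
                reasons.add("name")
            tail = _ioc_tail(ioc_data)
            if "\\" in tail:
                if cmd.endswith("\\" + tail):
                    reasons.add("path")
            elif cmd.rsplit("\\", 1)[-1] == tail:
                reasons.add("path")
        if reasons:
            hits.append({"key": key, "name": name, "data": data, "reasons": sorted(reasons)})
    return hits


def read_run_values():
    """Live dump of RUN_KEYS on Windows (needs the stdlib winreg module)."""
    import winreg
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    dump = []
    for hive, sub in RUN_KEYS:
        try:
            with winreg.OpenKey(hives[hive], sub) as k:
                i = 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(k, i)
                    except OSError:           # no more values
                        break
                    dump.append((f"{hive}\\{sub}", name, str(data)))
                    i += 1
        except OSError:                       # key absent
            pass
    return dump


def delete_value(hive, sub, name):
    """Remove one autostart value (what the regedit steps above do by hand)."""
    import winreg
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    with winreg.OpenKey(hives[hive], sub, 0, winreg.KEY_SET_VALUE) as k:
        winreg.DeleteValue(k, name)


if __name__ == "__main__":
    import sys
    if sys.platform != "win32":
        sys.exit("run on the suspect Windows host")
    for hit in match_run_values(parse_values(IOC_EXCERPT), read_run_values()):
        print(hit["key"], hit["name"], "=", hit["data"], hit["reasons"])
```

Review the hits before calling `delete_value`: a path match on a bare name such as `msnmsgs.exe` is weaker evidence than one on a directory tail, and the backup advice in the Important note above still applies.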



© Systweak Inc., 1999-2011 All rights reserved.