ThreatExpert Report: TrojanSpy.ProAgent.I, Trojan.Progent, TSPY

Visit ThreatExpert web site

Close Report

Submission Summary:

Submission details:

Submission received: 20 January 2008, 05:37:14
Processing time: 3 min 33 sec
Submitted sample:

File MD5: 0x6FE101EF6208A97692AF2F73EF556316
Filesize: 261,745 bytes
Alias:

TrojanSpy.ProAgent.I [PCTools]
Trojan.Progent [Symantec]
TSPY_PROAGENT.K [Trend Micro]

Summary of the findings:

What's been found	Severity Level
Communication with a remote SMTP server and sending out email.
Creates a startup registry entry.
Contains characteristics of an identified security risk.

Technical Details:

The new window was created, as shown below:

NOTICE: The content shown in the above window is captured automatically and is not controlled or endorsed by ThreatExpert.
Please contact us on this link should any material be offensive or inappropriate and we will ensure any such content is blocked from future viewers of the report.

Possible Security Risk

Attention! Characteristics of the following security risks were identified in the system:

Security Risk	Description
Backdoor.ProRat	Backdoor.ProRat is a remote administrative trojan. It allows an attacker to take full control of a compromised computer. It also logs all keystrokes to a text file which can be accessed by the attacker. It also hides itself from task manager and process monitors.
Trojan-Spy.ProAgent!sd5	Trojan-Spy.ProAgent!sd5 is a malicious application that attempts to steal passwords, login details, and other confidential information.
Application.MailPass_Viewer	MailPass Viewer is a email password recovery application from NirSoft. It enables the user to view all email accounts passwords stored in email applications. We recommend that MailPass Viewer be removed unless installed for a purpose.
Application.MessenPass	MessenPass is used to retrieve password from various instant messenging application. It has been used by attackers with malicious intent. We recommend that Messenpass be removed unless installed for a purpose.
Trojan.ProAgent	ProAgent is a keylogger software from SIS-Team. Using the main ProAgent program various installers can be created according to the requirements of the intruder. Installers created can be separate executable files or they can be associated with other files such as jpg, exe or dll etc. Once installed it can run in stealth mode and capture all keystrokes including usernames and their passwords, applications used, emails, chat sessions, instant messages and websites visited. All the information captured is stored by this software in log files and it has the ability to send these log files to a specified email address. Removal of this software is advisable if it is not installed for a purpose.

Attention! The following threat categories were identified:

Threat Category	Description
	A malicious backdoor trojan that runs in the background and allows remote access to the compromised system
	A spyware program that represents security risk for a local system
	A malicious trojan horse or bot that may represent security risk for the compromised system and/or its network environment
	A keylogger program that can capture all user keystrokes (including confidential details such username, password, credit card number, etc.)

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%Temp%\htmpl.htm	0 bytes	MD5: 0xD41D8CD98F00B204E9800998ECF8427E	(not available)
2	%Temp%\[filename of the sample #1]	15,360 bytes	MD5: 0x2E86D292BD26DC9F06D91E35D4E8B50E	(not available)
3	%Windir%\kurlmon.dll	20,480 bytes	MD5: 0x244A85EDDFB46B31D4C6762A1D851C0E	Backdoor.ProRat [PCTools] Backdoor.Prorat [Symantec] BackDoor-AVW [McAfee] TROJ_AVW.N [Trend Micro]
4	%Windir%\qservice.exe [file and pathname of the sample #1]	261,745 bytes	MD5: 0x6FE101EF6208A97692AF2F73EF556316	TrojanSpy.ProAgent.I [PCTools] Trojan.Progent [Symantec] TSPY_PROAGENT.K [Trend Micro]
5	%Windir%\services.dll	235,626 bytes	MD5: 0xC54AE820D196E375C114AE79F445AB11	Infostealer [Symantec] PWS-Progent.dll [McAfee]
6	%System%\drivers\KeenSense.sys %System%\drivers\ksdevice.sys	16 bytes	MD5: 0xEAE84FD8E79DF2E1815CF255F0870B18	(not available)
7	%System%\HookApi.dll	6,656 bytes	MD5: 0x80B41F0FBA6E91608DE1764D275A5D58	Trojan-Spy.ProAgent!sd5 [PCTools] Trojan.Progent [Symantec] Trojan-Spy.Win32.ProAgent.21 [Kaspersky Lab] PWS-Progent.dll [McAfee] TROJ_PROGENT.V [Trend Micro]

Notes:

%Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).
%Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.
%System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

Memory Modifications

There were new processes created in the system:

Process Name	Process Filename	Main Module Size
[filename of the sample #1]	%Temp%\[filename of the sample #1]	32,768 bytes
agnt_pnc.exe	%System%\agnt_pnc.exe	164,352 bytes
agnt_mps.exe	%System%\agnt_mps.exe	78,848 bytes
agnt_msn.exe	%System%\agnt_msn.exe	94,208 bytes
agnt_fps.exe	%System%\agnt_fps.exe	58,368 bytes
[filename of the sample #1]	[file and pathname of the sample #1]	65,536 bytes
qservice.exe	%Windir%\qservice.exe	65,536 bytes

Attention! The following process was intentionally hidden from the user:

Process Name	Main Module Size
IEXPLORE.EXE	102,400 bytes

Registry Modifications

The following Registry Keys were created:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\&RQ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Trillian
HKEY_LOCAL_MACHINE\SOFTWARE\Ghisler
HKEY_LOCAL_MACHINE\SOFTWARE\Ghisler\Total Commander
HKEY_LOCAL_MACHINE\SOFTWARE\Ghisler\Windows Commander
HKEY_LOCAL_MACHINE\SOFTWARE\mirabilis
HKEY_LOCAL_MACHINE\SOFTWARE\mirabilis\icq
HKEY_LOCAL_MACHINE\SOFTWARE\mirabilis\icq\DefaultPrefs
HKEY_LOCAL_MACHINE\SOFTWARE\Miranda
HKEY_CURRENT_USER\Software\Far
HKEY_CURRENT_USER\Software\Far\Plugins
HKEY_CURRENT_USER\Software\Far\Plugins\FTP
HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts
HKEY_CURRENT_USER\Software\Ghisler
HKEY_CURRENT_USER\Software\Ghisler\Total Commander
HKEY_CURRENT_USER\Software\Ghisler\Windows Commander
HKEY_CURRENT_USER\Software\mirabilis
HKEY_CURRENT_USER\Software\mirabilis\icq
HKEY_CURRENT_USER\Software\mirabilis\icq\DefaultPrefs
HKEY_CURRENT_USER\Software\mirabilis\icq\NewOwners
HKEY_CURRENT_USER\Software\NirSoft
HKEY_CURRENT_USER\Software\NirSoft\MailPassView
HKEY_CURRENT_USER\Software\NirSoft\MessenPass
HKEY_CURRENT_USER\Software\RIT
HKEY_CURRENT_USER\Software\RIT\The Bat!

The newly created Registry Values are:

[HKEY_CURRENT_USER\Software\Microsoft\Windows]

pVer = 0x000000D2
qservices = "qservices"
pPid = 0x000004A8

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]

qservices = "%Windir%\qservice.exe"

so that qservice.exe runs every time Windows starts

Other details

Analysis of the file resources indicate the following possible country of origin:

Turkey

The following Host Names were requested from a host database:

www.aol.com
gsmtp185.google.com

Generated SMTP traffic

Email Sender:

ProAgent v2.1.0 <ProAgent@Yahoo.com>

Email Recipient:

samsungold2@gmail.com

Email Subject:

COMPUTERNAME is Online

Email Body:

######################################################### ProAgent : [COMPUTERNAME is Online] IP Address(es) : 127.0.0.1 Agent Version :v2.1.0 Computer Name :COMPUTERNAME Date :1/7/2008 Time :3:15:05 PM ######################################################### ######################################################### PROTECTED STORAGE ######################################################### ================================================== Resource Name: pop.domain.com Resource Type: Outlook Express User Name : Username Password : ================================================== ================================================== Resource Name: IdentitiesPass Resource Type: Outlook Express Identity User Name : Main Identity Password : ================================================== ######################################################### MAIL PASSWORDS ######################################################### ================================================== Name : UserName Application : Email : username@domain.com Server : pop.domain.com Type : User : Username Password : ================================================== ######################################################### INSTANT MESSENGER PASSWORDS ######################################################### Not Recorded! ######################################################### CUTE FTP PASSWORDS ######################################################### Not Recorded! ######################################################### FLASH FXP PASSWORDS ######################################################### Not Recorded! ######################################################### WS_FTP PASSWORDS ######################################################### Not Recorded! ######################################################### FILEZILLA PASSWORDS ######################################################### Not Recorded! ######################################################### PEER FTP PASSWORDS ######################################################### Not Recorded! ######################################################### EXEEM PASSWORDS ######################################################### Not Recorded! ######################################################### SENDLINK PASSWORDS ######################################################### Not Recorded! ######################################################### CHAT ANYWHERE PASSWORDS ######################################################### Not Recorded! ######################################################### FTPNOW PASSWORDS ######################################################### Not Recorded! ######################################################### DELUXE FTP PASSWORDS ######################################################### Not Recorded! ######################################################### DELUXE FTP PRO PASSWORDS ######################################################### Not Recorded! ######################################################### MORPHEUS CHAT PASSWORDS ######################################################### Not Recorded! ######################################################### BITCOMET PASSWORDS ######################################################### Not Recorded! ######################################################### FIREFLY PASSWORDS ######################################################### Not Recorded! ######################################################### CRYPTED DATA ######################################################### W1BdDQpWOiAxLjANClM6IE1BSUwgRlJPTTogY29iYW4ya0BtYWlsLnJ1DQpEOiA5NDdENzBD RQ0KUkNQVCBUTzogY29iYW4ya0BtYWlsLnJ1DQoNClsyMDAzXQ0KUzogNDAgMUEgQ0QgMDAN CltNXQ0KWzk5Yl0NCltUQiFdDQpbVF0NCltGQVJdDQpbV1RDXQ0KW1JBU10NClsmXQ0K ######################################################### CD-KEYS ######################################################### ============================== Windows Serial : K8QV4-X3PXT-J8X6C-V7GK7-HYPMM =============================== ######################################################### PC INFORMATIONS ######################################################### Computer Name : COMPUTERNAME User Name : UserName Windows Ver : Windows XP 5.1.2600 Service Pack 2 Windows Language : English (United States) Windows Path : C:\WINDOWS System Path : C:\WINDOWS\system32 Temp Path : C:\DOCUME~1\UserName\LOCALS~1\Temp\ ProductId : Workgroup : NO Data : 1/7/2008 Time : 3:15:06 PM Pc is open for : 0 Hour(s) 2 Minute(s) Resolution : 640x480 I.Explorer Ver : 6.0.2900.2180 I.E. Start Page : about:blank Printer : NO Processor Name : Intel(R) Pentium(R) 4 CPU 3.20GHz Vendor Identifier: GenuineIntel Identifier : x86 Family 15 Model 4 Stepping 8 CPU Speed : 3191 Mhz Hard Drive(s) List: A:\ [ REMOVABLE DISK ] C:\ [ HARDDISK DRIVE (FIXED) ] X:\ [ REMOTE (NETWORK) DISK ] Sound Card(s) Information: Display Adapter(s) Information: VMware SVGA II NetMeeting driver RDPDD Chained DD ######################################################### ADDRESS BOOK RECORDS ######################################################### [user's email address] [user's email address] [user's email address] [user's email address] [user's email address] 0 ######################################################### URL HISTORY ######################################################### http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome ######################################################### PROCESSES INFORMATION ######################################################### [System Process] System smss.exe csrss.exe winlogon.exe services.exe lsass.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe spoolsv.exe atsagent.exe alg.exe explorer.exe msmsgs.exe dllhost.exe acrotray.exe mdm.exe sdnsmain.exe IEXPLORE.EXE IEXPLORE.EXE ######################################################### KEYLOGGER RECORDS ######################################################### .

For example, the generated email message may look similar to the one shown below:

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.