Threat behavior
Typically, PWS:Win32/Agent.BB is distributed in an e-mail claiming to be an order for merchandise. Recipients click through a link included in the e-mail in order to contest the unexpected order. The link points to a malicious Web site that uses a security exploit to download and install the dropper.
The dropper, usually vm#.exe, where # represents a single-digit version number, drops a copy of itself to %Profile% as xx_<4 random chars>.exe and modifies the registry to load this file when Windows is started:
Adds value: xx_Shell
With data: %Profile%\xx_<4 random chars>.exe
To Subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
The trojan injects code into various APIs and uses the injected code to redirect certain API calls. It then attempts to connect to a specified IP address, downloads a configuration file that contains further instructions, and uploads data it has collected from the infected system. Data may include usernames and passwords intercepted from URLs or (possibly) cached on the system.
The dropper may also download additional malware from the remote site. This file is dropped as "xx_<random 4 chars>.exe" under directory %Profile%. The registry is also modified to launch this file when Windows is started, as follows:
The file work.exe drops itself as "xx_<random 4 chars>.exe" under the %Profile% directory and modifies the following registry entries:
Set "xx_Shell" = "%Profile%\xx_<random 4 chars>.exe"
In Subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Set "xx_id" = "3002557744"
In Subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion
PWS:Win32/Agent.BB then injects its code into the explorer.exe and iexplore.exe processes, opens a backdoor on TCP port 6265, and listens for commands from remote attackers. The trojan also sends an HTTP GET request to a specified IP address, downloads an encrypted configuration file, and uploads information to the same remote IP.
Prevention