SECURITY ALERT

Name:      Spy-Agent.bw!rootkit
Aliases:   
Variants:  
Type:      Trojan Horse
Platforms: Windows
Status:    In the Wild
Threat:    V-CON 2 (low)

The following has been derived from information provided by McAfee. We are sending this alert due to numerous clients reporting multiple instances and variants.


Virus Characteristics

Spy-Agent.bw!rootkit is a Windows rootkit which has been spammed to numerous email accounts. It attempts to steal sensitive data from the system and transmit it to a Russian domain. It also has the ability to hide malicious files and monitor system behavior.

It will arrive as an email with the following attachment:
UPS_INVOICE_%.exe, where % is a random number.

This rootkit will attempt to drop and hide the following files:
%System%\ntos.exe
%System%\wsnpoem\audio.dll
%System%\wsnpoem\video.dll

It will attempt to inject itself into the following processes:
winlogon.exe
services.exe
explorer.exe

It will attempt to install numerous API hooks to hide files and monitor system behaviors.

It will modify the following registry value (under the Winlogon key) so that it is launched at Windows startup, by appending its dropped file to the stock userinit.exe entry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,"
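As an added defender-side check that is not part of the McAfee alert: a small Python routine that parses a Winlogon Userinit value, flags any launch entry other than the stock userinit.exe, and notes whether an extra entry matches a file path named in this alert. The function names and the sample values are constructed for illustration; the optional live registry read only works on Windows.

```python
"""Inspect a Winlogon Userinit value for extra launch entries (added example)."""
import ntpath
from typing import Optional

# The only program Windows itself needs listed in Userinit.
EXPECTED_USERINIT = "userinit.exe"

# File paths (relative to %System%) that this alert reports being dropped.
KNOWN_DROPPED = {"ntos.exe", r"wsnpoem\audio.dll", r"wsnpoem\video.dll"}


def parse_userinit(value: str) -> list:
    """Split the comma-separated Userinit data into non-empty, unquoted entries.

    Windows normally leaves a trailing comma on this value, so empty
    fragments are dropped rather than treated as entries.
    """
    entries = []
    for raw in value.split(","):
        entry = raw.strip().strip('"')
        if entry:
            entries.append(entry)
    return entries


def unexpected_userinit_entries(value: str) -> list:
    """Return every entry whose file name is not the stock userinit.exe."""
    return [e for e in parse_userinit(value)
            if ntpath.basename(e).lower() != EXPECTED_USERINIT]


def matches_known_dropped(entry: str) -> bool:
    """True if the entry ends with one of the file paths named in this alert."""
    norm = entry.lower().replace("/", "\\")
    return any(norm.endswith("\\" + k.lower()) or norm == k.lower()
               for k in KNOWN_DROPPED)


def assess_userinit(value: str) -> dict:
    """Summarise extra entries and which of them match this alert's indicators."""
    extras = unexpected_userinit_entries(value)
    return {"extra_entries": extras,
            "known_indicator": [e for e in extras if matches_known_dropped(e)]}


def read_live_userinit() -> Optional[str]:
    """Read the current Userinit value from the registry; None off Windows."""
    try:
        import winreg
    except ImportError:
        return None
    key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                         r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon")
    try:
        data, _ = winreg.QueryValueEx(key, "Userinit")
        return data
    finally:
        winreg.CloseKey(key)
```

Run assess_userinit() on the output of read_live_userinit() on a suspect host; a clean system yields an empty extra_entries list.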


Payload

Creates files in the Windows system folders.
Modifies registry to launch itself at Windows startup.
Potentially downloads files from a Russian domain and transmits sensitive data to that domain.
Hides itself using a rootkit.


Preventative Measures

Where possible, block all incoming messages that contain executable (EXE) attachments and extend this blocking rule to the contents of ZIP attachments.


Fixes Available

McAfee:
Minimum DAT: 5345
EXTRA.DAT required: Spy-Agent.bw
Release Date: July 23, 2008
Minimum Engine: 5.100

NOTE: Because this Trojan injects itself into several running system processes, the system may automatically reboot if the ntos.exe file is deleted by the EXTRA.DAT.

Symantec:
No information at time of alert.

Trend:
No information at time of alert.
