Spy-Agent.ch is a Trojan that attempts to steal confidential information from the victim’s machine.

When Spy-Agent.ch is executed the user is presented with a dialogue box that displays the following application error message:

'Microsoft Word cannot start!'

It copies itself as ALMQE.EXE to the %Sysdir% folder

It also drops a DLL component ALMQE.DLL into the same folder. This DLL component is injected in to the same memory space as Explorer.exe.

It is the DLL component that contains the code to capture the information from the infected system.

The following information may be captured:

  • MSN Passwords
  • AIM Passwords
  • RAS Passwords
  • Yahoo Passwords
  • Url History

    A randomly named file is created in the %Sysdir% folder. This file contains the captured information which is also encrypted.

    The following registry key is created and has reference to the random file:

    HKEY_CURRENT_USER\Software\Adobe\IALC "IAM" = %SysDir%\[Random_File]

    More information can be found at this McAfee page.