Spy

MSIL/Spy.Agent.BH removal guide

Malware Removal

The MSIL/Spy.Agent.BH is considered dangerous by lots of security experts. When this infection is active, you may notice unwanted processes in Task Manager list. In this case, it is adviced to scan your computer with GridinSoft Anti-Malware.

GridinSoft Anti-Malware

Gridinsoft Anti-Malware

Removing PC viruses manually may take hours and may damage your PC in the process. We recommend using GridinSoft Anti-Malware for virus removal. Allows to complete scan and cure your PC during the trial period.
DOWNLOAD NOW
6-day free trial available.

What MSIL/Spy.Agent.BH virus can do?

  • SetUnhandledExceptionFilter detected (possible anti-debug)
  • Behavioural detection: Executable code extraction – unpacking
  • Creates RWX memory
  • Guard pages use detected – possible anti-debugging.
  • Dynamic (imported) function loading detected
  • Enumerates the modules from a process (may be used to locate base addresses in process injection)
  • Reads data out of its own binary image
  • CAPE extracted potentially suspicious content
  • Authenticode signature is invalid
  • Anomalous .NET characteristics
  • Steals private information from local Internet browsers
  • Collects and encrypts information about the computer likely to send to C2 server
  • Harvests cookies for information gathering
  • Harvests credentials from local FTP client softwares
  • Harvests information related to installed instant messenger clients

How to determine MSIL/Spy.Agent.BH?



File Info:

name: 49CB2D8BE729C2BB4282.mlw
path: /opt/CAPEv2/storage/binaries/6835c3965eb91d8a8edc912f7dd976cef4023cb1fae3e6b21dd1f6a01a6dbdaa
crc32: 5DA3328F
md5: 49cb2d8be729c2bb4282894c5ff7223c
sha1: 0876caea9a0b8d1a0367ffee70a5b63844557171
sha256: 6835c3965eb91d8a8edc912f7dd976cef4023cb1fae3e6b21dd1f6a01a6dbdaa
sha512: e984307a43c3b12353c2082a286e6d07fcd79011f88212791705a9c654ceb1637eda8315ec686a1c5f0c1365c1d5613f51a8c7b5671f7711daaaeb545aad1af2
ssdeep: 768:WNYjeskH7WkWHGUheEYKuSr/6EHjnrwpLelNjNsrJ/Dr0MYAoY3hrdHc:WNYSskHKVHJrlHTUpqvSLUY3A
type: PE32 executable (GUI) Intel 80386, for MS Windows
tlsh: T18DB3C90A87558E9AC460EBFB1FFB279A2FF2D7F46533E49DC4AA65C90BA1357C040190
sha3_384: e0b844ba6bc5727d55b019c0ba18016f3b2a6a488d4cc6c661ef0a5a8340a76965985c617937b704ef2cbbf29f66c601
ep_bytes: ff250020400000000000000000000000
timestamp: 2011-06-13 11:22:08


Version Info:

Translation: 0x0000 0x04b0
FileDescription: microsoft
FileVersion: 0.0.0.0
InternalName: msn.exe
LegalCopyright:  
OriginalFilename: msn.exe
ProductVersion: 0.0.0.0
Assembly Version: 0.0.0.0

MSIL/Spy.Agent.BH also known as:

BkavW32.AIDetectNet.01
LionicTrojan.Win32.Generic.4!c
MicroWorld-eScanGen:Heur.MSIL.Androm.3
ALYacGen:Heur.MSIL.Androm.3
CylanceUnsafe
SangforSuspicious.Win32.Save.a
K7AntiVirusRiskware ( 0015e4f01 )
AlibabaTrojan:MSIL/Generic.4705cb1f
K7GWRiskware ( 0015e4f01 )
Cybereasonmalicious.be729c
SymantecML.Attribute.HighConfidence
Elasticmalicious (high confidence)
ESET-NOD32MSIL/Spy.Agent.BH
APEXMalicious
Paloaltogeneric.ml
ClamAVWin.Trojan.Agent-853974
KasperskyHEUR:Trojan.Win32.Generic
BitDefenderGen:Heur.MSIL.Androm.3
NANO-AntivirusTrojan.Win32.Win32.dkfsxw
AvastWin32:Malware-gen
TencentWin32.Trojan.Generic.Pftr
Ad-AwareGen:Heur.MSIL.Androm.3
SophosMal/Generic-S + Mal/Generic-L
ComodoMalware@#1mtuugd4ks1x
ZillyaTrojan.Agent.Win32.302918
TrendMicroTROJ_GEN.R002C0PA722
McAfee-GW-EditionBehavesLike.Win32.Generic.ch
FireEyeGeneric.mg.49cb2d8be729c2bb
EmsisoftGen:Heur.MSIL.Androm.3 (B)
SentinelOneStatic AI – Malicious PE
GDataGen:Heur.MSIL.Androm.3
JiangminTrojan.Generic.dwoec
WebrootW32.Backdoor.Refroso
AviraTR/Dropper.MSIL.Gen
MAXmalware (ai score=100)
KingsoftWin32.PSWTroj.Agent.h.(kcloud)
ArcabitTrojan.MSIL.Androm.3
ZoneAlarmHEUR:Trojan.Win32.Generic
MicrosoftBackdoor:Win32/Bladabindi!ml
CynetMalicious (score: 99)
AhnLab-V3Trojan/Win32.Zapchast.C2425138
Acronissuspicious
McAfeeGenericRXHN-PI!49CB2D8BE729
VBA32TrojanPSW.MSIL.Agent
TrendMicro-HouseCallTROJ_GEN.R002C0PA722
RisingMalware.Obfus/MSIL@AI.96 (RDM.MSIL:Y8g7TsPZGsg5gx/2aYMtYA)
YandexTrojan.PWS.Agent!AYAG2Hz9C2g
IkarusTrojan-Dropper.MSIL
MaxSecureTrojan.Malware.5191012.susgen
FortinetW32/Malware_fam.NB
BitDefenderThetaGen:NN.ZemsilF.34638.gm0@aiT70@n
AVGWin32:Malware-gen
PandaGeneric Malware
CrowdStrikewin/malicious_confidence_100% (W)

How to remove MSIL/Spy.Agent.BH?

MSIL/Spy.Agent.BH removal tool
  • Download and install GridinSoft Anti-Malware.
  • Open GridinSoft Anti-Malware and perform a “Standard scan“.
  • Move to quarantine” all items.
  • Open “Tools” tab – Press “Reset Browser Settings“.
  • Select proper browser and options – Click “Reset”.
  • Restart your computer.

You may also like

About the author

Paul Valéry

I'm a cyber security analyst and data science expert with 5+ years of experience with security software contractors.

View all posts

Leave a Comment