Alias:
Type:Worm 
Size:97.280 Bytes 
Origin: 
Date:06-09-2005 
Damage: 
VDF Version:6.31.0.18 
Danger:Low 
Distribution:Low 

General DescriptionAffected Platforms
* Windows 95
* Windows 98
* Windows ME
* Windows NT
* Windows 2000
* Windows XP
* Windows Server 2003

Symptoms- opens TCP port 6666

Technical DetailsIf the trojan "TR/Agent.P.2" is executed, it creates the following files:
\%Sysdir%\k.exe
\%Sysdir%\fkd8df6s.lnk (505 Bytes)
\%Sysdir%\lizenz.txt (6.727 Bytes)
\%Windir%\witetest
\%Sysdir%\pdata (335 Bytes)
\%Sysdir%\lddata (4 Bytes)
\%Sysdir%\ddata (57.921 Bytes)
\%Favorites%\-ebay-.url
\%Favorites%\-aktuelle-news-.url

It also operates the following modifications in the Windows Registry:
- New Entries
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wi ndows\CurrentVersion\Run]
"System"="C:\\WINDOWS\\System\\k.exe"

[HKEY_CURRENT_USER\Software\System]
"SystemFlag"=dword:00000001
"SystemId"="<%randomdigits%>"
"SystemTimeout"=dword:0000000a
"SystemTimer"=dword:0000000a
"SystemHost"="ÓH2ö§a3-ü?‹ßc3P"
"SystemVersion"=dword:00000071
"SystemStamp"="<%randomdigits%>"
"SystemFlagTimeout"=dword:00000001
"SystemFavoriteVersion"=dword:0000007a
"SystemHostlistVersion"=dword:00000083

[HKEY_LOCAL_MACHINE\SOFTWARE\System]
"System"=dword:<%randomnumber%>

- Changed Entries:
[HKEY_CURRENT_USER\Software\Microsoft\Int ernet Explorer\Main]
"Search Page"="http://ie.search.msn.com"
"Use Custom Search URL"=dword:00000001
"Default_Search_URL"="http://ie.search.msn.com"
"Search Bar"="http://ie.search.msn.com"

The virus "TR/Agent.P.2" displays a window with a License Agreement (EULA). If this is not validated, the programs stops its execution:
http://www.antivir.de/uploads/RTEmagicC_AgentP2_01.jpg.jpg

The trojan generates a mutex named "UNIQUENAMEHERE".

It calls an URL and receives delievered data, which then creates the following files:
pdata
ddata
lddata

TR/Agent.P.2 opens TCP Port 6666 and generates a ICMP request to all IP adresses im the range 213.203.209.118 - 213.203.209.126.

It also creates a WOHIS query to the following servers and asks for the domain names in the file "ddata ":

"whois.internic.com"
"whois.adamsnames.tc"
"whois.nic.be"
"whois.nic-se.se"
"whois.nic.cc"
"whois.nic.nu"
"whois.nic.dk"
"whois.nic.nl"
"whois.partnergate.de"
"whois.nic.it"
"whois.nic.li"
"whois.nic.ch"
"whois.nic.at"
"whois.crsnic.net"
"whois.publicinterestregistry.net"
"whois.nic.uk"
"whois.afilias.info"
"whois.nic.biz"
"whois.neulevel.biz"
"whois1.verisign-grs.net"
"whois.dns.pl"
"whois.nic.us"
"whois.ripe.net"
"whois.nic.ag"
"whois.cnnic.net.cn"
"whois.denic.de"

The file "fkd8df6s.lnk" is a link, which the trojan calls with a parameter:
"C:\WINDOWS\system\k.exe /uninstall"


The trojan removes all the created files and copies itself in the Windows directory with the name "removeme.exe".
Die Beschreibung wurde erstellt von Crony Walker am Dienstag, 15. Juni 2004

zurück . . . .