Virus:TR/Agent.DL.2
Date discovered:24/08/2005
Type:Trojan
In the wild:Yes
Reported Infections:Low
Distribution Potential:Low
Damage Potential:Medium
Static file:Yes
File size:36,969 Bytes
MD5 checksum:13f81b6b0d9cd62837cfebc22777cf63
VDF version:6.31.01.176

General
Method of propagation:
   • No own spreading routine


Aliases:
   •  Kaspersky: Trojan-Spy.Win32.Agent.gf
   •  TrendMicro: TROJ_AGENT.XZ
   •  Sophos: Troj/Dermon-D
   •  Panda: Trj/Agent.AII
   •  VirusBuster: Trojan.Agent.PK


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Disables security applications
   • Drops files
   • Lowers security settings
   • Records keystrokes
   • Registry modification
   • Steals information
   • Third party control

Files
It copies itself to the following location:
   • %SYSDIR%\winserver.exe



It deletes the initially executed copy of itself.



The following files are created:
   • %SYSDIR%\winserv.dll (further analysis showed that this file is malware, too)
   • %SYSDIR%\winserv32.dll (further analysis showed that this file is malware, too)
   • %SYSDIR%\winserv.ini (contains parameters used by the malware)
   • %SYSDIR%\winserv.dat (contains the collected keystrokes)



It tries to download a file from the following location:
   • http://pleskin.**********.ua/part3/check.dat

Registry
The following registry values are added so that the malware is started again after a reboot:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "win32 internet server"="%SYSDIR%\winserver.exe"

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
   • "win32 internet server"="%SYSDIR%\winserver.exe"

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • "win32 internet server"="%SYSDIR%\winserver.exe"



The following registry values are changed (the -nohome switch is removed from the http and https protocol handlers; the handlers still launch Internet Explorer):

– [HKLM\SOFTWARE\Classes\https\shell\open\command]
   Old value:
   • @="%PROGRAM FILES%\Internet Explorer\iexplore.exe" -nohome
   New value:
   • @="%PROGRAM FILES%\Internet Explorer\Iexplore.exe"

– [HKLM\SOFTWARE\Classes\http\shell\open\command]
   Old value:
   • @="%PROGRAM FILES%\Internet Explorer\iexplore.exe" -nohome
   New value:
   • @="%PROGRAM FILES%\Internet Explorer\Iexplore.exe"
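The registry entries above turned into a hunt and a cleanup. This is an added example, not code from the Avira description: it parses a Regedit export (the text that `reg export` or regedit's Export produces), reports the three "win32 internet server" Run/RunServices values and the two rewritten protocol handlers, and emits the .reg file that deletes the former and restores the latter. Assumptions not stated on the page: %PROGRAM FILES% expands to C:\Program Files, %SYSDIR% to C:\WINDOWS\system32, and the pre-infection handler data is the quoted form shown as "Old value" above. The export it runs on is constructed.

```python
# Added example for this description; not Avira's code. SAMPLE_EXPORT below is
# constructed. Assumed: %PROGRAM FILES% = C:\Program Files, %SYSDIR% =
# C:\WINDOWS\system32, and the handler's original data is quoted as shown.
import re

PERSISTENCE_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
)
PERSISTENCE_VALUE = "win32 internet server"
DROPPED_BINARY = "winserver.exe"

# Handler keys the malware rewrites, mapped to the "Old value" to restore.
HANDLER_KEYS = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\http\shell\open\command":
        r'"C:\Program Files\Internet Explorer\iexplore.exe" -nohome',
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\https\shell\open\command":
        r'"C:\Program Files\Internet Explorer\iexplore.exe" -nohome',
}

_VALUE_LINE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')

def _unescape(s):
    # .reg string data escapes backslash and double quote with a backslash.
    return re.sub(r'\\(.)', r'\1', s)

def _quote(s):
    return '"' + s.replace("\\", "\\\\").replace('"', '\\"') + '"'

def parse_reg_export(text):
    """Return {key (lower-cased): {value name (lower-cased): data}}.
    Only string (REG_SZ) data is decoded; other types are kept as written."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = _VALUE_LINE.match(line)
        if current is None or not m:
            continue
        name = "" if m.group(1) == "@" else _unescape(m.group(2))
        data = m.group(3)
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            data = _unescape(data[1:-1])
        keys[current][name.lower()] = data
    return keys

def find_indicators(keys):
    """Return (kind, key, value name, current data) for every indicator present."""
    findings = []
    for key in PERSISTENCE_KEYS:
        data = keys.get(key.lower(), {}).get(PERSISTENCE_VALUE)
        if data is not None and data.lower().endswith("\\" + DROPPED_BINARY):
            findings.append(("persistence", key, PERSISTENCE_VALUE, data))
    for key, expected in HANDLER_KEYS.items():
        data = keys.get(key.lower(), {}).get("")
        # Compare case-insensitively: besides dropping -nohome, the malware only
        # changes the capitalisation of iexplore.exe, which is not a real change.
        if data is not None and data.lower() != expected.lower():
            findings.append(("handler", key, "", data))
    return findings

def remediation_reg(findings):
    """Build a .reg file that deletes the Run values and restores the handlers."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for kind, key, name, _data in findings:
        lines.append(f"[{key}]")
        if kind == "persistence":
            lines.append(f'"{name}"=-')      # "name"=- deletes the value on import
        else:
            lines.append("@=" + _quote(HANDLER_KEYS[key]))
        lines.append("")
    return "\n".join(lines)

# Constructed export of an infected host (one benign Run entry included).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"win32 internet server"="C:\\WINDOWS\\system32\\winserver.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"win32 internet server"="C:\\WINDOWS\\system32\\winserver.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"win32 internet server"="C:\\WINDOWS\\system32\\winserver.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\http\shell\open\command]
@="\"C:\\Program Files\\Internet Explorer\\Iexplore.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\https\shell\open\command]
@="\"C:\\Program Files\\Internet Explorer\\Iexplore.exe\""
'''

if __name__ == "__main__":
    hits = find_indicators(parse_reg_export(SAMPLE_EXPORT))
    for kind, key, name, data in hits:
        print(f"{kind:12} {key}  {name or '@'} = {data}")
    print(remediation_reg(hits))
```

Feed it the concatenated output of `reg export` for the five keys. Importing the generated .reg removes the autostart entries and puts -nohome back, but it does not stop the thread already running inside lsass.exe and it does not remove the dropped files, which the rootkit component hides from the Windows API; finish the cleanup with a reboot and a scan from outside the infected system.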

Process termination
The following processes (ZoneAlarm and Outpost personal firewall components) are terminated:
   • zonealarm.exe
   • zonalm2601.exe
   • outpost.exe


Backdoor
The following port is opened:

%SYSDIR%\lsass.exe on a random TCP port in order to provide backdoor capabilities. The listening socket belongs to the lsass.exe process because the malware runs as an injected thread inside it (see Injection below), so the port is not attributed to winserver.exe.


Contact server:
It contacts the following server:
   • http://pleskin.**********.ua/

The collected information is sent to a PHP script on this server, using HTTP GET and HTTP POST requests.


Sends information about:
   • Created logfiles
   • Environment variables
   • IP address
   • Information about the network
   • Opened port (the backdoor port)
   • Information about the Windows operating system

Stealing
– A logging routine is started after one of the following websites is visited:
   • https://www.e-gold.com/acct/balance.asp
   • https://www.e-gold.com/acct/accountinfo.asp
   • https://www.e-gold.com/acct/acct.asp

– A logging routine is also started after a website is visited whose URL contains one of the following substrings:
   • "e-gold"
   • "e-bullion"
   • "intgold"
   • "1MDC"
   • "Pecunix"
   • "GoldMoney"
   • "Virtualgold"
   • "NetPay"
   • "paymer"

– It captures:
   • Keystrokes
   • Window information

Injection
– It injects itself as a thread into the following process:
   • lsass.exe
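Because the backdoor listener and the HTTP traffic to the contact server originate from the thread injected into lsass.exe, the host-side evidence is a listening TCP socket, and outbound connections, owned by the lsass.exe process. The following added example (not Avira's code) correlates the output of `netstat -ano` with `tasklist` to find exactly that; the two outputs it parses are constructed. Caveat, from general Windows knowledge rather than the page: on a domain controller lsass.exe legitimately listens (LDAP, Kerberos, RPC), so pass those ports as `known_ports` there; on a workstation lsass.exe is not expected to own any listening TCP socket.

```python
# Added example for this description, not Avira's code. NETSTAT and TASKLIST
# below are constructed. Assumption: lsass.exe does not normally listen on TCP
# on a workstation; on a domain controller list its legitimate ports in known_ports.
import re

_TASKLIST_ROW = re.compile(r"^(.*?\S)\s+(\d+)\s+\S+\s+\d+\s+[\d,.]+ K\s*$")

def parse_netstat(text):
    """Rows of `netstat -ano` as (proto, local ip, local port, foreign, state, pid)."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        ip, _, port = parts[1].rpartition(":")
        if parts[0] == "TCP":
            state, pid = parts[3], int(parts[4])
        else:                            # UDP rows have no State column
            state, pid = "", int(parts[3])
        rows.append((parts[0], ip, int(port), parts[2], state, pid))
    return rows

def parse_tasklist(text):
    """Map PID -> image name from `tasklist` output (image names may contain spaces)."""
    pids = {}
    for line in text.splitlines():
        m = _TASKLIST_ROW.match(line)
        if m:
            pids[int(m.group(2))] = m.group(1)
    return pids

def suspicious_listeners(netstat_text, tasklist_text, image="lsass.exe", known_ports=()):
    """TCP LISTENING sockets owned by `image`, minus ports known to be legitimate."""
    pids = parse_tasklist(tasklist_text)
    return [
        (ip, port, pid)
        for proto, ip, port, _foreign, state, pid in parse_netstat(netstat_text)
        if proto == "TCP" and state == "LISTENING"
        and pids.get(pid, "").lower() == image.lower()
        and port not in known_ports
    ]

def outbound_from(netstat_text, tasklist_text, image="lsass.exe"):
    """Established TCP connections owned by `image`, as (remote address, pid)."""
    pids = parse_tasklist(tasklist_text)
    return [
        (foreign, pid)
        for proto, _ip, _port, foreign, state, pid in parse_netstat(netstat_text)
        if proto == "TCP" and state == "ESTABLISHED"
        and pids.get(pid, "").lower() == image.lower()
    ]

NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       928
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:1171           0.0.0.0:0              LISTENING       680
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING       1244
  TCP    192.168.1.20:1180      10.0.0.5:80            ESTABLISHED     680
  UDP    0.0.0.0:445            *:*                                    4
"""

TASKLIST = """\
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Console                    0         28 K
System                           4 Console                    0        236 K
lsass.exe                      680 Console                    0      1,420 K
svchost.exe                    928 Console                    0      4,692 K
alg.exe                       1244 Console                    0      3,436 K
"""

if __name__ == "__main__":
    for ip, port, pid in suspicious_listeners(NETSTAT, TASKLIST):
        print(f"lsass.exe (pid {pid}) is listening on {ip}:{port}")
    for remote, pid in outbound_from(NETSTAT, TASKLIST):
        print(f"lsass.exe (pid {pid}) has a connection to {remote}")
```

The random port means there is no fixed number to look for; the owning process is the stable indicator, which is why the check keys on the image name rather than the port.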


Miscellaneous
Mutex:
It creates the following mutex:
   • IS_ALIVE

Rootkit Technology
The malware hides its presence from system utilities, security applications and, ultimately, from the user.


Hides the following:
   • Its own files


Method used:
   • Hidden from the Windows API (the dropped files are filtered out of file listings obtained through the Windows API, so a scan run from within the infected system may not see them)

File details
Programming language:
The malware was written in Borland C++.


Runtime packer:
To hinder detection and reduce the file size, the executable is packed with a runtime packer.

Description inserted by Oliver Auerbach on Wednesday, August 24, 2005
Description updated by Oliver Auerbach on Friday, August 26, 2005
