Virus: TR/Drop.Agent.BE
Date discovered: 13/12/2012
Type: Trojan
In the wild: No
Reported Infections: Low
Distribution Potential: Medium
Damage Potential: Medium
Static file: Yes
File size: 731.938 Bytes
MD5 checksum: 9b9182f439b5ad9c6d9d49bf62bb8c18
VDF version: 7.11.53.216

General
Method of propagation:
   • Local network


Aliases:
   •  TrendMicro: TROJ_MULTIDRP.EC
   •  Bitdefender: Trojan.Multidr.EI


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Downloads malicious files
   • Drops malicious files
   • Registry modification
   • Steals information
   • Third party control

Files
It deletes the initially executed copy of itself.



The following files are created:

%SYSDIR%\ssdpcl.dll
%SYSDIR%\XNET.EXE This file is executed once it has been fully written.
%SYSDIR%\ssdpcl.exe This file is executed once it has been fully written.
%SYSDIR%\install.bat This file is executed once it has been fully written. It contains information collected about the system.

Registry
The following registry keys are added in order to load the service after reboot:

[HKLM\SYSTEM\CurrentControlSet\Services\SSDPCL]
   • "Type"=dword:00000010
   • "Start"=dword:00000002
   • "ErrorControl"=dword:00000001
   • "ImagePath"="%SYSDIR%\ssdpcl.exe"
   • "DisplayName"="SSDP Controller"
   • "ObjectName"="LocalSystem"
   • "Description"="Provides Control for the SSDP Discovery Service."

[HKLM\SYSTEM\CurrentControlSet\Services\SSDPCL\Security]
   • "Security"=%hex values%

[HKLM\SYSTEM\CurrentControlSet\Services\SSDPCL\Enum]
   • "0"="Root\\LEGACY_SSDPCL\\0000"
   • "Count"=dword:00000001
   • "NextInstance"=dword:00000001
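As a defender-side triage aid (an added example, not part of this description or of any Avira tool), the following Python parses a .reg-style listing such as the one above and reports auto-start services that run as LocalSystem, flagging any whose image file name is one of the dropped files named in this description. The sample listing is constructed from the SSDPCL entries above plus one hypothetical manual-start service to show the filtering.

```python
import re

# Meaning of the "Type" and "Start" dwords (standard Windows service control manager values).
SERVICE_TYPE = {0x1: "kernel driver", 0x2: "file system driver", 0x10: "own process", 0x20: "shared process"}
START_MODE = {0: "boot", 1: "system", 2: "auto", 3: "manual", 4: "disabled"}

# File names of the dropped components listed in this description (lower-case for matching).
DROPPED_FILES = {"ssdpcl.exe", "ssdpcl.dll", "xnet.exe", "install.bat"}

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"?([^"=]+)"?=(.+)$')
SERVICE_KEY_RE = re.compile(r"^HKLM\\SYSTEM\\CurrentControlSet\\Services\\([^\\]+)$", re.I)


def parse_reg(text):
    """Parse a minimal .reg-style listing (with optional bullet markers) into {key: {name: value}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip().lstrip("• ").strip()
        if not line:
            continue
        if (m := KEY_RE.match(line)):
            current = m.group(1)
            keys[current] = {}
        elif current is not None and (m := VALUE_RE.match(line)):
            name, value = m.group(1), m.group(2)
            # dword values are hexadecimal; everything else is kept as a string without quotes.
            keys[current][name] = int(value[6:], 16) if value.startswith("dword:") else value.strip('"')
    return keys


def find_autostart_services(keys):
    """Return services that start automatically (boot/system/auto) as LocalSystem, with an indicator flag."""
    findings = []
    for key, values in keys.items():
        m = SERVICE_KEY_RE.match(key)
        if not m or "ImagePath" not in values or values.get("Start") not in (0, 1, 2):
            continue
        if values.get("ObjectName", "LocalSystem") != "LocalSystem":
            continue
        image = values["ImagePath"]
        basename = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        findings.append({"service": m.group(1), "start": START_MODE[values["Start"]],
                         "type": SERVICE_TYPE.get(values.get("Type"), "unknown"),
                         "image": image, "matches_indicator": basename in DROPPED_FILES})
    return findings


# Constructed sample: the SSDPCL key from this description plus a hypothetical manual-start service.
SAMPLE_LISTING = r"""
[HKLM\SYSTEM\CurrentControlSet\Services\SSDPCL]
   • "Type"=dword:00000010
   • "Start"=dword:00000002
   • "ErrorControl"=dword:00000001
   • "ImagePath"="%SYSDIR%\ssdpcl.exe"
   • "DisplayName"="SSDP Controller"
   • "ObjectName"="LocalSystem"
[HKLM\SYSTEM\CurrentControlSet\Services\SSDPCL\Security]
   • "Security"=%hex values%
[HKLM\SYSTEM\CurrentControlSet\Services\ExampleSvc]
   • "Start"=dword:00000003
   • "ImagePath"="%SYSDIR%\example.exe"
"""

if __name__ == "__main__":
    for finding in find_autostart_services(parse_reg(SAMPLE_LISTING)):
        print(finding)
```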



The following registry keys are added:

[HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SSDPCL]
   • "NextInstance"=dword:00000001

[HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SSDPCL\0000]
   • "Service"="SSDPCL"
   • "Legacy"=dword:00000001
   • "ConfigFlags"=dword:00000000
   • "Class"="LegacyDriver"
   • "ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"
   • "DeviceDesc"="SSDP Controller"

[HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SSDPCL\0000\Control]
   • "*NewlyCreated*"=dword:00000000
   • "ActiveService"="SSDPCL"

[HKCR\ABManager.AddressBooksManager]
   • @="AddressBooksManager Class"

[HKCR\ABManager.AddressBooksManager\CLSID]
   • @="{F55B4E8D-ECFF-11D3-BCE1-0004AC961EA6}"

[HKCR\ABManager.AddressBooksManager\CurVer]
   • @="ABManager.AddressBooksManager.1"

Backdoor
The following port is opened:

ssdpcl.exe on a random TCP port in order to provide backdoor capabilities.

Remote control capabilities:
   • Delete file
   • Download file
   • Execute file
   • Kill process
   • Perform port redirection
   • Restart system
   • Shut down system
   • Terminate process
   • Upload file
   • Visit a website

Description inserted by Catalin Jora on Monday, September 5, 2005
Description updated by Catalin Jora on Friday, September 9, 2005
