Virus:TR/Agent.121
Date discovered:17/03/2006
Type:Trojan
In the wild:No
Reported Infections:Low
Distribution Potential:Low
Damage Potential:Medium
Static file:Yes
File size:24.577 Bytes
MD5 checksum:27cdc487080B61e035fffb686fd882ae
VDF version:6.34.00.61

General:
Method of propagation:
   • No own spreading routine


Aliases:
   •  Symantec: PWSteal.Reoxtan
   •  McAfee: PWS-Reox
   •  TrendMicro: TSPY_REOX.F
   •  Bitdefender: Trojan.Spy.Reox.E


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Lowers security settings
   • Registry modification
   • Third party control

Files:
It copies itself to the following location:
   • %SYSDIR%\service\explorer.exe



The following file is created:

%SYSDIR%\service\dllp.txt
This is a non-malicious text file with the following content:
   • %stolen information%




It tries to download a file:

– The location is the following:
   • http://ccunion.org/**********
It is saved on the local hard drive under: %SYSDIR%\compress.exe

Registry:
The following registry value is added repeatedly (in an infinite loop) so that the process is run again after reboot.

–  [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
   Run]
   • 1 = %SYSDIR%\service\explorer.exe



The following registry keys are changed:

Deactivate Windows Firewall:
– [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\
   FirewallPolicy\StandardProfile\]
   New value:
   • DoNotAllowExceptions = 0
   • EnableFirewall = 0
   • DisableNotifications = 1

– [HKLM\SOFTWARE\Microsoft\Security Center\]
   New value:
   • AntiVirusDisableNotify = 1
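The registry changes listed above (the Policies\Explorer\Run persistence entry and the weakened Windows Firewall and Security Center values) can be checked offline against a `reg export` dump. The script below is an added defender-side example and is not part of this description or of any vendor tool; it parses a constructed sample dump (not from a real host) and flags the four values at the settings the trojan writes, plus any Policies\Explorer\Run entry pointing at a `\service\explorer.exe` path. The `C:\WINDOWS\system32` expansion of `%SYSDIR%` in the sample is an assumption, and `reg export` writes full hive names (`HKEY_LOCAL_MACHINE`) where this page abbreviates `HKLM`/`HKCU`.

```python
import re
from typing import Dict, List

RegDump = Dict[str, Dict[str, object]]

# Constructed sample of a `reg export`-style dump. The paths and values below are
# taken from the description; the %SYSDIR% expansion is an assumption.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=dword:00000000
"DoNotAllowExceptions"=dword:00000000
"DisableNotifications"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"1"="C:\\WINDOWS\\system32\\service\\explorer.exe"
"""

FIREWALL_KEY = (r"hkey_local_machine\system\currentcontrolset\services\sharedaccess"
                r"\parameters\firewallpolicy\standardprofile")
SECURITY_CENTER_KEY = r"hkey_local_machine\software\microsoft\security center"
POLICIES_RUN_KEY = (r"hkey_current_user\software\microsoft\windows\currentversion"
                    r"\policies\explorer\run")

# (key, value name, data the trojan writes) as documented in the description.
WEAKENED_VALUES = [
    (FIREWALL_KEY, "EnableFirewall", 0),
    (FIREWALL_KEY, "DoNotAllowExceptions", 0),
    (FIREWALL_KEY, "DisableNotifications", 1),
    (SECURITY_CENTER_KEY, "AntiVirusDisableNotify", 1),
]

_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')


def parse_reg_export(text: str) -> RegDump:
    """Parse the subset of .reg syntax that `reg export` emits: [key] headers,
    "name"=dword:hex and "name"="string" lines. Keys are lower-cased so that
    lookups are case-insensitive, as the registry itself is."""
    dump: RegDump = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].rstrip("\\").lower()
            dump.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m is None or current is None:
            continue
        name, data = m.group("name"), m.group("data")
        if data.startswith("dword:"):
            dump[current][name] = int(data[len("dword:"):], 16)
        elif data.startswith('"') and data.endswith('"'):
            # .reg files escape backslashes in string data; undo that.
            dump[current][name] = data[1:-1].replace("\\\\", "\\")
        else:
            dump[current][name] = data  # other types (hex:, expand strings) kept raw
    return dump


def audit(dump: RegDump) -> List[str]:
    """Return one finding per value that matches the trojan's settings, plus one
    per Policies\\Explorer\\Run entry that points at a \\service\\explorer.exe path."""
    findings: List[str] = []
    for key, name, bad in WEAKENED_VALUES:
        actual = dump.get(key, {}).get(name)
        if actual == bad:
            findings.append(f"{name}={actual} under {key}")
    for name, data in dump.get(POLICIES_RUN_KEY, {}).items():
        if isinstance(data, str) and data.lower().endswith(r"\service\explorer.exe"):
            findings.append(f"persistence entry {name!r} -> {data}")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_reg_export(SAMPLE_REG_EXPORT)):
        print("FLAG:", finding)
```

On a live host the same checks apply to a dump produced with `reg export` of the two HKLM keys and the HKCU Policies key; because the trojan re-adds the Run value in a loop, a value that reappears after deletion is itself a sign the process is still running.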

Backdoor:
The following port is opened:

%SYSDIR%\service\explorer.exe on TCP port 47800 in order to provide a proxy server.


Contact server:
All of the following:
   • http://ccunion.org/**********
   • http://ccunion.org/**********
   • http://ccunion.org/**********
   • http://ccunion.org/**********

As a result it may send information, and remote control may be provided. This is done via HTTP GET and POST requests to a PHP script.


Sends information about:
    • Cached passwords
    • Computer name
    • Created logfiles
    • IP address
    • Information about the network
    • Opened port
    • Information about running processes
    • Collected information described in stealing section


Remote control capabilities:
    • Download file
    • Execute file
    • Start keylog

Stealing:
It tries to steal the following information:
– Recorded passwords used by the AutoComplete function

– Passwords from the following programs:
   • Outlook
   • Far
   • The Bat
   • WinCmd
   • Edialer

File details:
Programming language:
The malware program was written in MS Visual C++.


Runtime packer:
In order to hinder detection and reduce the file size, it is packed with the following runtime packer:
   • MEW

Description inserted by Andrei Gherman on Friday, April 7, 2006
Description updated by Andrei Gherman on Friday, April 7, 2006
