Virus:TR/Agent.PK.12
Date discovered:28/07/2006
Type:Trojan
In the wild:No
Reported Infections:Low
Distribution Potential:Low
Damage Potential:Low to medium
Static file:Yes
File size:152.576 Bytes
MD5 checksum:07c5676f2679af4a221b943e012daa2a
VDF version:6.35.01.17 - Friday, July 28, 2006
IVDF version:6.35.01.17 - Friday, July 28, 2006

 General Method of propagation:
   • No own spreading routine


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Blocks access to security websites
   • Registry modification

 Files It tries to download a file:

– The location is the following:
   • 208.66.195.**********:2234
It is saved on the local hard drive under: %TEMPDIR%\%several random digits%\2234.exe Furthermore this file gets executed after it was fully downloaded.

 Registry The value of the following registry key is removed:

–  HKCU\Software\Microsoft\Windows\CurrentVersion\Run
   • "DCOM Server"



It registers a browser helper object (BHO) by adding the following key:

– HKCR\CLSID\{2C1CD3D7-86AC-4068-93BC-A02304BB2234}\InProcServer32
   • "ThreadingModel"="Apartment"
   • "(Default)"="%malware execution directory%\%executed file%"



The following registry keys are added:

– HKCR\CLSID\{2C1CD3D7-86AC-4068-93BC-A02304BB2234}
– HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\
   ShellServiceObjectDelayLoad
   • "DCOM Server 2234"="{2C1CD3D7-86AC-4068-93BC-A02304BB2234}"

– HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\
   SharedTaskScheduler
   • "{2C1CD3D7-86AC-4068-93BC-A02304BB2234}"="DCOM Server 2234"

 Hosts The host file is modified as explained:

– In this case already existing entries remain unmodified.

– Access to the following domains is effectively blocked:
   • www.trendmicro.com; rads.mcafee.com; customer.symantec.com;
      liveupdate.symantec.com; us.mcafee.com; updates.symantec.com;
      www.nai.com; secure.nai.com; dispatch.mcafee.com; download.mcafee.com;
      www.my-etrust.com; mast.mcafee.com; ca.com; www.ca.com;
      networkassociates.com; www.networkassociates.com; avp.com;
      www.kaspersky.com; www.avp.com; downloads4.kaspersky-labs.com;
      downloads3.kaspersky-labs.com; downloads2.kaspersky-labs.com;
      downloads1.kaspersky-labs.com; www.f-secure.com; viruslist.com;
      www.viruslist.com; liveupdate.symantecliveupdate.com; www.mcafee.com;
      sophos.com; www.sophos.com; securityresponse.symantec.com;
      www.symantec.com




The modified host file will look like this:


 Backdoor Contact server:
The following:
   • 208.66.195.**********:2234

As a result it may send some information. The servers answer is written to the file: %APPDATA%\Microsoft\2234.dat


Sends information about:
    • Information about the Windows operating system

 Miscellaneous  Checks for an internet connection by contacting the following web sites:
   • aol.com
   • verizon.net
   • ameritech.net
   • cox.net
   • rr.com
   • adelphia.net
   • comcast.net
   • optonline.net


Mutex:
It creates the following Mutex:
   • hs5pdllv42234

 File details Programming language:
 The malware program was written in MS Visual C++.


Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with the following runtime packer:
   • UPX

Description inserted by Marius T. Nicolae on Tuesday, August 8, 2006
Description updated by Marius T. Nicolae on Thursday, August 17, 2006

Back . . . .