Virus: BDS/Drat-130
Type: Backdoor Server
In the wild: No
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Low to medium
Static file: Yes
File size: 167.936 Bytes
MD5 checksum: 6855f9e5ce14f098b387c8c318281aa5

General

Method of propagation:
   • No own spreading routine


Aliases:
   •  Kaspersky: Trojan-Spy.Win32.Agent.lx
   •  TrendMicro: TSPY_AGENT.CKU
   •  VirusBuster: TrojanSpy.Agent.DMA
   •  Bitdefender: Trojan.Spy.Agent.LX


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Drops malicious files
   • Registry modification


Right after execution it runs a Windows application that displays the following window:


Files

The following files are created:

– %SYSDIR%\webshell.dll
   Further investigation showed that this file is also malware. Detected as: BDS/Drat-130

– %SYSDIR%\winlog.dll
   Further investigation showed that this file is also malware. Detected as: TR/Spy.Agent.LX.2

– %TEMPDIR%\2952.doc
   This file is executed once it has been fully created.

Registry

The value of the following registry key is removed:



The following registry keys are added:

– HKCR\CLSID\{%CLSID%}
– HKCR\CLSID\{%CLSID%}\InProcServer32
   • "ThreadingModel"="Apartment"
   • "(Default)"="%SYSDIR%\webshell.dll"

– HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer
   • "InstallerParameters"=%hex values%

– HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
   • "WebShell"="{%CLSID%}"

File details

Programming language:
The malware program was written in MS Visual C++.

Description inserted by Marius T. Nicolae on Thursday, August 24, 2006
Description updated by Marius T. Nicolae on Thursday, September 7, 2006
