Virus: TR/Agent.bah
Date discovered: 12/07/2006
Type: Trojan
In the wild: No
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Medium
Static file: Yes
File size: 2.836.992 Bytes
MD5 checksum: c9990e25bf40674a2fefe09fbb931b5a
VDF version: 6.35.00.154
IVDF version: 6.35.00.193 - Thursday, July 20, 2006
General
Method of propagation:
• No own spreading routine

Aliases:
• Kaspersky: Trojan.Win32.Pakes
• TrendMicro: BKDR_HUPIGON.AYE
• F-Secure: Trojan.Win32.Pakes
• Eset: Win32/Hupigon.NAB
• Bitdefender: Backdoor.Agent.QF

Platforms / OS:
• Windows 98
• Windows 98 SE
• Windows NT
• Windows ME
• Windows 2000
• Windows XP
• Windows 2003

Side effects:
• Drops malicious files
• Records keystrokes
• Registry modification
• Steals information
• Third party control

Files
It copies itself to the following location:
• %PROGRAM FILES%\Common Files\System\Ole DB\MSMDG08O.com

It deletes the initially executed copy of itself.

The following files are created:
– %SYSDIR%\drivers\oreans32.sys
– %PROGRAM FILES%\Common Files\System\Ole DB\MSMDG08O.dll
  Further investigation showed that this file is malware, too. Detected as: TR/Pakes.A.687
– %PROGRAM FILES%\Common Files\System\Ole DB\MSMDG08Okey.DLL
  Further investigation showed that this file is malware, too. Detected as: TR/Pakes.A.688
– %PROGRAM FILES%\Common Files\System\Ole DB\MSMDG08Okey.log
  This file contains the collected keystrokes.
– %WINDIR%\uninstal.bat
  This batch file is executed as soon as it has been fully written and is used to delete a file.

Registry
The following registry keys are added in order to load the service after reboot:
– [HKLM\SYSTEM\CurrentControlSet\Services\oreans32]
  • "Type"=dword:00000001
  • "Start"=dword:00000001
  • "ErrorControl"=dword:00000001
  • "ImagePath"=\??\%SYSDIR%\drivers\oreans32.sys
  • "DisplayName"="oreans32"
– [HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Security]
  • "Security"=%hex values%
– [HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Enum]
  • "0"="Root\\LEGACY_OREANS32\\0000"
  • "Count"=dword:00000001
  • "NextInstance"=dword:00000001

Backdoor
Contact server:
• nightscorpio.kmip.**********:8989

As a result it may send information, and remote control of the system could be provided. It also periodically retries the connection.
Sends information about:
• Computer name
• Internet connection type
• IP address
• Information about the Windows operating system

Remote control capabilities:
• Launch DDoS SYN flood
• Disable network shares
• Enable network shares
• Start keylog

Injection
– It injects the following file into a process: MSMDG08O.dll
  Process name:
  • iexplore.exe
– It injects the following file into a process: MSMDG08Okey.DLL
  Process name:
  • %all running processes%

File details
Runtime packer:
In order to hamper detection and reduce the size of the file, it is packed with a runtime packer.
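The following read-only PowerShell check is an added example and is not part of the Avira description: it looks for the artifacts listed above (dropped files, the oreans32 service key and the DLL the description says is injected into iexplore.exe) and reports what it finds without changing anything. It assumes the path placeholders expand in the usual way (%PROGRAM FILES% to $env:ProgramFiles, %SYSDIR% to the System32 directory, %WINDIR% to $env:windir) and that the host runs a PowerShell version with Get-FileHash (4.0 or later), which the platforms listed in the description predate; on those systems the same paths and key would have to be checked by hand.

```powershell
# Added example, not part of the original description: read-only check for the
# TR/Agent.bah artifacts listed on the page. Reports findings; removes nothing.

# Assumed expansion of the description's placeholders.
$sysDir = [Environment]::GetFolderPath('System')      # %SYSDIR%
$oleDb  = Join-Path $env:ProgramFiles 'Common Files\System\Ole DB'  # %PROGRAM FILES%\...

# Files the description says are created or dropped.
$files = @(
    (Join-Path $oleDb 'MSMDG08O.com'),
    (Join-Path $oleDb 'MSMDG08O.dll'),
    (Join-Path $oleDb 'MSMDG08Okey.DLL'),
    (Join-Path $oleDb 'MSMDG08Okey.log'),   # keystroke log
    (Join-Path $sysDir 'drivers\oreans32.sys'),
    (Join-Path $env:windir 'uninstal.bat')
)

# MD5 of the analysed sample, taken from the description header.
$knownMd5 = 'c9990e25bf40674a2fefe09fbb931b5a'

$findings = @()

foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) {
        $hash = (Get-FileHash -LiteralPath $f -Algorithm MD5).Hash.ToLower()
        $detail = if ($hash -eq $knownMd5) { 'MD5 matches the TR/Agent.bah sample' } else { "MD5 $hash" }
        $findings += [pscustomobject]@{ Kind = 'file'; Artifact = $f; Detail = $detail }
    }
}

# Service key used for persistence of the oreans32 driver.
$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\oreans32'
if (Test-Path -LiteralPath $svcKey) {
    $svc = Get-ItemProperty -LiteralPath $svcKey
    $findings += [pscustomobject]@{
        Kind     = 'registry'
        Artifact = $svcKey
        Detail   = "Start=$($svc.Start) ImagePath=$($svc.ImagePath)"
    }
}

# The description says MSMDG08O.dll is injected into iexplore.exe: list matching loaded modules.
foreach ($p in Get-Process -Name iexplore -ErrorAction SilentlyContinue) {
    try {
        $mods = $p.Modules | Where-Object { $_.ModuleName -like 'MSMDG08O*' }
    } catch {
        # Module enumeration can fail across 32/64-bit boundaries or without sufficient rights.
        continue
    }
    foreach ($m in $mods) {
        $findings += [pscustomobject]@{
            Kind     = 'module'
            Artifact = $m.FileName
            Detail   = "loaded in iexplore.exe PID $($p.Id)"
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No TR/Agent.bah artifacts found.'
} else {
    $findings | Format-Table -AutoSize
}
```

A hit on the service key with Start=1 (SERVICE_SYSTEM_START) and an ImagePath under \drivers\ is the strongest indicator here, since the file names under Ole DB could be renamed by a variant while the service entry is what survives a reboot. Preserve the MSMDG08Okey.log file for incident handling before any cleanup, as it holds the captured keystrokes and therefore shows which credentials may have been exposed.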
Description inserted by Adriana Popa on Monday, September 4, 2006 Description updated by Adriana Popa on Tuesday, September 12, 2006