Virus:TR/Agent.baf.1
Date discovered:12/07/2006
Type:Trojan
In the wild:No
Reported Infections:Low
Distribution Potential:Low
Damage Potential:Medium
Static file:Yes
File size:79.360 Bytes
MD5 checksum:cd66ab672f46da1a09c0e7516b53f191
VDF version:6.35.00.154
IVDF version:6.35.00.193 - Thursday, July 20, 2006

 General Method of propagation:
   • No own spreading routine


Aliases:
   •  Mcafee: CoreFlood.dr
   •  Kaspersky: Backdoor.Win32.Afcore.cr
   •  TrendMicro: BKDR_AFCORE.AD
   •  F-Secure: Backdoor.Win32.Afcore.cr
   •  Eset: Win32/Afcore


Platforms / OS:
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Drops a malicious file
   • Registry modification
   • Steals information
   • Third party control

 Files The following files are created:

%TEMPDIR%\%random character string%.dll Furthermore it gets executed after it was fully created. Further investigation pointed out that this file is malware, too. Detected as: TR/Agent.baf.3

%SYSDIR%\%random character string%.dll Further investigation pointed out that this file is malware, too. Detected as: TR/Agent.baf.3

%SYSDIR%\%random character string%.dat
%SYSDIR%\%random character string%.dat
%SYSDIR%\%random character string%.dat
%SYSDIR%\%random character string%.dat
%SYSDIR%\%random character string%.dat

 Registry  The following registry keys including all values and subkeys are removed:
   • HKLM\Software\Classes\CLSID\{750fdf0e-2a26-11d1-a3ea-080036587f03}\InprocServer32
   • HKLM\Software\Classes\CLSID\{750fdf0e-2a26-11d1-a3ea-080036587f03}
   • HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\Offline Files



The following registry keys are added:

– HKLM\SOFTWARE\Classes\CLSID\{%generated CLSID%}
   • "(default)"="%random character string%"

– HKLM\SOFTWARE\Classes\CLSID\{%generated CLSID%}\
   InprocServer32
   • "(default)"="%SYSDIR%\%random character string%.dll"
   • "ThreadingModel"="Apartment"

– HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\
   ShellIconOverlayIdentifiers\iepeets
   • "(default)"="{%generated CLSID%}"

 Backdoor Contact server:
The following:
   • http://joy4host.com**********

As a result it may send information and remote control could be provided. This is done via the HTTP POST method using a CGI script.


Sends information about:
    • Current malware status
    • Malware uptime
    • Information about the Windows operating system

 Miscellaneous Mutex:
It creates the following Mutexes:
   • %system-dependent%
   • %system-dependent%

Description inserted by Teodor Onisor on Tuesday, September 5, 2006
Description updated by Teodor Onisor on Wednesday, September 13, 2006

Back . . . .