Virus:TR/Agent.bag
Date discovered:30/06/2006
Type:Trojan
In the wild:No
Reported Infections:Low
Distribution Potential:Low
Damage Potential:Low to medium
Static file:Yes
File size:21.504 Bytes
MD5 checksum:897b5eafd36fd52801645d35541f1b27
VDF version:6.35.00.98
IVDF version:6.35.00.124 - Thursday, July 6, 2006

 General Method of propagation:
   • No own spreading routine


Aliases:
   •  Symantec: Trojan.Zlob
   •  Kaspersky: Trojan-Downloader.Win32.Small.cy
   •  TrendMicro: TROJ_SMALL.BYY
   •  Bitdefender: Trojan.Downloader.Small.DUA


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Downloads a malicious file
   • Registry modification

 Files It copies itself to the following locations:
   • %SYSDIR%\ab03f65e.exe
   • %HOME%\Local Settings\Application Data\ab03f65e.exe




It tries to download a file:

– The location is the following:
   • http://www.blueskyltd.biz/**********
It is saved on the local hard drive under: %malware execution directory%\loaded.exe Furthermore this file gets executed after it was fully downloaded. Further investigation pointed out that this file is malware, too.

 Registry The following registry keys are added in order to run the processes after reboot:

– HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   • "ab03f65e.exe"="%SYSDIR%\ab03f65e.exe"

– HKCU\Software\Microsoft\Windows\CurrentVersion\Run
   • "ab03f65e.exe"="%HOME%\Local Settings\Application Data\ab03f65e.exe"

 Backdoor Contact server:
The following:
   • http://207.226.177.108/BN/**********

As a result it may send some information.

Sends information about:
    • Current malware status

 Miscellaneous Mutex:
It creates the following Mutex:
   • be75e0da

 File details Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with the following runtime packer:
   • PE Pack

Description inserted by Ionut Slaveanu on Tuesday, September 5, 2006
Description updated by Ionut Slaveanu on Tuesday, September 5, 2006

Back . . . .