Virus: BDS/Agent.FK.2
Date discovered: 12/09/2006
Type: Backdoor Server
In the wild: No
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Medium
Static file: Yes
File size: 66.560 Bytes
MD5 checksum: 8b1989f14257e9a05044d34d94d1af47
VDF version: 6.35.01.215
IVDF version: 6.35.01.219 - Wednesday, September 13, 2006

General method of propagation:
   • No own spreading routine


Aliases:
   •  Kaspersky: Backdoor.Win32.Agent.fk
   •  TrendMicro: BKDR_AGENT.ETZ
   •  F-Secure: Backdoor.Win32.Agent.fk
   •  Grisoft: BackDoor.Agent.CJW
   •  Eset: Win32/Agent.NBG


Platforms / OS:
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Drops files
   • Records keystrokes
   • Steals information
   • Third party control

Files:
The following files are created:

%SYSDIR%\w32setng.dat
%SYSDIR%\Netx1.dat This file contains collected keystrokes.
%SYSDIR%\Netx2.dat This file contains collected keystrokes.
%SYSDIR%\Netxk.datQ This file contains collected keystrokes.



It tries to download a file:

– The location is the following:
   • www.geocities.com/sbstnrother/**********
It is saved on the local hard drive under: %temporary internet files%\ngaq.zip
At the time of writing, this file was not online for further investigation.

IRC:
To deliver system information and to provide remote control, it connects to the following IRC servers:

Server: paln.fw.**********
Port: 4668
Channel: #net2
Nickname: USA|%operating system%|%four-digit random character string%

Server: srother.kwik.**********
Port: 4669
Channel: #net1
Nickname: USA|%operating system%|%four-digit random character string%

Server: quant.mooo.**********
Port: 4669
Channel: #net3
Nickname: USA|%operating system%|%four-digit random character string%

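The IRC profile above (C2 ports 4668/4669, channels #net1 to #net3, the USA|%operating system%|XXXX nickname scheme) and the dropped files listed under "Files" can be turned into simple host and network detection logic. The following is an added example, not part of this description or of any vendor tool; the log line format and the sample log are constructed for illustration, and the masked server names are deliberately not used.

```python
import re

# Indicators taken from the description: C2 ports, channels and nickname
# pattern. The server names are masked on the page, so they are not used.
BOT_PORTS = {4668, 4669}
BOT_CHANNELS = {"#net1", "#net2", "#net3"}
# Nickname: USA|<operating system>|<four-character random string>
NICK_RE = re.compile(r"^USA\|[^|]+\|[A-Za-z0-9]{4}$")
# Files dropped into %SYSDIR% (lower-cased; the last one spelled as printed)
DROPPED_FILES = {"w32setng.dat", "netx1.dat", "netx2.dat", "netxk.datq"}

def is_bot_nick(nick: str) -> bool:
    """True if an IRC nick follows the USA|<os>|XXXX scheme used by the bot."""
    return NICK_RE.match(nick) is not None

def is_dropped_file(path: str) -> bool:
    """True if a path's file name matches one of the dropped keystroke/data files."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return name in DROPPED_FILES

# Hypothetical proxy log format, constructed for this example:
# "<timestamp> <src_ip> -> <dst_host>:<dst_port> IRC <COMMAND> [args]"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>[^:\s]+):(?P<port>\d+) "
    r"IRC (?P<cmd>\S+)(?: (?P<arg>.*))?$"
)

def scan_irc_log(lines):
    """Return (src_ip, kind, detail) hits for traffic matching the bot's IRC profile."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not an IRC record in the expected format; skip
        port, cmd, arg = int(m["port"]), m["cmd"].upper(), (m["arg"] or "").strip()
        if cmd == "NICK" and is_bot_nick(arg):
            hits.append((m["src"], "nick", f"{arg} on port {port}"))
        elif cmd == "JOIN" and port in BOT_PORTS and arg.lower() in BOT_CHANNELS:
            hits.append((m["src"], "join", f"{arg} on port {port}"))
    return hits

# Constructed sample log: one infected host (10.0.0.5) and one benign IRC user.
SAMPLE_LOG = [
    "2006-09-13T10:00:01 10.0.0.5 -> 203.0.113.9:4669 IRC NICK USA|WinXP|k3Fz",
    "2006-09-13T10:00:02 10.0.0.5 -> 203.0.113.9:4669 IRC JOIN #net1",
    "2006-09-13T10:01:00 10.0.0.7 -> 198.51.100.2:6667 IRC NICK alice_dev",
    "2006-09-13T10:01:01 10.0.0.7 -> 198.51.100.2:6667 IRC JOIN #python",
]
```

Running `scan_irc_log(SAMPLE_LOG)` flags only the 10.0.0.5 host, once for the nickname and once for the channel join on a C2 port; `is_dropped_file` can be applied to file-creation events from the same hosts.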


– This malware has the ability to collect and send information such as:
    • Information about running processes
    • Information about the Windows operating system


– Furthermore it has the ability to perform actions such as:
    • Connect to IRC server
    • Launch DDoS SYN flood
    • Launch DDoS TCP flood
    • Launch DDoS UDP flood
    • Disconnect from IRC server
    • Download file
    • Kill process
    • Start keylog
    • Terminate process

Miscellaneous:
Checks for an internet connection by contacting the following web site:
   • www.cnn.com

File details:
Programming language:
The malware program was written in MS Visual C++.


Runtime packer:
In order to hinder detection and reduce the size of the file, it is packed with the following runtime packer:
   • PECompact2

Description inserted by Adriana Popa on Friday, October 13, 2006
Description updated by Adriana Popa on Friday, October 13, 2006
