Virus: Worm/Agent.I
Date discovered: 04/08/2006
Type: Worm
In the wild: No
Reported infections: Low
Distribution potential: Low
Damage potential: Low to medium
Static file: Yes
File size: 71.168 Bytes
MD5 checksum: 8c6b079a6952d4ebb984c27ccda522e0
VDF version: 6.35.01.52 - Friday, August 4, 2006
IVDF version: 6.35.01.52 - Friday, August 4, 2006

General method of propagation:
   • No spreading routine of its own


Aliases:
   •  Symantec: Backdoor.Trojan
   •  McAfee: Enfal.dr
   •  Kaspersky: Worm.Win32.Agent.i
   •  TrendMicro: WORM_AGENT.DJI
   •  Sophos: Troj/Enfal-B
   •  VirusBuster: Worm.Agent.DUO
   •  Bitdefender: Win32.Worm.Agent.C


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Drops a malicious file
   • Registry modification

Files
The following files are created:

– A temporary file that may be deleted afterwards:
   • %SYSDIR%\ace\temp\KB791024.L0G

– %SYSDIR%\NtApi.exe. It is executed once it has been fully written.
– %malware execution directory%\WinTask.exe. It is executed once it has been fully written. Further investigation showed that this file is malware, too. Detected as: TR/Enfal.E

Registry
The following registry key is added:

– HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion
   • "ProgramFileID"=dword:00000001
The following registry keys are changed:

– HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
   New value:
   • "ShowSuperHidden"=dword:00000000

– HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
   New value:
   • "Shell"=Explorer.exe,%SYSDIR%\%executed file%
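
The registry changes listed above are the persistence and stealth artifacts a responder would look for on a suspect host. The following is an added example, not part of the original description: it parses a constructed .reg export (the Winlogon Shell value is shown with an assumed %SYSDIR% of C:\WINDOWS\system32 and NtApi.exe as the executed file) and reports each of the three indicators.

```python
# Constructed sample of a .reg export (not captured from a real host),
# containing the values this description lists. %SYSDIR% and the
# executed file name are assumptions for the sample.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion]
"ProgramFileID"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe,C:\\WINDOWS\\system32\\NtApi.exe"
'''

WINLOGON = r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
ADVANCED = r'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
CURRENT_VERSION = r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion'


def parse_reg_export(text):
    """Return {key_path: {value_name: raw_data}} from .reg export text."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current and line.startswith('"'):
            name, _, data = line.partition('=')
            keys[current][name.strip('"')] = data
    return keys


def check_indicators(keys):
    """Apply the three registry checks from the description; return findings."""
    findings = []
    shell = keys.get(WINLOGON, {}).get('Shell')
    if shell is not None:
        # .reg string data is quoted and escapes each backslash as '\\'.
        raw = shell.strip('"').replace('\\\\', '\\')
        parts = [p.strip() for p in raw.split(',') if p.strip()]
        extra = [p for p in parts if p.lower() != 'explorer.exe']
        if extra:  # anything beyond the stock Explorer.exe is started at logon
            findings.append('Winlogon Shell launches extra program(s): ' + ', '.join(extra))
    if keys.get(ADVANCED, {}).get('ShowSuperHidden', '').lower() == 'dword:00000000':
        findings.append('ShowSuperHidden set to 0 (protected OS files hidden in Explorer)')
    marker = keys.get(CURRENT_VERSION, {}).get('ProgramFileID')
    if marker is not None:
        findings.append('Infection marker present: ProgramFileID=' + marker)
    return findings


if __name__ == '__main__':
    for finding in check_indicators(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(finding)
```

On a live host the same checks can be run against an export produced with `reg export`, and a Shell value that is exactly `Explorer.exe` produces no finding.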

Miscellaneous
Mutex:
It creates the following mutex:
   • Sample07

File details
Runtime packer:
To hinder detection and reduce the file size, it is packed with the following runtime packer:
   • UPX

Description inserted by Ionut Slaveanu on Friday, September 29, 2006
Description updated by Andrei Ivanes on Tuesday, October 24, 2006
