Virus:TR/Agent.VG.8
Date discovered:06/10/2006
Type:Trojan
In the wild:No
Reported Infections:Low
Distribution Potential:Low
Damage Potential:Medium
Static file:Yes
File size:18,432 Bytes
MD5 checksum:b00760a27528fe13c8750497f3be2b91
VDF version:6.36.00.80
IVDF version:6.36.00.96 - Thursday, October 12, 2006

General
Method of propagation:
   • No own spreading routine


Aliases:
   •  Mcafee: BackDoor-CVT
   •  Kaspersky: Trojan.Win32.Agent.aae
   •  F-Secure: Trojan.Win32.Agent.aae
   •  VirusBuster: Trojan.Agent.EPL
   •  Bitdefender: Trojan.Agent.YN


Platforms / OS:
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Drops a file
   • Registry modification
   • Steals information

Files
It copies itself to the following location:
   • %SYSDIR%\win%random character string%32.dll



It deletes the initially executed copy of itself.



The following file is created:
   • %SYSDIR%\wineak32.bat

It is executed as soon as it has been completely written. This batch file is used to delete a file.



It tries to execute the following file:

– Filename:
   • %PROGRAM FILES%\Internet Explorer\iexplore.exe
using the following command line argument: -embedding

-embedding is the switch COM passes when it launches an application as an out-of-process server; Internet Explorer started this way does not show a browser window.

Registry
The following registry keys are added:

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\win%random character string%32]
   • "Asynchronous"=dword:00000001
   • "DllName"="win%random character string%32.dll"
   • "Impersonate"=dword:00000000
   • "Startup"="EvtStartup"
   • "Shutdown"="EvtShutdown"

This registers the dropped DLL as a Winlogon notification package: winlogon.exe loads it and calls the exported EvtStartup and EvtShutdown handlers on the corresponding events. "Impersonate"=0 means the handlers run in winlogon's own SYSTEM context rather than as the logged-on user, and "Asynchronous"=1 means they run on a separate thread. "DllName" carries no path, so the DLL is resolved from %SYSDIR%, where it was dropped. Winlogon notification packages exist only up to Windows XP/2003, which matches the platform list above.

– [HKLM\SOFTWARE\Microsoft\MSSMGR]
   • "Data"=dword:01c2a630
   • "LSTV"=%hex values%
   • "Brnd"=dword:0000030b
   • "Rid"=dword:000000cd
   • "LID"=dword:0000003a
   • "SCLIST"=%hex values%
   • "SSLIST"=%hex values%
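The Notify entry above is a persistence mechanism worth hunting for across a fleet. The following is an added example, not from this page and not Avira's code: a Python script that parses a text .reg export of HKLM\SOFTWARE\Microsoft, flags Winlogon\Notify packages whose DllName is outside an assumed known-good list or that match the naming and handler names described here, and reports the MSSMGR key. The sample export, the known-good DLL list and the random string "abcd" are constructed assumptions.

```python
import re
from typing import Dict, List

# Constructed sample input (not from the page): a fragment of "reg export
# HKLM\SOFTWARE\Microsoft" in .reg text form. crypt32chain and Schedule mirror
# stock Windows XP entries; the winabcd32 entry and the MSSMGR key follow the
# page's description, with the random string "abcd" made up for the example.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,\
  2e,00,64,00,6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"="wlnotify.dll"
"Impersonate"=dword:00000000
"Startup"="SchedStartupEvent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winabcd32]
"Asynchronous"=dword:00000001
"DllName"="winabcd32.dll"
"Impersonate"=dword:00000000
"Startup"="EvtStartup"
"Shutdown"="EvtShutdown"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSMGR]
"Data"=dword:01c2a630
"LSTV"=hex:00,11,22,\
  33,44
"Brnd"=dword:0000030b
"""

NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
MSSMGR_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSMGR"
# Assumption: stock notification DLLs of a Windows XP/2003 baseline; adjust per image.
KNOWN_GOOD_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll", "wlnotify.dll", "sclgntfy.dll"}
# Naming described on this page: win<random>32.dll
SUSPECT_NAME = re.compile(r"^win[0-9a-z]+32\.dll$", re.IGNORECASE)
_VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def parse_reg(text: str) -> Dict[str, Dict[str, object]]:
    """Parse .reg export text into {key path: {value name: value}}.
    dword -> int, quoted string -> str, hex(2) (REG_EXPAND_SZ, UTF-16LE) -> str,
    other hex blobs kept as raw text. Wrapped lines (trailing backslash) are joined."""
    reg: Dict[str, Dict[str, object]] = {}
    current = None
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            reg.setdefault(current, {})
            continue
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        m = _VALUE_LINE.match(line)
        if not m or current is None:
            continue
        name, data = m.group(1), m.group(2)
        if data.startswith("dword:"):
            value: object = int(data[6:], 16)
        elif data.startswith('"') and data.endswith('"'):
            value = re.sub(r"\\(.)", r"\1", data[1:-1])
        elif data.startswith("hex(2):"):
            raw_bytes = bytes(int(b, 16) for b in data[7:].split(",") if b)
            value = raw_bytes.decode("utf-16-le").rstrip("\x00")
        else:
            value = data
        reg[current][name] = value
    return reg


def find_indicators(reg: Dict[str, Dict[str, object]]) -> List[dict]:
    """Flag Notify packages outside the known-good set or matching this report's
    naming and handler names, plus the MSSMGR configuration key."""
    findings: List[dict] = []
    prefix = NOTIFY_KEY.lower() + "\\"
    for key, values in reg.items():
        if not key.lower().startswith(prefix):
            continue
        dll = str(values.get("DllName", ""))
        reasons = []
        if dll.lower() not in KNOWN_GOOD_DLLS:
            reasons.append("DllName not in known-good set")
        if SUSPECT_NAME.match(dll):
            reasons.append("DllName matches win<random>32.dll naming")
        if values.get("Startup") == "EvtStartup" and values.get("Shutdown") == "EvtShutdown":
            reasons.append("EvtStartup/EvtShutdown handler names")
        if reasons:
            findings.append({"key": key, "dll": dll, "reasons": reasons,
                             # Impersonate=0: handlers run in winlogon's SYSTEM context
                             "system_context": values.get("Impersonate") == 0})
    for key, values in reg.items():
        if key.lower() == MSSMGR_KEY.lower():
            findings.append({"key": key, "dll": None, "values": sorted(values),
                             "reasons": ["MSSMGR configuration key present"]})
    return findings


if __name__ == "__main__":
    for finding in find_indicators(parse_reg(SAMPLE_REG)):
        print(finding)
```

Feed it the output of `reg export "HKLM\SOFTWARE\Microsoft" out.reg` (converted from UTF-16 to text) from an XP/2003 image. The allowlist, not the name pattern, is the primary signal: the random DLL name changes per sample, while the set of legitimate notification DLLs on a given image does not.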

Backdoor
Contact server:
All of the following:
   • here4search.biz/img/**********
   • smart-security.biz/img/**********
   • l.mezzicodec.net/a412/**********
   • dr.mcboo.com/**********

It may then send information to these servers and receive remote-control commands from them. The exchange is done via HTTP GET requests to a PHP script.


Sends information about:
    • Current malware status
    • Malware uptime


Remote control capabilities:
    • Download file
    • Execute file
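Because the request paths are masked above, the contact-server hosts are the usable network indicator. The following is an added example, not from this page and not Avira's code: a Python script that scans Squid-format proxy log lines for requests to those hosts or their subdomains, matching on a label boundary so that a look-alike such as "xdr.mcboo.com" is not flagged as "dr.mcboo.com", and marking which hits are HTTP GET requests to a .php script as described here. The log lines, client and peer IP addresses, and request paths are constructed placeholders.

```python
from typing import List, Optional
from urllib.parse import urlsplit

# Contact servers named on this page. Request paths are masked there, so hosts
# are the only usable indicator.
C2_HOSTS = ("here4search.biz", "smart-security.biz", "l.mezzicodec.net", "dr.mcboo.com")

# Constructed sample (not from the page): Squid native access.log lines with
# documentation-range IPs and placeholder paths. Lines 1, 3 and 6 should match;
# "xdr.mcboo.com" and the bare "mcboo.com" apex must not.
SAMPLE_LOG = """\
1160640001.120     40 10.0.0.7 TCP_MISS/200 312 GET http://here4search.biz/img/placeholder.php - DIRECT/203.0.113.10 text/html
1160640002.330     38 10.0.0.7 TCP_MISS/200 298 GET http://www.example.com/index.html - DIRECT/203.0.113.20 text/html
1160640003.540     41 10.0.0.9 TCP_MISS/200 301 GET http://x.dr.mcboo.com/placeholder.php - DIRECT/203.0.113.30 text/html
1160640004.750     39 10.0.0.9 TCP_MISS/200 305 GET http://xdr.mcboo.com/placeholder.php - DIRECT/203.0.113.40 text/html
1160640005.960     43 10.0.0.7 TCP_MISS/200 310 GET http://mcboo.com/ - DIRECT/203.0.113.50 text/html
1160640006.170     52 10.0.0.7 TCP_TUNNEL/200 1180 CONNECT smart-security.biz:443 - DIRECT/203.0.113.60 -
"""


def host_matches(host: str, indicator: str) -> bool:
    """Exact match or subdomain of the indicator on a label boundary,
    so "xdr.mcboo.com" does not match "dr.mcboo.com"."""
    host = host.lower().rstrip(".")
    indicator = indicator.lower().rstrip(".")
    return host == indicator or host.endswith("." + indicator)


def match_indicator(host: str) -> Optional[str]:
    """Return the indicator host that `host` matches, or None."""
    for indicator in C2_HOSTS:
        if host_matches(host, indicator):
            return indicator
    return None


def scan_squid_log(text: str) -> List[dict]:
    """One record per request to an indicator host. Squid native format:
    time elapsed client code/status bytes method url user hier/peer type."""
    hits: List[dict] = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue
        client, method, url = fields[2], fields[5], fields[6]
        if "://" in url:
            parts = urlsplit(url)
            host, path = parts.hostname or "", parts.path
        else:  # CONNECT lines carry host:port rather than a URL
            host, path = url.rsplit(":", 1)[0], ""
        indicator = match_indicator(host)
        if indicator is None:
            continue
        hits.append({
            "client": client, "host": host, "indicator": indicator, "method": method,
            # The page describes the C2 exchange as HTTP GET to a PHP script
            "get_to_php": method == "GET" and path.lower().endswith(".php"),
        })
    return hits


if __name__ == "__main__":
    for hit in scan_squid_log(SAMPLE_LOG):
        print(hit)
```

The apex "mezzicodec.net" and "mcboo.com" are deliberately not matched, since the page names specific subdomains; widen C2_HOSTS to the registered domains if the rest of those zones is known to be attacker-controlled.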

File details
Runtime packer:
To hinder detection and reduce the file size, it is packed with a runtime packer.

Description inserted by Adriana Popa on Monday, November 13, 2006
Description updated by Adriana Popa on Monday, November 13, 2006
