Virus: TR/Agent.AKB.2
Date discovered: 18/10/2006
Type: Trojan
In the wild: No
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Medium
Static file: Yes
File size: 646.419 Bytes
MD5 checksum: 1c3569b0b1a18f7d627e7a75d83e473b
VDF version: 6.36.00.127
IVDF version: 6.36.00.144 - Friday, October 20, 2006

General Alias:
   •  Kaspersky: Backdoor.Win32.VB.awr


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP


Side effects:
   • Blocks access to certain websites
   • Disables security applications
   • Drops a file
   • Records keystrokes
   • Registry modification
   • Steals information
   • Third party control

Files
It copies itself to the following location:
   • %WINDIR%\svchost.exe



It deletes the initially executed copy of itself.



The following files are created:

– Non malicious file:
   • %WINDIR%\MSWINSCK.OCX

   • %WINDIR%\offlog.txt
     This file contains collected keystrokes.

Registry
The following registry keys are added (the malware keeps re-adding them in an infinite loop) in order to run the process after reboot:

–  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   • "Windows Update"="%WINDIR%\scvhost.exe"

–  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
   • "Windows Update"="%WINDIR%\scvhost.exe"

–  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
   • "Windows Update"="%WINDIR%\scvhost.exe"

–  HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\
   {C010EB0F-A43D-A989-FF0A-C6CF6D0D5EB3}
   • "StubPath"="%WINDIR%\scvhost.exe"



The following registry key is changed:

– HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
   Old value:
   • "DisableRegistryTools"=%user defined settings%
   New value:
   • "DisableRegistryTools"=dword:00000001

Hosts
The hosts file is modified as follows:

– In this case existing entries are deleted.

– Access to the following domains is effectively blocked:
   • dl1.avgate.net
   • dl2.avgate.net
   • dl3.avgate.net
   • dl4.avgate.net
   • dl5.avgate.net
   • dl6.avgate.net
   • dl7.avgate.net
   • dl8.avgate.net
   • dl9.avgate.net
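The hosts-file tampering described above (existing entries removed, vendor update hosts pinned so that definition downloads fail) is easy to check for from a defender's side. The following is an added example, not code from the Avira description or from the analysed sample: it parses a hosts file, reports any entry that pins one of the listed avgate.net update hosts, and flags the absence of the default localhost entry that a wholesale deletion of existing lines would leave behind. The sample hosts content is constructed for the example; the WATCHED_DOMAINS set is taken from the list above and would in practice be extended to the update hosts of whatever security products are deployed.

```python
import ipaddress
import os
from pathlib import Path

# Constructed sample modelled on the behaviour described in the report:
# the original entries (including localhost) are gone and the update hosts
# are pinned to loopback / unspecified addresses. Not captured from a real host.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1 dl1.avgate.net
127.0.0.1 dl2.avgate.net
0.0.0.0   dl3.avgate.net    # trailing comment
"""

# Update hosts the description lists as blocked (dl1 ... dl9.avgate.net).
WATCHED_DOMAINS = {f"dl{i}.avgate.net" for i in range(1, 10)}


def parse_hosts(text):
    """Yield (lineno, ip, [hostnames]) for every syntactically valid hosts entry.

    Comments (everything after '#') and blank lines are skipped; lines whose
    first field is not an IP address are ignored rather than raising.
    """
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        yield lineno, ip, [name.lower() for name in fields[1:]]


def find_hijacked_entries(text, watched=WATCHED_DOMAINS):
    """Return [(lineno, ip, hostname)] for watched domains pinned to any address.

    Any hosts entry for a vendor update server is suspicious: a clean hosts
    file does not pin such names, and pinning them to 127.0.0.1 or 0.0.0.0
    blocks the updates outright, which is the effect the report describes.
    Subdomains of a watched domain are matched as well.
    """
    hits = []
    for lineno, ip, names in parse_hosts(text):
        for name in names:
            if name in watched or any(name.endswith("." + w) for w in watched):
                hits.append((lineno, str(ip), name))
    return hits


def localhost_entry_missing(text):
    """True when no entry maps 'localhost', consistent with the deletion of
    the pre-existing entries described in the report."""
    return not any("localhost" in names for _, _, names in parse_hosts(text))


def default_hosts_path():
    """Location of the hosts file on Windows; falls back to the POSIX path."""
    windir = os.environ.get("WINDIR")
    if windir:
        return Path(windir) / "System32" / "drivers" / "etc" / "hosts"
    return Path("/etc/hosts")


if __name__ == "__main__":
    # Run against the constructed sample so the script works offline; replace
    # SAMPLE_HOSTS with default_hosts_path().read_text() to scan the live file.
    for lineno, ip, name in find_hijacked_entries(SAMPLE_HOSTS):
        print(f"line {lineno}: {name} pinned to {ip}")
    if localhost_entry_missing(SAMPLE_HOSTS):
        print("no localhost entry: existing entries appear to have been removed")
```

Matching on every pinned address rather than only loopback is deliberate: redirecting an update host to an attacker-controlled address is as harmful as blocking it, and the check should fire either way.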


Process termination
List of services that are disabled:
   • NOD32krn
   • navapsvc
   • AntiVirService
   • antivir

Backdoor
Contact server:
The following:
   • exclusive72.no-ip.**********:1338

As a result it may send information, and remote control may be provided.

Stealing
It tries to steal the following information:
– Passwords typed into 'password input fields'

– It captures:
    • Keystrokes

File details
Programming language:
The malware program was written in Visual Basic.


Runtime packer:
In order to hinder detection and reduce the size of the file, it is packed with a runtime packer.

Description inserted by Bogdan Iliuta on Monday, October 30, 2006
Description updated by Bogdan Iliuta on Wednesday, November 15, 2006
