Virus: Worm/Agent.aii
Date discovered: 25/10/2006
Type: Worm
In the wild: No
Reported Infections: Low
Distribution Potential: Medium
Damage Potential: Medium
Static file: Yes
File size: 733.184 Bytes
MD5 checksum: bbe4701b9fbb05416993791b02b98653
VDF version: 6.36.00.149
IVDF version: 6.36.00.166 - Wednesday, October 25, 2006

General Method of propagation:
   • Email


Aliases:
   •  Mcafee: Generic BackDoor.u
   •  Kaspersky: Backdoor.Win32.Agent.aii
   •  Sophos: W32/Mytob-JI
   •  Eset: Win32/Mytob.VE


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Uses its own Email engine
   • Registry modification
   • Steals information
   • Third party control

Files:
It copies itself to the following location:
   • %SYSDIR%\winemail.exe

Registry:
The following registry values are re-added continuously in an infinite loop, so that the process is started again after a reboot even if the values are deleted:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "Windows Email"="winemail.exe"

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
   • "Windows Email"="winemail.exe"



The following registry keys are added:

– [HKLM\SOFTWARE\Microsoft\RFC1156Agent\CurrentVersion\Parameters]
   • "TrapPollTimeMilliSecs"=dword:00003a98

– [HKLM\SOFTWARE\Licenses]
   • "{R7C0DB872A3F777C0}"=%hex values%
   • "{K7C0DB872A3F777C0}"=%hex values%
   • "{I7B4ED451FFFFFFFF}"=%hex values%
   • "{07B4ED451FFFFFFFF}"=%hex values%

– [HKCR\CLSID\{7B4ED451-7B4E-D451-7B4E-D4517B4ED451}]
   • @="Media Clip"
   • "AppID"="{00022601-0000-0000-C000-000000000046}"

– [HKCR\CLSID\{7B4ED451-7B4E-D451-7B4E-D4517B4ED451}\AuxUserType\2]
   • @="Media Clip"

– [HKCR\CLSID\{7B4ED451-7B4E-D451-7B4E-D4517B4ED451}\DataFormats\
   DefaultSet]
   • @="MPlayer"

– [HKCR\CLSID\{7B4ED451-7B4E-D451-7B4E-D4517B4ED451}\DataFormats\
   GetSet\0]
   • @="Embed Source,1,8,1"

– [HKCR\CLSID\{7B4ED451-7B4E-D451-7B4E-D4517B4ED451}\DataFormats\
   GetSet\1]
   • @="3,1,32,1"

– [HKCR\CLSID\{7B4ED451-7B4E-D451-7B4E-D4517B4ED451}\DataFormats\
   GetSet\2]
   • @="8,1,1,1"

– [HKCR\CLSID\{7B4ED451-7B4E-D451-7B4E-D4517B4ED451}\DefaultIcon]
   • @="mplay32.exe,1"

– [HKCR\CLSID\{7B4ED451-7B4E-D451-7B4E-D4517B4ED451}\InprocHandler32]
   • @="ole32.dll"

– [HKCR\CLSID\{7B4ED451-7B4E-D451-7B4E-D4517B4ED451}\Insertable]
   • @=""

– [HKCR\CLSID\{7B4ED451-7B4E-D451-7B4E-D4517B4ED451}\LocalServer]
   • @="mplay32.exe"

– [HKCR\CLSID\{7B4ED451-7B4E-D451-7B4E-D4517B4ED451}\LocalServer32]
   • @="mplay32.exe"

– [HKCR\CLSID\{7B4ED451-7B4E-D451-7B4E-D4517B4ED451}\MiscStatus]
   • @="0"

– [HKCR\CLSID\{7B4ED451-7B4E-D451-7B4E-D4517B4ED451}\ProgID]
   • @="MPlayer"

– [HKCR\CLSID\{7B4ED451-7B4E-D451-7B4E-D4517B4ED451}\verb\0]
   • @="&Play,0,3"

– [HKCR\CLSID\{7B4ED451-7B4E-D451-7B4E-D4517B4ED451}\verb\1]
   • @="&Edit,0,2"

– [HKCR\CLSID\{7B4ED451-7B4E-D451-7B4E-D4517B4ED451}\verb\2]
   • @="&Open,0,2"

Email:
It contains an integrated SMTP engine in order to send emails. It establishes a direct connection to the destination mail server rather than using a configured mail client. The characteristics are described below:


From:
The sender address is spoofed.


To:
– Email addresses found in specific files on the system.
– Email addresses gathered from WAB (Windows Address Book)


Subject:
One of the following:
   • Account Alert
   • %random words%



Body:
– Contains HTML code.
– Contains a link to other malware.
– In some cases it may be empty.
– In some cases it may contain random characters.

 
The body of the email is one of the following:

   • Dear Valued Member,
     According to our terms of services, you will have to confirm your e-mail by the following link, or your account will be suspended for security reasons.
     http://www.%sender's domain name and top level domain from email address%/confirm.php?account=%receiver's email address%
     After following the instructions in the sheet, your account will not be interrupted and will continue as normal.
     Thanks for your attention to this request. We apologize for any inconvenience.
     Sincerely, %sender's domain name from email address% Department



The email looks like the following: [screenshot of the email omitted in this text version]


Mailing:
Search addresses:
It searches the following files for email addresses:
   • txt; htm; sht; jsp; cgi; xml; php; asp; dbx; tbb; adb; html; wab


Address generation for FROM field:
To generate addresses it uses the following string:
   • abuse

It combines this string with domains taken from the addresses found in the files searched above.


Address generation for TO field:
To generate addresses it uses the following string:
   • %random character string%

It combines this string with domains taken from the addresses found in the files searched above.


Avoid addresses:
It does not send emails to addresses containing one of the following strings:
   • mcafee; symantec; sophos; bitdefender; avg; kaspersky; avast; nod32;
      vba32; antivir; avira; cat-quickheal; clamav; drweb; f-prot; etrust;
      fortinet; ikarus; norman; panda; thehacker; ewido; spm; fcnz; www;
      secur; abuse


Prepend MX strings:
In order to find the IP address of the recipient's mail server, it can prepend the following strings to the recipient's domain name and resolve the result:
   • mx.
   • mail.
   • smtp.
   • mx1.
   • mxs.
   • mail1.
   • relay.
   • ns.
   • gate.
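The lure described above has fixed, recognisable traits: a forged "abuse@" sender, the subject "Account Alert", and a confirmation link of the form http://www.<sender domain>/confirm.php?account=<recipient>. The following PowerShell function is an added example for mail-gateway or triage use, written here and not taken from Avira or from the worm; the function name, the parameter names, the scoring threshold and the sample message (example.com / example.org are placeholders) are my own.

```powershell
# Added example (not Avira's tooling): flags an inbound message that matches the
# Worm/Agent.aii lure described in this report. Function/parameter names and the
# "two or more indicators" threshold are assumptions for illustration.
function Test-AgentAiiMailLure {
    param(
        [Parameter(Mandatory)][string]$From,
        [Parameter(Mandatory)][string]$Subject,
        [Parameter(Mandatory)][string]$Body
    )
    $hits = @()

    # The worm generates only the local part "abuse" for the forged FROM address
    if ($From -match '^\s*(?:.*<)?abuse@[^>\s]+>?\s*$') { $hits += 'sender local part "abuse"' }

    # Fixed subject line (the other variant is random words, which this rule cannot catch)
    if ($Subject.Trim() -ieq 'Account Alert') { $hits += 'subject "Account Alert"' }

    # Link pattern from the description: http://www.<domain>/confirm.php?account=<recipient>
    if ($Body -match 'https?://www\.[^/\s]+/confirm\.php\?account=') { $hits += 'confirm.php?account= link' }

    # Fixed phrases from the lure text
    if ($Body -match 'Dear Valued Member') { $hits += 'lure opening line' }
    if ($Body -match 'account will be suspended for security reasons') { $hits += 'suspension threat' }

    # The lure builds the link host from the sender's own domain; check that they agree
    $senderDomain = ($From -replace '^.*@', '') -replace '[>\s].*$', ''
    if ($senderDomain -and $Body -match "https?://www\.$([regex]::Escape($senderDomain))/confirm\.php") {
        $hits += 'link domain matches sender domain'
    }

    [pscustomobject]@{
        Suspicious = ($hits.Count -ge 2)
        Indicators = $hits
    }
}

# Constructed sample message modelled on the description (domains are placeholders)
$sample = @{
    From    = 'abuse@example.com'
    Subject = 'Account Alert'
    Body    = @'
<html><body>Dear Valued Member,
According to our terms of services, you will have to confirm your e-mail by the following link, or your account will be suspended for security reasons.
http://www.example.com/confirm.php?account=user@example.org
</body></html>
'@
}
Test-AgentAiiMailLure @sample
```

Run against the constructed sample, the function reports all six indicators and Suspicious = True. Because the subject can also be random words and the body may be empty or random, the sender-domain/link-domain consistency check and the confirm.php pattern carry the most weight; a single indicator alone is not treated as a match.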

IRC:
To deliver system information and to provide remote control, it connects to the following IRC server:

Server: mail.yfcdavao.**********
Port: 3132
Channel: #email
Nickname: email%six-digit random character string%
Password: r00ted



– This malware has the ability to collect and send information such as:
    • CPU speed
    • Current user
    • Free disk space
    • Free memory
    • Information about the network
    • Size of memory
    • Information about the Windows operating system


– Furthermore it has the ability to perform actions such as:
    • Connect to IRC server
    • Download file
    • Execute file
    • Join IRC channel
    • Leave IRC channel
    • Send emails
    • Update itself

Miscellaneous:
Mutex:
It creates the following mutex:
   • gfbgslkvtgf
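The dropped file, the two Run/RunServices values, the added RFC1156Agent parameter and the mutex listed in the Files, Registry and Mutex sections above can be checked on a host with a short script. The following PowerShell function is an added example written for this report, not Avira's own tooling; its name, the output object and the treatment of the results are my own, and the mutex and hash values come from the description itself.

```powershell
# Added example (not Avira's tooling): checks a Windows host for the artifacts
# this report lists for Worm/Agent.aii. Function and output names are assumptions.
function Test-AgentAiiHostArtifacts {
    [CmdletBinding()]
    param(
        # MD5 of the analysed sample as stated in the report header
        [string]$KnownMd5 = 'bbe4701b9fbb05416993791b02b98653'
    )

    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. Dropped copy: %SYSDIR%\winemail.exe
    $sysDir  = [Environment]::GetFolderPath('System')
    $dropped = Join-Path $sysDir 'winemail.exe'
    if (Test-Path -LiteralPath $dropped -PathType Leaf) {
        $hash = (Get-FileHash -LiteralPath $dropped -Algorithm MD5).Hash.ToLower()
        if ($hash -eq $KnownMd5) {
            $findings.Add("file present with the reported MD5: $dropped")
        } else {
            # A different hash may be a repacked variant or an unrelated file with the same name
            $findings.Add("file present, MD5 differs ($hash): $dropped")
        }
    }

    # 2. Persistence: "Windows Email"="winemail.exe" under Run and RunServices
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $item = Get-ItemProperty -LiteralPath $key -Name 'Windows Email' -ErrorAction SilentlyContinue
        if ($null -ne $item -and $item.'Windows Email' -match 'winemail\.exe') {
            $findings.Add("persistence value in $key : $($item.'Windows Email')")
        }
    }

    # 3. TrapPollTimeMilliSecs=0x3a98 under RFC1156Agent. This key also belongs to the
    #    Windows SNMP agent, so treat it as a weak indicator on hosts running SNMP.
    $rfcKey = 'HKLM:\SOFTWARE\Microsoft\RFC1156Agent\CurrentVersion\Parameters'
    if (Test-Path -LiteralPath $rfcKey) {
        $poll = Get-ItemProperty -LiteralPath $rfcKey -Name 'TrapPollTimeMilliSecs' -ErrorAction SilentlyContinue
        if ($null -ne $poll -and $poll.TrapPollTimeMilliSecs -eq 0x3a98) {
            $findings.Add("TrapPollTimeMilliSecs=0x3a98 under $rfcKey (weak indicator)")
        }
    }

    # 4. Mutex gfbgslkvtgf: opening it succeeds only while a process holds it.
    #    On multi-session systems the worm's mutex may live in another session's
    #    namespace; a 'Global\' prefix can be tried as a second attempt.
    foreach ($name in @('gfbgslkvtgf', 'Global\gfbgslkvtgf')) {
        $mutex = $null
        if ([System.Threading.Mutex]::TryOpenExisting($name, [ref]$mutex)) {
            $mutex.Dispose()
            $findings.Add("mutex $name exists (worm process likely running)")
            break
        }
    }

    [pscustomobject]@{
        ArtifactsFound = ($findings.Count -gt 0)
        Findings       = $findings.ToArray()
    }
}

Test-AgentAiiHostArtifacts | Format-List
```

Run it from an elevated prompt so that the HKLM keys and the system directory are readable. A positive result on the file or the Run/RunServices values is the strongest signal; the RFC1156Agent value is deliberately reported as weak because the same key is used by the legitimate Windows SNMP service.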

File details:
Programming language:
The malware program was written in MS Visual C++.


Runtime packer:
In order to hinder detection and reduce the size of the file, it is packed with the following runtime packer:
   • UPX

Description inserted by Monica Ghitun on Wednesday, October 25, 2006
Description updated by Monica Ghitun on Wednesday, November 22, 2006
