Virus: BDS/Agent.ahj.701
Date discovered: 28/06/2007
Type: Backdoor Server
In the wild: No
Reported infections: Low
Distribution potential: Low
Damage potential: Medium
Static file: Yes
File size: 20,847 bytes
MD5 checksum: 571f05c12e0d7489cc10fffab06ccfbd
VDF version: 6.39.00.125
IVDF version: 6.39.00.127 - Tuesday, July 10, 2007

General
Method of propagation:
   • No own spreading routine


Aliases:
   •  Kaspersky: Backdoor.Win32.Agent.ahj
   •  F-Secure: Backdoor.Win32.Agent.ahj
   •  Grisoft: Agent.BTX


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Downloads malicious files
   • Drops a malicious file
   • Registry modification
   • Third party control

Files
It copies itself to the following location:
   • %SYSDIR%\%eight-digit random character string%.EXE



The following files are created:

– %SYSDIR%\%eight-digit random character string%.DLL
   It is executed once it has been fully written. Further analysis showed that this file is malware as well; it is detected as TR/Agent.14420.

– %SYSDIR%\delmep.bat
   It is executed once it has been fully written. This batch file is used to delete a file.

Registry
The following registry keys are added in order to load the service after reboot:

– [HKLM\SYSTEM\ControlSet001\Services\
   %eight-digit random character string%]
   • DisplayName="%eight-digit random character string%"
   • ErrorControl=dword:00000001
   • ImagePath="%SYSDIR%\%eight-digit random character string%.EXE -d"
   • ObjectName="LocalSystem"
   • Start=dword:00000002
   • Type=dword:00000010

– [HKCU\SYSTEM\CurrentControlSet\Services\
   %eight-digit random character string%]
   • Description="%eight-digit random character string%"
   • DisplayName="%eight-digit random character string%"
   • ImagePath="%SYSDIR%\%eight-digit random character string%.EXE -d"
   • ObjectName="LocalSystem"

Backdoor
Contact server:
   • http://down.hunll.com/popwin/**********

As a result, remote control capability is provided. The server's answer is written to the file %SYSDIR%\usdsddse.web.


Remote control capabilities:
    • Download file
    • Visit a website

Injection
It injects the following file into a process:
   • %eight-digit random character string%.dll

into one of the following processes:
   • explorer.exe
   • winlogon.exe
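The Registry and Injection sections above describe a recognisable persistence pattern: an auto-start LocalSystem service whose key name, DisplayName, image (%SYSDIR%\<name>.EXE -d) and injected DLL all share the same eight-character random name. The following triage script is an added example written for this page, not code from Avira or from the malware itself; it scores service keys from a .reg-style export against those indicators and then looks for a DLL with the same stem inside explorer.exe or winlogon.exe. The sample registry export, module lists and the name "qwzxplmk" are constructed for the example, and the ImagePath value is given as a plain string (a real regedit export stores REG_EXPAND_SZ as hex(2):... and would need decoding first).

```python
import ntpath
import re
from typing import Dict, List, Tuple

# Constructed sample data, built for this example and not taken from a real host.
# "qwzxplmk" stands in for the eight-character random name; "Spooler" is a benign
# service for contrast. ImagePath is written as a plain string; a real regedit
# export stores REG_EXPAND_SZ values as hex(2):... and would need decoding first.
SAMPLE_REG_EXPORT = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\qwzxplmk]
"DisplayName"="qwzxplmk"
"ErrorControl"=dword:00000001
"ImagePath"="C:\\WINDOWS\\system32\\qwzxplmk.EXE -d"
"ObjectName"="LocalSystem"
"Start"=dword:00000002
"Type"=dword:00000010

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Spooler]
"DisplayName"="Print Spooler"
"ImagePath"="C:\\WINDOWS\\system32\\spoolsv.exe"
"ObjectName"="LocalSystem"
"Start"=dword:00000002
"Type"=dword:00000110
"""
# Loaded-module lists as a tool such as ListDLLs would print them (constructed).
SAMPLE_MODULES = {
    "explorer.exe": [r"C:\WINDOWS\explorer.exe", r"C:\WINDOWS\system32\kernel32.dll",
                     r"C:\WINDOWS\system32\qwzxplmk.dll"],
    "winlogon.exe": [r"C:\WINDOWS\system32\winlogon.exe", r"C:\WINDOWS\system32\ntdll.dll"],
}

KEY_RE = re.compile(r"^\[(.+)\]$")
VAL_RE = re.compile(r'^"([^"]+)"=(.*)$')
RANDOM_NAME_RE = re.compile(r"^[a-z0-9]{8}$", re.IGNORECASE)
# %SYSDIR%\<name>.EXE -d, allowing the usual spellings of the system directory.
IMAGEPATH_RE = re.compile(
    r"^(?:%SystemRoot%|[A-Z]:\\WINDOWS|[A-Z]:\\WINNT)\\system32\\([^\\]+)\.exe\s+-d$", re.I)

def parse_reg_export(text: str) -> Dict[str, Dict[str, object]]:
    """Parse the .reg subset used above: [key] headers, quoted strings and dwords."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            current = key.group(1)
            keys[current] = {}
            continue
        val = VAL_RE.match(line)
        if val and current is not None:
            name, value = val.groups()
            if value.startswith("dword:"):
                keys[current][name] = int(value[6:], 16)
            elif value.startswith('"') and value.endswith('"'):
                keys[current][name] = value[1:-1].replace("\\\\", "\\")
            else:
                keys[current][name] = value
    return keys

def looks_like_random_name(name: str) -> bool:
    # Eight alphanumerics. Alone this also matches kernel32, advapi32 and friends,
    # which is why it is only used together with the other indicators below.
    return bool(RANDOM_NAME_RE.match(name))

def service_indicators(key_path: str, values: Dict[str, object]) -> List[str]:
    """Indicators from the description that a single service key exhibits."""
    svc = key_path.rsplit("\\", 1)[-1]
    hits = []
    if looks_like_random_name(svc):
        hits.append("eight-character service name")
    if values.get("DisplayName") == svc:
        hits.append("DisplayName equals the service name")
    m = IMAGEPATH_RE.match(str(values.get("ImagePath", "")))
    if m and m.group(1).lower() == svc.lower():
        hits.append("ImagePath is %SYSDIR%\\<name>.EXE -d")
    if (values.get("ObjectName") == "LocalSystem"
            and values.get("Start") == 2 and values.get("Type") == 0x10):
        hits.append("LocalSystem, auto-start, own-process service")
    return hits

def find_suspicious_services(keys, min_hits: int = 3) -> List[Tuple[str, List[str]]]:
    out = []
    for path, values in keys.items():
        if "\\Services\\" in path:
            hits = service_indicators(path, values)
            if len(hits) >= min_hits:
                out.append((path.rsplit("\\", 1)[-1], hits))
    return out

def find_injected_modules(modules, service_names) -> List[Tuple[str, str]]:
    """DLLs in explorer.exe / winlogon.exe whose stem matches a flagged service."""
    wanted = {n.lower() for n in service_names}
    out = []
    for proc, paths in modules.items():
        if proc.lower() in ("explorer.exe", "winlogon.exe"):
            for p in paths:
                stem, ext = ntpath.splitext(ntpath.basename(p))
                if ext.lower() == ".dll" and stem.lower() in wanted:
                    out.append((proc, p))
    return out
```

On the sample data, find_suspicious_services flags only qwzxplmk (all four indicators) and leaves Spooler alone, and find_injected_modules then finds qwzxplmk.dll inside explorer.exe. The indicators are deliberately combined: an eight-character name on its own matches legitimate system binaries such as kernel32.dll, so the module check is keyed to a service that already scored, rather than to the name shape alone. On a live host the same functions can be fed a real `reg export HKLM\SYSTEM\ControlSet001\Services` (after decoding hex(2) values) and the output of a module-listing tool.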


File details
Runtime packer:
In order to hinder detection and reduce the size of the file, it is packed with a runtime packer.

Description inserted by Ernest Szocs on Monday, July 2, 2007
Description updated by Andrei Gherman on Monday, July 16, 2007
