Alias:
Type:Worm 
Size:97.280 Bytes 
Origin: 
Date:06-09-2005 
Damage: 
VDF Version:6.31.0.18 
Danger:Low 
Distribution:Low 

General DescriptionAffected Platforms
* Windows 95
* Windows 98
* Windows ME
* Windows NT
* Windows 2000
* Windows XP
* Windows Server 2003

Symptoms- opens TCP port 6666

Technical DetailsIf the trojan "TR/Agent.P.2" is executed, it creates the following files:
\%Sysdir%\k.exe
\%Sysdir%\fkd8df6s.lnk (505 Bytes)
\%Sysdir%\lizenz.txt (6.727 Bytes)
\%Windir%\witetest
\%Sysdir%\pdata (335 Bytes)
\%Sysdir%\lddata (4 Bytes)
\%Sysdir%\ddata (57.921 Bytes)
\%Favorites%\-ebay-.url
\%Favorites%\-aktuelle-news-.url

It also operates the following modifications in the Windows Registry:
- New Entries
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wi ndows\CurrentVersion\Run]
"System"="C:\\WINDOWS\\System\\k.exe"

[HKEY_CURRENT_USER\Software\System]
"SystemFlag"=dword:00000001
"SystemId"="<%randomdigits%>"
"SystemTimeout"=dword:0000000a
"SystemTimer"=dword:0000000a
"SystemHost"="ÓH2ö§a3-ü?‹ßc3P"
"SystemVersion"=dword:00000071
"SystemStamp"="<%randomdigits%>"
"SystemFlagTimeout"=dword:00000001
"SystemFavoriteVersion"=dword:0000007a
"SystemHostlistVersion"=dword:00000083

[HKEY_LOCAL_MACHINE\SOFTWARE\System]
"System"=dword:<%randomnumber%>

- Changed Entries:
[HKEY_CURRENT_USER\Software\Microsoft\Int ernet Explorer\Main]
"Search Page"="http://ie.search.msn.com"
"Use Custom Search URL"=dword:00000001
"Default_Search_URL"="http://ie.search.msn.com"
"Search Bar"="http://ie.search.msn.com"

The virus "TR/Agent.P.2" displays a window with a License Agreement (EULA). If this is not validated, the programs stops its execution:
http://www.antivir.de/uploads/RTEmagicC_AgentP2_01.jpg.jpg

The trojan generates a mutex named "UNIQUENAMEHERE".

It calls an URL and receives delievered data, which then creates the following files:
pdata
ddata
lddata

TR/Agent.P.2 opens TCP Port 6666 and generates a ICMP request to all IP adresses im the range 213.203.209.118 - 213.203.209.126.

It also creates a WOHIS query to the following servers and asks for the domain names in the file "ddata ":

"whois.internic.com"
"whois.adamsnames.tc"
"whois.nic.be"
"whois.nic-se.se"
"whois.nic.cc"
"whois.nic.nu"
"whois.nic.dk"
"whois.nic.nl"
"whois.partnergate.de"
"whois.nic.it"
"whois.nic.li"
"whois.nic.ch"
"whois.nic.at"
"whois.crsnic.net"
"whois.publicinterestregistry.net"
"whois.nic.uk"
"whois.afilias.info"
"whois.nic.biz"
"whois.neulevel.biz"
"whois1.verisign-grs.net"
"whois.dns.pl"
"whois.nic.us"
"whois.ripe.net"
"whois.nic.ag"
"whois.cnnic.net.cn"
"whois.denic.de"

The file "fkd8df6s.lnk" is a link, which the trojan calls with a parameter:
"C:\WINDOWS\system\k.exe /uninstall"


The trojan removes all the created files and copies itself in the Windows directory with the name "removeme.exe".
Description inserted by Crony Walker on Tuesday, June 15, 2004

Back . . . .