Virus:Worm/Agent.100872
Date discovered:21/12/2010
Type:Worm
In the wild:Yes
Reported Infections:Low to medium
Distribution Potential:Medium to high
Damage Potential:Medium
Static file:Yes
File size:100.872 Bytes
MD5 checksum:f5b24ee909954ffccdcd2eeb8a4cd0de
VDF version:7.10.07.66
IVDF version:7.11.00.138 - Tuesday, December 21, 2010

General Methods of propagation:
   • Autorun feature
   • Messenger
   • Peer to Peer


Aliases:
   •  Symantec: W32.Spybot.Worm
   •  Grisoft: BackDoor.Ircbot.NPB
   •  Eset: Win32/AutoRun.IRCBot.FC
   •  DrWeb: BackDoor.IRC.Sdbot.4867


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows Server 2008
   • Windows 7


Side effects:
   • Third party control
   • Drops files
   • Registry modification
   • Steals information

Files
It copies itself to the following location:
   • %WINDIR%\wni.exe



The following files are created:
   • %WINDIR%\wni.exe-up.txt
   • %drive%\autorun.inf
     This is a plain text file (not executable code itself) whose content causes Windows to launch the worm when the drive is opened with Autorun enabled:
       %code that runs malware%

Registry
The following registry values are added in order to run the malware after reboot:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "Windows Services"="wni.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\
   Install\Software\Microsoft\Windows\CurrentVersion\Run]
   • "Windows Services"="wni.exe"

The second key is the Terminal Server install-mode copy of the Run key, a less commonly inspected autostart location. Note that the value data is a bare file name with no directory; the copy in %WINDIR% is what gets started.



The following registry value is added, whitelisting the malware in the Windows Firewall:

[HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\
   FirewallPolicy\StandardProfile\AuthorizedApplications\List]
   • "%malware execution directory%\sample.exe"="%malware execution directory%\sample.exe:*:Enabled:Windows Services"

Here sample.exe stands for the name under which the worm was executed; the display name of the firewall exception is again "Windows Services".
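The two autostart values and the firewall exception above are easy to pull out of a `reg export` dump during triage. The following is an added example (not Avira's code); the dump it parses is constructed for this page and is not data from an infected host, and the "user-writable path" rule for firewall exceptions is a heuristic of my own, not something the description states.

```python
"""Triage a .reg export for the autostart and firewall-whitelist indicators of Worm/Agent.100872."""
import re

# Constructed sample dump in `reg export` format (made up for this example, not host data).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\System32\\SecurityHealthSystray.exe"
"Windows Services"="wni.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Services"="wni.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Users\\bob\\Downloads\\sample.exe"="C:\\Users\\bob\\Downloads\\sample.exe:*:Enabled:Windows Services"
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Firefox"
"""

# Indicators taken from the description: value name, dropped file name, firewall display name.
PERSIST_VALUE_NAME = "windows services"
DROPPED_FILE = "wni.exe"
FIREWALL_LABEL = "windows services"
# Heuristic (my assumption, not from the description): an enabled firewall exception for a
# binary in a user-writable location deserves a look even if the display name differs.
USER_WRITABLE = ("\\users\\", "\\documents and settings\\", "\\temp\\")

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s):
    # .reg files escape backslashes and double quotes inside string values.
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg_export(text):
    """Yield (key, value_name, data) for every REG_SZ value in a .reg export."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            yield key, _unescape(m.group(1)), _unescape(m.group(2))


def scan_reg_export(text):
    """Return a list of findings, each a dict with rule, key, name, data and reason."""
    findings = []
    for key, name, data in parse_reg_export(text):
        k = key.lower()
        if k.endswith("\\currentversion\\run"):
            # Run-key data may be a bare file name; compare only the last path element.
            base = data.strip('"').rsplit("\\", 1)[-1].lower()
            if name.lower() == PERSIST_VALUE_NAME or base == DROPPED_FILE:
                findings.append(dict(rule="autostart", key=key, name=name, data=data,
                                     reason="Run value matching the Worm/Agent.100872 persistence entry"))
        elif k.endswith("\\authorizedapplications\\list"):
            # Data format: <path>:<scope>:<Enabled|Disabled>:<display name>
            parts = data.rsplit(":", 3)
            if len(parts) != 4:
                continue
            path, _scope, state, label = parts
            if state.lower() != "enabled":
                continue
            if label.lower() == FIREWALL_LABEL:
                reason = "firewall exception labelled 'Windows Services'"
            elif any(tok in path.lower() for tok in USER_WRITABLE):
                reason = "firewall exception for a binary in a user-writable path (heuristic)"
            else:
                continue
            findings.append(dict(rule="firewall-whitelist", key=key, name=name, data=data,
                                 reason=reason))
    return findings


if __name__ == "__main__":
    for f in scan_reg_export(SAMPLE_REG):
        print(f"[{f['rule']}] {f['key']}\n    {f['name']} = {f['data']}\n    {f['reason']}")
```

On a live host the same checks run against the ControlSet the machine actually booted from (CurrentControlSet), not only ControlSet001 as listed above, and against the DomainProfile list as well as StandardProfile.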

P2P
In order to infect other systems in the Peer to Peer network community, the following action is performed:


It searches for the following directories:
   • %PROGRAM FILES%\kazaa\my shared folder\
   • %PROGRAM FILES%\kazaa lite\my shared folder\
   • %PROGRAM FILES%\kazaa lite k++\my shared folder\
   • %PROGRAM FILES%\icq\shared folder\
   • %PROGRAM FILES%\grokster\my grokster\
   • %PROGRAM FILES%\bearshare\shared\
   • %PROGRAM FILES%\edonkey2000\incoming\
   • %PROGRAM FILES%\emule\incoming\
   • %PROGRAM FILES%\morpheus\my shared folder\
   • %PROGRAM FILES%\limewire\shared\
   • %PROGRAM FILES%\tesla\files\
   • %PROGRAM FILES%\winmx\shared\

   If successful, the following files are created:
   • Windows 2003 Advanced Server KeyGen.exe; UT 2003 KeyGen.exe; Half-Life
      2 Downloader.exe; Password Cracker.exe; FTP Cracker.exe; Brutus FTP
      Cracker.exe; Hotmail Hacker.exe; Hotmail Cracker.exe; Norton
      Anti-Virus 2005 Enterprise Crack.exe; DCOM Exploit.exe; NetBIOS
      Hacker.exe; NetBIOS Cracker.exe; Windows Password Cracker.exe; L0pht
      4.0 Windows Password Cracker.exe; sdbot with NetBIOS Spread.exe; Sub7
      2.3 Private.exe; Microsoft Visual C++ KeyGen.exe; Microsoft Visual
      Basic KeyGen.exe; Microsoft Visual Studio KeyGen.exe; MSN Password
      Cracker.exe; AOL Instant Messenger (AIM) Hacker.exe; ICQ Hacker.exe;
      AOL Password Cracker.exe; Keylogger.exe; Website Hacker.exe; IP
      Nuker.exe; Counter-Strike KeyGen.exe; DivX 5.0 Pro KeyGen.exe

   These files are copies of the malware itself.
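Because every lure file is a byte-for-byte copy of the worm, a share directory with one binary sitting under many different "cracker" and "keygen" names is a stronger signal than any single file name. The following is an added example (not Avira's code) that triages a listing of share-folder files using the directories and lure names above, the published MD5 and size, and that duplicate-binary pattern. The file contents are constructed stand-ins, not the real sample, so in this run only the name and clustering rules fire; the hash and size rules are there for use against real files.

```python
"""Triage P2P share folders for Worm/Agent.100872 lure copies."""
import hashlib
from collections import defaultdict

# Hash and size published in the description above.
KNOWN_MD5 = "f5b24ee909954ffccdcd2eeb8a4cd0de"
KNOWN_SIZE = 100872

# Share directories the worm searches for, relative to %PROGRAM FILES%.
SHARE_DIRS = (
    r"kazaa\my shared folder", r"kazaa lite\my shared folder",
    r"kazaa lite k++\my shared folder", r"icq\shared folder", r"grokster\my grokster",
    r"bearshare\shared", r"edonkey2000\incoming", r"emule\incoming",
    r"morpheus\my shared folder", r"limewire\shared", r"tesla\files", r"winmx\shared",
)

# File names the worm uses for its copies.
LURE_NAMES = {n.lower() for n in (
    "Windows 2003 Advanced Server KeyGen.exe", "UT 2003 KeyGen.exe", "Half-Life 2 Downloader.exe",
    "Password Cracker.exe", "FTP Cracker.exe", "Brutus FTP Cracker.exe", "Hotmail Hacker.exe",
    "Hotmail Cracker.exe", "Norton Anti-Virus 2005 Enterprise Crack.exe", "DCOM Exploit.exe",
    "NetBIOS Hacker.exe", "NetBIOS Cracker.exe", "Windows Password Cracker.exe",
    "L0pht 4.0 Windows Password Cracker.exe", "sdbot with NetBIOS Spread.exe", "Sub7 2.3 Private.exe",
    "Microsoft Visual C++ KeyGen.exe", "Microsoft Visual Basic KeyGen.exe",
    "Microsoft Visual Studio KeyGen.exe", "MSN Password Cracker.exe",
    "AOL Instant Messenger (AIM) Hacker.exe", "ICQ Hacker.exe", "AOL Password Cracker.exe",
    "Keylogger.exe", "Website Hacker.exe", "IP Nuker.exe", "Counter-Strike KeyGen.exe",
    "DivX 5.0 Pro KeyGen.exe",
)}


def split_path(path):
    """Return (directory, file name), both lower-cased, for a Windows-style path."""
    d, _, name = path.replace("/", "\\").rpartition("\\")
    return d.lower(), name.lower()


def in_share_dir(directory):
    return any(directory.endswith("\\" + s) for s in SHARE_DIRS)


def triage_share(entries, known_md5=KNOWN_MD5, known_size=KNOWN_SIZE, cluster_min=3):
    """entries maps path -> file bytes. Returns {path: [reasons]} for suspicious files."""
    reasons = defaultdict(list)
    by_hash = defaultdict(set)
    for path, data in entries.items():
        d, name = split_path(path)
        digest = hashlib.md5(data).hexdigest()
        if digest == known_md5:
            reasons[path].append("MD5 matches published sample hash")
        if len(data) == known_size and name.endswith(".exe"):
            reasons[path].append("size matches published sample size")
        if in_share_dir(d):
            by_hash[digest].add(path)
            if name in LURE_NAMES:
                reasons[path].append("lure file name in a P2P share directory")
    # Same binary under several different names inside share directories: the copy
    # pattern described above, which also catches renamed or updated copies.
    for digest, paths in by_hash.items():
        names = {split_path(p)[1] for p in paths}
        if len(names) >= cluster_min:
            for p in paths:
                reasons[p].append(f"one binary under {len(names)} names in share directories")
    return dict(reasons)


# Constructed listing for this example (contents are stand-ins, not the real worm).
FAKE_WORM = b"MZ" + b"stand-in bytes for a worm copy " * 64
BENIGN = b"ID3 stand-in for an audio file"
SAMPLE_ENTRIES = {
    r"C:\Program Files\emule\incoming\Hotmail Hacker.exe": FAKE_WORM,
    r"C:\Program Files\emule\incoming\DCOM Exploit.exe": FAKE_WORM,
    r"C:\Program Files\kazaa\my shared folder\Keylogger.exe": FAKE_WORM,
    r"C:\Program Files\kazaa\my shared folder\Counter-Strike KeyGen.exe": FAKE_WORM,
    r"C:\Program Files\emule\incoming\holiday.mp3": BENIGN,
    r"C:\Users\bob\Desktop\notes.txt": FAKE_WORM,   # same bytes, but not in a share directory
}

if __name__ == "__main__":
    for path, why in triage_share(SAMPLE_ENTRIES).items():
        print(path)
        for r in why:
            print("   -", r)
```

The clustering threshold of three distinct names is an assumption chosen for this example; a user who legitimately keeps several copies of one installer under different names in a share folder would be flagged too, so treat that rule as a lead rather than a verdict.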

Messenger
It spreads via instant messengers. The characteristics are described below:

   • AIM Messenger
   • Windows Live Messenger
   • Yahoo Messenger


To:
All entries in the contact list.


Message
The sent message looks like one of the following:

   • "regarder cette image" (French: "look at this picture")
   • "Schauen Sie dieses Bild an" (German: "look at this picture")
   • "mire este retrato" (Spanish: "look at this portrait")
   • "Look at this picture"
   • "guardare quest'immagine" (Italian: "look at this picture")
   • "Seen this? :D"


Propagation via URL
It sends the following link:
   • http://www.mess**********es.net/yah/yahoo-image293.jpg

Although the link is named like an image, it serves a copy of the described malware. If the user downloads and executes this file, the infection process starts again on that system.

IRC
To deliver system information and to provide remote control, it connects to the following IRC server:

Server: botn**********.cc
Port: 6667
Channel: #infected
Nickname: [%operating system%|%random numbers%]
Password: dkruqou
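The server name is redacted above, so network detection has to rest on the remaining traits: the "[OS|digits]" nick format, the #infected channel, the dkruqou password and port 6667. The following is an added example (not Avira's code) that applies those traits to client-to-server IRC lines; the two sessions it runs over are constructed, not captured traffic, and the nick regex and the "two traits for a verdict" threshold are my reading of the description rather than something it states.

```python
"""Match the IRC control-channel traits of Worm/Agent.100872 against client->server IRC lines."""
import re

# Traits from the description. The regex encodes the nick template "[%operating system%|%random numbers%]".
NICK_RE = re.compile(r"^NICK\s+:?\[[^\]|\s]+\|\d+\]\s*$", re.IGNORECASE)
CHANNEL = "#infected"
PASSWORD = "dkruqou"
PORT = 6667


def irc_indicators(lines, dst_port=PORT):
    """Return the names of the indicators seen in a stream of client->server IRC lines."""
    hits = []
    for raw in lines:
        line = raw.rstrip("\r\n")
        parts = line.split()
        if not parts:
            continue
        cmd = parts[0].upper()
        if cmd == "NICK" and NICK_RE.match(line):
            hits.append("nick format [os|digits]")
        elif cmd == "PASS" and len(parts) > 1 and parts[1] == PASSWORD:
            # The description does not say whether dkruqou is a server password or a
            # channel key, so both forms are checked.
            hits.append("server password dkruqou")
        elif cmd == "JOIN" and len(parts) > 1:
            chans = parts[1].split(",")
            keys = parts[2].split(",") if len(parts) > 2 else []
            if CHANNEL in (c.lower() for c in chans):
                hits.append("join #infected")
            if PASSWORD in keys:
                hits.append("channel key dkruqou")
    if hits and dst_port == PORT:
        hits.append("port 6667")
    return hits


def looks_like_agent_100872(lines, dst_port=PORT, threshold=2):
    """Two or more distinct traits together make a strong match; one alone is only a lead."""
    hits = set(irc_indicators(lines, dst_port))
    hits.discard("port 6667")   # the default IRC port is too generic to count towards the verdict
    return len(hits) >= threshold


# Constructed sessions for this example (not captured traffic).
BOT_SESSION = [
    "NICK [WinXP|48211]",
    "USER winxp 0 * :winxp",
    "JOIN #infected dkruqou",
]
USER_SESSION = [
    "NICK alice",
    "USER alice 0 * :Alice",
    "JOIN #python",
]

if __name__ == "__main__":
    for name, sess in (("bot", BOT_SESSION), ("user", USER_SESSION)):
        print(name, irc_indicators(sess), looks_like_agent_100872(sess))
```

The nick format is shared with other Sdbot/IRCBot-style bots (see the DrWeb and Eset aliases above), so on its own it identifies the family at best; the channel name and password are what tie a session to this particular variant.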



This malware has the ability to collect and send information such as:
   • Information about the network
   • Username
   • Information about the Windows operating system


Furthermore it has the ability to perform actions such as:
   • Connect to IRC server
   • Launch DDoS ICMP flood
   • Disconnect from IRC server
   • Download file
   • Join IRC channel
   • Leave IRC channel
   • Perform DDoS attack
   • Start spreading routine
   • Terminate malware
   • Terminate process
   • Update itself
   • Visit a website

Process termination
Processes whose name contains one of the following strings are terminated:
   • dumpcap
   • SandboxStarter
   • tcpview
   • procmon
   • filemon

These are analysis and monitoring tools (Wireshark's capture engine, a sandbox launcher, Sysinternals TCPView, Process Monitor and FileMon), so the routine works against dynamic analysis. The check is a substring match on the process name, so a renamed copy of the tool is not affected.


Injection
It injects itself as a remote thread into the following process:
   • explorer.exe


Miscellaneous
Mutex:
It creates the following Mutex:
   • fi3+th_ew

File details
Programming language:
The malware program was written in MS Visual C++.


Runtime packer:
In order to hamper detection and reduce the file size, it is packed with a runtime packer.


Encryption:
Encrypted - The virus code inside the file is encrypted.

Description inserted by Ana Maria Niculescu on Wednesday, March 16, 2011
Description updated by Andrei Ivanes on Friday, March 18, 2011
