Virus: BDS/Agent.blcr
Date discovered: 07/07/2011
Type: Backdoor Server
In the wild: No
Reported Infections: Medium
Distribution Potential: Low
Damage Potential: Low
Static file: Yes
File size: 185.440 Bytes
MD5 checksum: 38754b086fa45391ddecaa8e7d9a1c0d
VDF version: 7.11.11.27 - Thursday, July 7, 2011
IVDF version: 7.11.11.27 - Thursday, July 7, 2011

General
Method of propagation:
   • No own spreading routine


Aliases:
   •  Kaspersky: Backdoor.Win32.Agent.blcr
   •  Eset: Win32/Adware.GabPath.CD


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows Server 2008
   • Windows 7


Side effects:
   • Downloads malicious files
   • Registry modification

Files
It deletes the following file:
   • %TEMPDIR%\MNUpdater.prod.v5706.10072011.exe.5ba56657ad8aa8507be65fffc1395acf



The following file is created:
   • %TEMPDIR%\Update.exe
Furthermore, it is executed once it has been fully created. Further investigation showed that this file is malware, too. Detected as: ADWARE/Agent.Gaba.gew




It tries to download the following files:

The location is the following:
   • http://216.**********.153/gpupd.php?VER=**********&mac=DEFAULT


The location is the following:
   • http://clients.mi**********ral.com/mnup.php?HWID=**********
Furthermore, this file is executed once it has been fully downloaded. It may contain further download locations and might serve as a source for new threats.

The location is the following:
   • http://clients.mi**********ral.com/**********MNUpdater.prod.v5**********072011.exe.5ba5**********5acf
It is saved on the local hard drive under: %TEMPDIR%\MNUpdater.prod.v5706.10072011.exe.5ba56657ad8aa8507be65fffc1395acf
Further investigation showed that this file is malware, too. Detected as: ADWARE/Agent.Gaba.gew

Registry
The following value is added under the Run key so that the process is started again after a reboot:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • "updchecker"="%malware execution directory%\\%malware exe%.exe"
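A defender-side check for the persistence entry described above, as an added example that is not part of the Avira description: it parses a constructed .reg export of the HKCU Run key and flags entries whose value name, file name, or temp-directory location matches the indicators in this report (the sample export, the user name, and the OneDrive entry are made up for illustration).

```python
import re
from typing import Dict, List

# Constructed sample .reg export (not a real capture). The "updchecker" line
# mirrors the persistence entry described in this report; "OneDrive" is benign.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"
"updchecker"="C:\\Users\\alice\\AppData\\Local\\Temp\\Update.exe"
'''

RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"

# Indicators taken from this report: the Run value name used for persistence
# and the file names the sample drops into %TEMPDIR%.
SUSPICIOUS_VALUE_NAMES = {"updchecker"}
SUSPICIOUS_FILE_NAMES = {"update.exe", "mnupdater.prod.v5706.10072011.exe"}

_VALUE_RE = re.compile(r'^"([^"]+)"="((?:[^"\\]|\\.)*)"$')


def parse_run_values(reg_text: str, key: str = RUN_KEY) -> Dict[str, str]:
    """Return name -> unescaped data for the REG_SZ values under `key` in a .reg export."""
    values: Dict[str, str] = {}
    in_key = False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_key = line[1:-1].lower() == key.lower()
            continue
        m = _VALUE_RE.match(line) if in_key else None
        if m:
            # .reg files escape backslashes and quotes with a backslash
            values[m.group(1)] = re.sub(r"\\(.)", r"\1", m.group(2))
    return values


def audit_run_values(values: Dict[str, str]) -> List[str]:
    """Flag Run entries that match this report's indicators or start from a temp directory."""
    findings: List[str] = []
    for name, data in values.items():
        m = re.match(r'^"?(.*?\.exe)', data, re.IGNORECASE)  # drop arguments after the exe
        exe = (m.group(1) if m else data).lower()
        file_name = exe.rsplit("\\", 1)[-1]
        reasons = []
        if name.lower() in SUSPICIOUS_VALUE_NAMES:
            reasons.append("value name matches the BDS/Agent.blcr persistence entry")
        if file_name in SUSPICIOUS_FILE_NAMES:
            reasons.append("file name matches a file dropped by this sample")
        if "\\temp\\" in exe:
            reasons.append("autostart executable lives in a temp directory")
        if reasons:
            findings.append(f"{name} -> {data}: " + "; ".join(reasons))
    return findings
```

On a live host the same check runs over the output of `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg`, and a hit on the temp-directory rule alone is worth a look even when the value name differs.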

File details
Programming language:
The malware program was written in MS Visual C++.


Runtime packer:
To hinder detection and reduce the file size, it is packed with a runtime packer.

Description inserted by Jason Soo on Monday, July 11, 2011
Description updated by Jason Soo on Monday, July 11, 2011
