Virus: BDS/Agent.58368.3
Date discovered: 30/08/2012
Type: Backdoor Server
In the wild: No
Reported Infections: High
Distribution Potential: Low
Damage Potential: Medium
Static file: Yes
File size: 58,368 Bytes
MD5 checksum: 3CCFB3CA8C0AAAA4E93856BC79570106
VDF version: 7.11.41.90 - Thursday, August 30, 2012
IVDF version: 7.11.41.90 - Thursday, August 30, 2012

General:
Method of propagation:
   • Email


Alias:
   •  Microsoft: Win32/Gamarue.I


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows Server 2008
   • Windows 7


Side effects:
   • Third party control
   • Lowers security settings
   • Registry modification

Files:
It drops copies of itself using a filename from the following lists.

– To: C:\Documents and Settings\All Users (the expansion of %ALLUSERSPROFILE% on Windows XP/2003; on Vista and later it resolves to C:\ProgramData) using the following name:
   • svchost.exe

– To: %ALLUSERSPROFILE%\Local Settings\Temp using one of the following names:
   • %random character string%.bat
   • %random character string%.pif
   • %random character string%.scr
   • %random character string%.com


Registry:
To each of the following registry keys one of the listed values is added in order to run the processes after reboot:

–  [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "SunJavaUpdateSched"="%ALLUSERSPROFILE%\svchost.exe"

–  [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
   • "%number%"="%ALLUSERSPROFILE%\Local Settings\Temp\%random character string%.pif"
   • "%number%"="%ALLUSERSPROFILE%\Local Settings\Temp\%random character string%.bat"
   • "%number%"="%ALLUSERSPROFILE%\Local Settings\Temp\%random character string%.scr"
   • "%number%"="%ALLUSERSPROFILE%\Local Settings\Temp\%random character string%.com"
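The two autostart locations above are the cheapest thing to check on a suspect host. The following is an added example (not Avira's tooling) that parses the text of a `.reg` export, e.g. from `reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion cv.reg`, so it can be run offline against a triage package; the export embedded below is constructed for the demo, and the value names, random filenames and the benign "Updater" entry are made up. It flags the `SunJavaUpdateSched` value, any Run value that launches a `svchost.exe` from outside `%SYSDIR%`, and numeric `policies\Explorer\Run` values pointing at `.bat/.pif/.scr/.com` files in the Temp path the description names.

```python
r"""Offline check for the persistence entries described above.

Added example, not Avira's tooling. Parses the text of a .reg export
(e.g. `reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion cv.reg`).
The export below is constructed for the demo.
"""
import re

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
POLICY_RUN_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
                  r"\policies\Explorer\Run")

# %ALLUSERSPROFILE% as stored, or as expanded on XP/2003 and on Vista and later.
ALLUSERS = r"(?:%ALLUSERSPROFILE%|C:\\Documents and Settings\\All Users|C:\\ProgramData)"
SVCHOST_COPY = re.compile(ALLUSERS + r"\\svchost\.exe$", re.I)
TEMP_DROPPER = re.compile(
    ALLUSERS + r"\\Local Settings\\Temp\\[^\\]+\.(?:bat|pif|scr|com)$", re.I)
# The genuine svchost.exe lives in %SYSDIR%; autostarting one from anywhere else is suspect.
SYSTEM_SVCHOST = re.compile(r"\\system32\\svchost\.exe", re.I)


def parse_reg_export(text):
    """Yield (key, value_name, data) for every REG_SZ value in a .reg export."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('"') and "=" in line:
            name, _, data = line.partition("=")
            if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                # REG_SZ data is quoted; backslash and quote are escaped as \\ and \".
                yield key, name.strip('"'), re.sub(r"\\(.)", r"\1", data[1:-1])


def find_persistence(reg_text):
    """Return (key, value_name, data, reason) for entries matching the description."""
    hits = []
    for key, name, data in parse_reg_export(reg_text):
        k = key.lower()
        if k == RUN_KEY.lower() and "svchost.exe" in data.lower() \
                and not SYSTEM_SVCHOST.search(data):
            why = "svchost.exe autostarted from outside %SYSDIR%"
            if name == "SunJavaUpdateSched" and SVCHOST_COPY.search(data):
                why += " (value name and path match the description)"
            hits.append((key, name, data, why))
        elif k == POLICY_RUN_KEY.lower() and name.isdigit() and TEMP_DROPPER.search(data):
            hits.append((key, name, data,
                         "numeric policies\\Explorer\\Run value launching a dropped Temp file"))
    return hits


# Constructed export: one benign Run entry, the two persistence keys, one unrelated DWORD.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Updater"="\"C:\\Program Files\\Example\\updater.exe\" /silent"
"SunJavaUpdateSched"="C:\\Documents and Settings\\All Users\\svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=dword:000000ff

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"39475"="C:\\Documents and Settings\\All Users\\Local Settings\\Temp\\kqzcw.pif"
"12"="C:\\Documents and Settings\\All Users\\Local Settings\\Temp\\bjqsx.bat"
'''

if __name__ == "__main__":
    for key, name, data, why in find_persistence(SAMPLE_REG):
        print("%s\n  %s = %s\n  -> %s" % (key, name, data, why))
```

The check on the Run key deliberately does not require the `SunJavaUpdateSched` name: the name is trivially changed between builds, whereas a `svchost.exe` started from any directory other than `%SYSDIR%` is wrong on every supported Windows version. The `policies\Explorer\Run` key is rarely populated on workstations, so any numeric value there is worth a look even if the path differs.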

Email:
It doesn't have its own spreading routine, but it was spammed out via email. The characteristics are described in the following:


From:
The sender address is spoofed.
The sender of the email is the following:
   • notification+aaic-mm-nir_@facebookmail.com


Subject:
The following:
   • Your friend wants to share photos and updates with you



Body:
– Contains HTML code.
The body of the email is the following:

   • One of your friends wants to share photos and updates with you.
     
     One of your friends has invited you to Facebook. After you sign up, you'll be able to stay connected with friends by sharing photos and videos, posting status updates, sending messages and more.


Attachment:
The filename of the attachment is:
   • Your_Friend_New_photos-updates_id%number%.zip

The attachment is an archive containing a copy of the malware itself.
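The lure above combines four observable traits: a facebookmail.com sender, a fixed subject, a fixed attachment-name pattern, and a zip that carries an executable rather than photos. The following is an added example (not Avira's tooling) that builds a message with exactly those traits using Python's standard `email` and `zipfile` modules and then triages it; the message, the inner filename `Your_Friend_New_photos-updates_id7703.exe` and the `MZ` stand-in payload are constructed for the demo, since the page does not name the file inside the archive.

```python
"""Triage check for the spam lure described above.

Added example, not Avira's tooling. The message is constructed with the
traits the description lists; the inner filename and payload are stand-ins.
"""
import email
import email.policy
import io
import re
import zipfile
from email.message import EmailMessage
from email.utils import parseaddr

LURE_SUBJECT = "Your friend wants to share photos and updates with you"
LURE_ATTACHMENT = re.compile(r"^Your_Friend_New_photos-updates_id\d+\.zip$", re.I)
EXEC_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")


def build_sample_lure():
    """Construct a message shaped like the spam run (sample data, not a capture)."""
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as zf:
        # Stand-in for the dropped copy; real samples carry the backdoor here.
        zf.writestr("Your_Friend_New_photos-updates_id7703.exe", b"MZ" + b"\0" * 62)
    msg = EmailMessage()
    msg["From"] = "notification+aaic-mm-nir_@facebookmail.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = LURE_SUBJECT
    msg.set_content("One of your friends wants to share photos and updates with you.")
    msg.add_alternative("<p>One of your friends has invited you to Facebook.</p>",
                        subtype="html")
    msg.add_attachment(zbuf.getvalue(), maintype="application", subtype="zip",
                       filename="Your_Friend_New_photos-updates_id7703.zip")
    return msg.as_bytes()


def triage(raw):
    """Return the reasons a raw message matches the lure (empty list: no match)."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    reasons = []
    sender = parseaddr(msg.get("From", ""))[1].lower()
    attachments = list(msg.iter_attachments())
    if sender.endswith("@facebookmail.com") and attachments:
        reasons.append("notification-style sender carrying a file attachment")
    if (msg.get("Subject") or "").strip() == LURE_SUBJECT:
        reasons.append("subject line of the spam run")
    for part in attachments:
        name = part.get_filename() or ""
        if LURE_ATTACHMENT.match(name):
            reasons.append("attachment name matches Your_Friend_New_photos-updates_id%number%.zip")
        data = part.get_payload(decode=True) or b""
        if data[:2] == b"PK":  # local-file-header magic of a zip archive
            try:
                names = zipfile.ZipFile(io.BytesIO(data)).namelist()
            except zipfile.BadZipFile:
                names = []
            bad = [n for n in names if n.lower().endswith(EXEC_EXT)]
            if bad:
                reasons.append("archive contains executable(s): " + ", ".join(bad))
    return reasons


if __name__ == "__main__":
    for r in triage(build_sample_lure()):
        print("-", r)
```

Offline, the sender check can only note that a notification-style address is carrying an attachment; confirming that the From address is spoofed, as the description states, needs the gateway's SPF/DKIM verdict from the `Authentication-Results` or `Received` headers of a real capture. The archive check is the durable part: a "photos" zip whose members end in `.exe`, `.scr`, `.pif` or `.com` is worth quarantining regardless of subject or sender.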





Backdoor:
The following port is opened:

– %ALLUSERSPROFILE%\svchost.exe listens on TCP port 8000 in order to provide a remote shell.


Contact server:
The following:
   • http://stripe**********image.php

Once connected, it retrieves an additional list of servers. As a result it may send information, and remote control could be provided.

Sends information about:
    • Current malware status
    • Username
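On a live host the listener is the quickest confirmation. The following is an added example (not Avira's tooling) that parses `netstat -ano` output together with a PID-to-image map (as obtained from `tasklist` or `wmic process get ProcessId,ExecutablePath`) and reports any process listening on TCP 8000 or any `svchost.exe` image outside `%SYSDIR%`; it also compares a file's MD5 with the checksum listed at the top of this description. The netstat text, PIDs and image paths below are constructed for the demo.

```python
"""Host check for the backdoor listener described above.

Added example, not Avira's tooling. Inputs are the text of `netstat -ano`
and a PID-to-image map; both samples below are constructed.
"""
import hashlib
import re

SHELL_PORT = 8000                                   # remote-shell port from the description
KNOWN_MD5 = "3ccfb3ca8c0aaaa4e93856bc79570106"      # checksum listed for this sample
SYSTEM_SVCHOST = re.compile(r"\\system32\\svchost\.exe$", re.I)

# Constructed `netstat -ano` output.
NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       908
  TCP    0.0.0.0:8000           0.0.0.0:0              LISTENING       1620
  TCP    192.168.1.10:1044      203.0.113.5:80         ESTABLISHED     1880
  UDP    0.0.0.0:500            *:*                                    712
"""
# Constructed PID-to-image map.
IMAGES = {
    712: r"C:\WINDOWS\system32\lsass.exe",
    908: r"C:\WINDOWS\system32\svchost.exe",
    1620: r"C:\Documents and Settings\All Users\svchost.exe",
    1880: r"C:\WINDOWS\system32\wuauclt.exe",
}


def parse_netstat(text):
    """Yield (proto, local_ip, local_port, state, pid) from `netstat -ano` output."""
    for line in text.splitlines():
        f = line.split()
        if not f or f[0] not in ("TCP", "UDP"):
            continue
        ip, _, port = f[1].rpartition(":")   # rpartition also handles [::]:port
        state = f[3] if f[0] == "TCP" else ""  # UDP rows have no State column
        yield f[0], ip, int(port), state, int(f[-1])


def find_backdoor(netstat_text, images):
    """Return (pid, image, reason) findings for the traits in the description."""
    findings = []
    for proto, _ip, port, state, pid in parse_netstat(netstat_text):
        if proto == "TCP" and state == "LISTENING" and port == SHELL_PORT:
            findings.append((pid, images.get(pid, "?"), "listening on TCP %d" % SHELL_PORT))
    for pid, image in images.items():
        if image.lower().endswith("\\svchost.exe") and not SYSTEM_SVCHOST.search(image):
            findings.append((pid, image, "svchost.exe image outside %SYSDIR%"))
    return findings


def matches_known_sample(data):
    """True if the bytes of a file hash to the MD5 listed for this sample."""
    return hashlib.md5(data).hexdigest() == KNOWN_MD5


if __name__ == "__main__":
    for pid, image, why in find_backdoor(NETSTAT, IMAGES):
        print("PID %d  %s  -> %s" % (pid, image, why))
```

A listener on 8000 alone is a weak indicator (development web servers use it routinely), which is why the example joins it to the owning image path; a `svchost.exe` outside `%SYSDIR%` with a listening socket is the combination that matters. The MD5 comparison only confirms this exact build; a repacked copy will not match, so treat the checksum as a positive identifier, not an all-clear.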

Injection:
It injects itself into a process.

Process name:
   • %SYSDIR%\wuauclt.exe


File details:
Programming language:
The malware program was written in MS Visual C++.


Encryption:
Encrypted - The virus code inside the file is encrypted.

Description inserted by Ana Maria Niculescu on Thursday, August 30, 2012
Description updated by Andrei Gherman on Thursday, August 30, 2012
