Virus: BDS/IRCBot.AQ
Date discovered: 30/11/2011
Type: Backdoor Server
In the wild: No
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Medium
File size: 422912 Bytes
MD5 checksum: f4888616ec030455b529304453e190a6
VDF version: 7.11.18.139 - Wednesday, November 30, 2011
IVDF version: 7.11.18.139 - Wednesday, November 30, 2011
General

Method of propagation:
• No own spreading routine

Aliases:
• Kaspersky: Trojan-Spy.MSIL.Agent.fof
• Bitdefender: Trojan.Generic.5717619
• Microsoft: VirTool:MSIL/Injector.P
• Grisoft: PSW.Generic8.CBQC
• Eset: probably a variant of MSIL/Injector.CF trojan
• GData: Trojan.Generic.5717619
• Norman: Trojan W32/Suspicious_Gen2.LKWMX

Platforms / OS:
• Windows 2000
• Windows XP
• Windows 2003
• Windows Vista
• Windows Server 2008
• Windows 7

Side effects:
• Can be used to modify system settings that allow or augment potential malware behaviour.
• Drops files
• Registry modification
• Steals information

Files

It copies itself to the following locations:
• %TEMPDIR%\%12 digit random character string%.exe
• %APPDATA%\%12 digit random character string%.exe
• %WINDIR%\install\winup32.exe

It deletes the initially executed copy of itself.

It deletes the following files:
• %TEMPDIR%\%computer name%.txt
• %TEMPDIR%\%computer name%7
• %TEMPDIR%\%computer name%8

The following files are created:
– Non malicious file:
  • %APPDATA%\%computer name%log.dat
– %TEMPDIR%\delete.bat
  Once it has been fully written, this batch file is executed; it is used to delete a file.
Registry

One of the following values is added to each of these registry keys so that the processes are run again after reboot:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
  • "Audio HD Driver"="%TEMPDIR%\\%12 digit random character string%.exe"
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
  • "Audio HD Driver"="%TEMPDIR%\\%12 digit random character string%.exe"
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
  • "HKLM"="c:\windows\\install\\winup32.exe"
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
  • "HKCU"="c:\windows\\install\\winup32.exe"

The following registry keys are added in order to load the services after reboot. Each key is created with a single unnamed (null) value under
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\%extension%\OpenWithProgids], once for each of these extensions:
• .aif, .aifc, .aiff, .asf, .asx, .au, .avi, .bmp, .css, .dib, .doc, .dvr-ms, .emf, .gif, .htm, .html, .ico, .IVF, .jfif, .jpe, .jpeg, .jpg, .m1v, .m3u, .mid, .midi, .mp2, .mp2v, .mp3, .mpa, .mpe, .mpeg, .mpg, .mpv2, .png, .rmi, .rtf, .snd, .tif, .tiff, .txt, .wav, .wax, .wm, .wma, .wmf, .wmv, .wmx, .wpl, .wri, .wvx, .xml, .xsl, .zip

The following registry keys are added:
– [HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{04P34X25-047M-8IOY-5N0F-0UD5J4UX071D}]
  • "StubPath"="c:\windows\\install\\winup32.exe Restart"
– [HKCU\Software\pwNd b1tch]
  • "FirstExecution"="29/02/2012 -- 10:15"
  • "NewIdentification"="pwNd b1tch"
  • (null)
– [HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{04P34X25-047M-8IOY-5N0F-0UD5J4UX071D}]
  • "StubPath"="c:\windows\\install\\winup32.exe"
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\%extension%\OpenWithProgids], again with a single (null) value, for each of these extensions:
  • .eml, .mht, .mhtml, .nws, .URL, .wdp, .wmp

The following registry key is changed:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
  Old value:
  • "Hidden"=dword:00000001
  New value:
  • "Hidden"=dword:00000002

Backdoor

Contact server:
• **********.zapto.org

Sends information about:
• Cached passwords
• Collected information described in the stealing section

Miscellaneous

Event handler:
It creates the following event handlers:
• ReadProcessMemory
• WriteProcessMemory
• SetWindowsHook
• CreateRemoteThread
• CopyFile
• CreateProcess
• CreateFile
• GetWindowsDirectory
• GetSystemDirectory
• LsaRetrievePrivateData
• RasDefaultCredentials
• LookupAccountName
• CredEnumerate
• CryptUnprotectData
• PStoreCreateInstance

String:
Furthermore it contains the following strings:
• pstorec.dll
• WindowsLive:name
• rasphone.pbk
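As an added, read-only triage check (not part of the Avira description), the following PowerShell script inspects a host for the persistence indicators listed above: the Run values, the Active Setup component, the dropped winup32.exe and the flipped Explorer "Hidden" setting. The script structure and the "findings" wording are my own; the value names, GUID and paths are taken from the description.

```powershell
# Added read-only triage check for the persistence indicators in this description
# (example code, not part of the original page). Reads the registry and file system only.

$findings = @()

# 1. Run keys: the description names the values "Audio HD Driver", "HKLM" and "HKCU",
#    all pointing at the dropped executable (random-name .exe in %TEMP% or winup32.exe).
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
$suspectValueNames = @('Audio HD Driver', 'HKLM', 'HKCU')
foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $props = Get-ItemProperty -LiteralPath $key
    foreach ($name in $suspectValueNames) {
        $entry = $props.PSObject.Properties[$name]
        if ($null -ne $entry) {
            $findings += "Run value '$name' in $key -> $($entry.Value)"
        }
    }
    # Any Run value launching winup32.exe from an 'install' folder matches the report.
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Value -is [string] -and $p.Value -match '\\install\\winup32\.exe') {
            $findings += "Run value '$($p.Name)' in $key references winup32.exe"
        }
    }
}

# 2. Active Setup component with the GUID quoted in the description (runs StubPath at logon).
$asKey = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{04P34X25-047M-8IOY-5N0F-0UD5J4UX071D}'
if (Test-Path -LiteralPath $asKey) {
    $stub = (Get-ItemProperty -LiteralPath $asKey).StubPath
    $findings += "Active Setup component present, StubPath = $stub"
}

# 3. Dropped file and the Explorer 'Hidden' setting set to 2 (hidden files no longer shown).
$dropped = Join-Path $env:WINDIR 'install\winup32.exe'
if (Test-Path -LiteralPath $dropped) { $findings += "Dropped file present: $dropped" }
$adv = Get-ItemProperty -LiteralPath 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced' -ErrorAction SilentlyContinue
if ($adv -and $adv.Hidden -eq 2) { $findings += "Explorer Advanced\Hidden is 2 (hidden files not shown)" }

if ($findings.Count -eq 0) { Write-Output 'No BDS/IRCBot.AQ persistence indicators found.' }
else { $findings | ForEach-Object { Write-Output "INDICATOR: $_" } }
```

Run it in an elevated PowerShell session on the host under examination; a match on any finding should be followed by collecting the referenced file for analysis before cleanup.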
Description inserted by Wensin Lee on Monday, April 2, 2012 Description updated by Wensin Lee on Monday, April 2, 2012