English
Deutsch
Francais
Español
Italian
Home
Virus Info
BDS/Agent.adp
Search
Home
Support
Solutions
Products
Downloads
Virus Info
Statistics
Phishing Worldmap
VDF History
Virus Science
Submit Sample
Security News
Viruses In the Wild
Company
Press
Partners
Newsletter
BDS/Agent.adp - Backdoor Server
See also
Summary
Full description
Statistics
How would you rate this information?
Worthless
Excellent
Virus:
BDS/Agent.adp
Date discovered:
13/07/2006
Type:
Backdoor Server
In the wild:
No
Reported Infections:
Low
Distribution Potential:
Medium
Damage Potential:
Medium
Static file:
Yes
File size:
219.136 Bytes
MD5 checksum:
79aef21823c08561a08660df43d5f079
VDF version:
6.35.00.158
- Thu, 13 Jul 2006 07:42 (GMT+1)
IVDF version:
6.35.00.197
General
Method of propagation:
• No own spreading routine
Aliases:
• Kaspersky: Backdoor.Win32.Agent.adp
• TrendMicro: WORM_SPYBOT.GE
• VirusBuster: Worm.RBot.FKC
• Bitdefender: Backdoor.Agent.SP
Platforms / OS:
• Windows 95
• Windows 98
• Windows 98 SE
• Windows NT
• Windows ME
• Windows 2000
• Windows XP
• Windows 2003
Side effects:
• Registry modification
• Makes use of software vulnerability
• Steals information
• Third party control
Files
It copies itself to the following location:
•
%SYSDIR%
\
%seven-digit random character string%
.exe
It deletes the initially executed copy of itself.
The following file is created:
–
%SYSDIR%
\SVKP.sys
Registry
The following registry keys are added in order to run the processes after reboot:
– HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
• "Msnupgred"="
%seven-digit random character string%
.exe"
– HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
• "Msnupgred"="
%seven-digit random character string%
.exe"
The following registry key is added:
– HKCU\Software\Microsoft\OLE
• "Msnupgred"="
%seven-digit random character string%
.exe"
Network Infection
Exploit:
It makes use of the following Exploit:
–
MS04-007
(ASN.1 Vulnerability)
Infection process:
Creates an FTP script on the compromised machine in order to download the malware to the remote location.
IRC
To deliver system information and to provide remote control it connects to the following IRC Server:
Server: un.ms6ol.**********
Port: 7000
Channel: #WE
Nickname: USA|
%number%
Password: we...
– This malware has the ability to collect and send information such as:
• Cached passwords
• Capture screen
• Capture shot from webcam
• CPU speed
• Free disk space
• Free memory
• Information about the network
• Information about running processes
• Size of memory
• Information about the Windows operating system
– Furthermore it has the ability to perform actions such as:
• Disable DCOM
• Disable network shares
• Download file
• Enable DCOM
• Execute file
• Join IRC channel
• Leave IRC channel
• Open remote shell
• Perform network scan
• Perform port redirection
• Restart system
• Send emails
• Terminate process
• Updates itself
• Upload file
• Visit a website
Stealing
It tries to steal the following information:
– The following CD keys:
• Battlefield 1942; Battlefield 1942 (Road To Rome); Battlefield 1942
(Secret Weapons of WWII); Battlefield Vietnam; Black and White;
Command & Conquer Generals; Command and Conquer: Generals (Zero Hour);
Command and Conquer: Red Alert 2; Command and Conquer: Tiberian Sun;
Counter-Strike (Retail); Chrome; FIFA 2002; FIFA 2003; Freedom Force;
Global Operations; Gunman Chronicles; Half-Life; Hidden & Dangerous 2;
IGI 2: Covert Strike; Industry Giant 2; James Bond 007: Nightfire;
Legends of Might and Magic; Medal of Honor: Allied Assault; Medal of
Honor: Allied Assault: Breakthrough; Medal of Honor: Allied Assault:
Spearhead; Nascar Racing 2002; Nascar Racing 2003; Need For Speed Hot
Pursuit 2; Need For Speed: Underground; Neverwinter Nights;
Neverwinter Nights (Hordes of the Underdark); Neverwinter Nights
(Shadows of Undrentide); NHL 2003; NHL 2002; NOX; Rainbow Six III
RavenShield; Shogun: Total War: Warlord Edition; Soldier of Fortune II
- Double Helix; Soldiers Of Anarchy; The Gladiators; Unreal Tournament
2003; Unreal Tournament 2004
File details
Programming language:
The malware program was written in MS Visual C++.
Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with a runtime packer.
See a brief description
here
.
Description inserted by Ionut Slaveanu on Thu, 07 Sep 2006 10:37 (GMT+1)
Description updated by Ionut Slaveanu on Fri, 22 Sep 2006 16:46 (GMT+1)
»
About Malware
»
About Phishing
»
Viruses In the Wild
« back
Print this page
TR/Crypt.CFI.Gen
W32/Elkern.C
Worm/Mytob.AD
Worm/Kidala.G
Worm/Mytob.AT
TR/Drop.MuJoin.AF
PHISH/CrediCard
TR/Autorun.afj
BDS/Agent.qfh.1
TR/Dldr.FraudLoa.NC
Get comfortable up to the minute info from Avira as
Detects and removes the following malware and its variants:
Worm/Sober.J
Worm/Sober.P
Worm/Sober.Y
W32/Stanit.A
Worm/NetSky.AA
Worm/NetSky.B.1
Worm/NetSky.C
Worm/Netsky.D.Dam
Worm/NetSky.P
Worm/NetSky.X
Worm/Mytob.IN.2
Worm/Mytob.KS
TR/Spy.Banker.AATZ
TR/Spy.Banker.AATZ.1
TR/Spy.Banker.AATZ.2
TR/Spy.Banker.AATZ.3
Download here
Click
here
to get the panel...
© 2008 Avira GmbH
Copyright
Privacy
Sitemap
Feedback
Imprint
FAQ
Contact
Virus Info BDS/Agent.adp
Print this page
.gif)
