BDS/Agent.nin - Backdoor Server

See also

Summary

Full description

Statistics

Virus:	BDS/Agent.nin
Date discovered:	13/11/2007
Type:	Backdoor Server
In the wild:	No
Reported Infections:	Low
Distribution Potential:	Low
Damage Potential:	Medium
Static file:	Yes
File size:	53248 Bytes
MD5 checksum:	0a1c9f1cfacb21ebe0ca2e5a4e017f2b
VDF version:	7.00.00.208
IVDF version:	7.00.00.216 - Wed, 14 Nov 2007 15:33 (GMT+1)

General Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003

Side effects:
   • Disable security applications
   • Lowers security settings
   • Registry modification
   • Steals information
   • Third party control

Files It drops a copy of itself using a filename from a list:
– To: %SYSDIR\ Using one of the following names:
   • winhelp%random character string%%number%.exe
   • wincheck%random character string%%number%.exe
   • system%random character string%%number%.exe
   • lsas%random character string%%number%.exe
   • svctoc%random character string%%number%.exe

It deletes the initially executed copy of itself.

Registry The following registry key is continuously in an infinite loop added in order to run the process after reboot.

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "Winupdates"="%SYSDIR%\%executed file%.exe"

It creates the following entry in order to bypass the Windows XP firewall:

– [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\
   FirewallPolicy\StandardProfile\AuthorizedApplications\List]
   • "%SYSDIR%\%executed file%.exe"="%SYSDIR%\%executed
      file%.exe:*:Enabled:\%executed file%"

The following registry key is added:

– [HKCU\Software\Microsoft\Windows Updates\RM]

The following registry keys are changed:

– [HKCU\Software\Microsoft\Windows Updates]
   New value:
   • "Name"="%executed file%"
     "CurrentVersion"=dword:00000023
     "Last Update"="%current date% %current time%"
     "Next Update"="%current date% %current time%"
     "Id"="%hex number%"

– [HKLM\SOFTWARE\Microsoft\Security Center]
   New value:
   • "FirewallOverride"=dword:00000001
     "AntiVirusOverride"=dword:00000001

Backdoor The following port is opened:

– %SYSDIR%\%executed file%.exe on a random TCP port in order to provide backdoor capabilities.

Contact server:
All of the following:
   • http://87.249.38.126/asg234/**********
   • http://87.249.38.126/asg234/update/**********

As a result it may send information and remote control could be provided. This is done via the HTTP GET request on a PHP script.

Sends information about:
    • Current malware status
    • Opened port
    • Information about the Windows operating system

Remote control capabilities:
    • Download file

Miscellaneous Checks for an internet connection by contacting the following web site:
• http://www.windowsupdate.microsoft.com

Mutex:
It creates the following Mutex:
• 68E1D888-19B3-4F40-8941-95EC38E4AF69

File details Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with a runtime packer.

See a brief description here.

Description inserted by Monica Ghitun on Thu, 15 Nov 2007 16:48 (GMT+1)
Description updated by Andrei Gherman on Wed, 28 Nov 2007 13:10 (GMT+1)

» About Malware
» About Phishing
» Viruses In the Wild

« back