TR/Agent.P.2 - Trojan
Alias:
Type: Worm
Size: 97.280 Bytes
Origin:
Date: 06-09-2005
Damage:
VDF Version: 6.31.0.18
Danger: Low
Distribution: Low
General Description
Affected Platforms
* Windows 95
* Windows 98
* Windows ME
* Windows NT
* Windows 2000
* Windows XP
* Windows Server 2003
Symptoms
- opens TCP port 6666
Technical Details
If the trojan "TR/Agent.P.2" is executed, it creates the following files:
\%Sysdir%\k.exe
\%Sysdir%\fkd8df6s.lnk (505 Bytes)
\%Sysdir%\lizenz.txt (6.727 Bytes)
\%Windir%\witetest
\%Sysdir%\pdata (335 Bytes)
\%Sysdir%\lddata (4 Bytes)
\%Sysdir%\ddata (57.921 Bytes)
\%Favorites%\-ebay-.url
\%Favorites%\-aktuelle-news-.url
It also makes the following modifications to the Windows Registry:
- New Entries
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"System"="C:\\WINDOWS\\System\\k.exe"
[HKEY_CURRENT_USER\Software\System]
"SystemFlag"=dword:00000001
"SystemId"="<%randomdigits%>"
"SystemTimeout"=dword:0000000a
"SystemTimer"=dword:0000000a
"SystemHost"="ÓH2ö§a3-ü?ßc3P"
"SystemVersion"=dword:00000071
"SystemStamp"="<%randomdigits%>"
"SystemFlagTimeout"=dword:00000001
"SystemFavoriteVersion"=dword:0000007a
"SystemHostlistVersion"=dword:00000083
[HKEY_LOCAL_MACHINE\SOFTWARE\System]
"System"=dword:<%randomnumber%>
- Changed Entries:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Search Page"="http://ie.search.msn.com"
"Use Custom Search URL"=dword:00000001
"Default_Search_URL"="http://ie.search.msn.com"
"Search Bar"="http://ie.search.msn.com"
The virus "TR/Agent.P.2" displays a window with a License Agreement (EULA). If this is not accepted, the program stops its execution:
http://www.antivir.de/uploads/RTEmagicC_AgentP2_01.jpg.jpg
The trojan generates a mutex named "UNIQUENAMEHERE".
It calls a URL and receives data, which is then used to create the following files:
pdata
ddata
lddata
TR/Agent.P.2 opens TCP port 6666 and generates an ICMP request to all IP addresses in the range 213.203.209.118 - 213.203.209.126.
It also sends WHOIS queries to a number of WHOIS servers, asking for the domain names in the file "ddata".
The file "fkd8df6s.lnk" is a link that calls the trojan with a parameter:
"C:\WINDOWS\system\k.exe /uninstall"
The trojan removes all the files it created and copies itself to the Windows directory under the name "removeme.exe".
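As an added example (not Avira's code), the registry entries listed above can be checked offline against a regedit export of a suspect machine. It assumes the export has already been decoded to text; the function names, the three-value threshold and the sample export are constructed for illustration.

```python
import re

# Indicators copied from the registry section of this description.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
CONFIG_KEY = r"HKEY_CURRENT_USER\Software\System"
CONFIG_VALUES = {"SystemFlag", "SystemId", "SystemTimeout", "SystemTimer",
                 "SystemHost", "SystemVersion", "SystemStamp"}
MIN_CONFIG_VALUES = 3  # assumption: tolerate partial writes or partial cleanup
VALUE_RE = re.compile(r'"((?:[^"\\]|\\.)*)"=(.*)$')

def parse_reg(text):
    """Parse regedit export text into {lowercased key path: {value name: data}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
            continue
        m = VALUE_RE.match(line) if current is not None else None
        if not m:
            continue  # header, blank line or hex continuation: ignored here
        name, data = m.groups()
        if len(data) >= 2 and data[0] == data[-1] == '"':
            data = re.sub(r"\\(.)", r"\1", data[1:-1])  # undo \\ and \" escaping
        elif data.lower().startswith("dword:"):
            data = int(data[6:], 16)
        current[name] = data
    return keys

def scan(text):
    """Return (indicator, detail) tuples for TR/Agent.P.2 registry traces."""
    keys, hits = parse_reg(text), []
    target = keys.get(RUN_KEY.lower(), {}).get("System")
    if isinstance(target, str) and target.lower().endswith("\\k.exe"):
        hits.append(("autostart", target))
    present = CONFIG_VALUES & set(keys.get(CONFIG_KEY.lower(), {}))
    if len(present) >= MIN_CONFIG_VALUES:
        hits.append(("config-key", sorted(present)))
    return hits

# Constructed sample export, not taken from a real host.
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"System"="C:\\WINDOWS\\System\\k.exe"
[HKEY_CURRENT_USER\Software\System]
"SystemFlag"=dword:00000001
"SystemTimeout"=dword:0000000a
"SystemVersion"=dword:00000071
'''
```

Calling `scan(SAMPLE)` reports both the autostart value and the configuration key; an export without these entries returns an empty list.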
Description inserted by Crony Walker on Tue, 15 Jun 2004 14:00 (GMT+1)
© 2010 Avira GmbH