Classification

Category :

Trojan

Type :

Backdoor

Aliases :

Agent.AGW

Summary

Agent.AGW is a backdoor program that allows remote control over a victim's computer by sending specific commands via IRC channels. This backdoor can also steal data, spread to the local network, and spread to computers vulnerable to exploits.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

Agent.AGW is a backdoor program that allows remote control over a victim's computer by sending specific commands via IRC channels. This backdoor can also steal data, spread to the local network, and spread to computers vulnerable to exploits.

Upon execution, it drops the following files:

  • %WinDir%\lsass.exe - a copy of itself.
  • %SysDir%\rdriv.sys - a trojan rootkit used to hide its presence on the machine. This is now detected as Rootkit.Win32.Agent.p.

Note: "%WinDir%" represents the Windows root directory and "%SysDir%" represents the Windows System directory.

It installs itself as a service by creating the following registry keys:

  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lsass]
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rdriv]

It creates the following registry entries to lower the system's security settings:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    UpdatesDisableNotify = "dword:00000000"
    AntiVirusDisableNotify = "dword:00000000"
    FirewallDisableNotify = "dword:00000000"
    AntiVirusOverride = "dword:00000000"
    FirewallOverride = "dword:00000000"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
    DoNotAllowXPSP2 = "dword:00000001"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]
    EnableFirewall = "dword:00000000"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]
    EnableFirewall = "dword:00000000"

It creates the following registry entries to disable Administrative Shares in NT4.0 Server and Workstation:

  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters]
    AutoShareWks = "dword:00000000"
    AutoShareServer = "dword:00000000"
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters]
    AutoShareWks = "dword:00000000"
    AutoShareServer = "dword:00000000"

Agent.AGW also modifies the following registry entries to disable DCOM network binding and restrict anonymous access:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole] EnableDCOM = "N"

Note: the default value is EnableDCOM = "Y".

  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa] restrictanonymous = "dword:00000001"

Note: The default value for restrictanonymous is user dependent.

Agent.AGW also disables automatic update of Service Pack 2 in Windows XP by changing the following registry entry:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate] DoNotAllowXPSP2 = "1"

Note: The default value for DoNotAllowXPSP2 = "0".

It modifies the following registry entry to shorten the time the system waits for services to stop after they are notified of a system shutdown:

  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control] WaitToKillServiceTimeout = "7000"

Note: This is equivalent to 7 seconds. The default value is WaitToKillServiceTimeout = "20000", which is equivalent to 20 seconds.

It also disables the Messenger, Remote Registry, Security Center, and Telnet services respectively by modifying the following registry entries:

  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Messenger] Start = "dword:00000004"

Note: Default value is Start = "dword:00000002".

  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry] Start = "dword:00000004"

Note: Default value for Start = "dword:00000002".

  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\wscsvc] Start = "dword:00000004"

Note: Default value is Start = "dword:00000002".

  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr] Start = "dword:00000004"

Note: Default value is Start = "dword:00000003".
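The registry changes listed above are a practical detection surface: a checker that walks a `reg export` dump of an infected machine for these keys, as an added example that is not part of F-Secure's description. Key paths and values are taken from the description; the .reg sample and the function names are constructed for the example.

```python
# Added example (not part of the F-Secure description): scan a `reg export`
# dump for the registry changes listed above. Several of them are also
# legitimate hardening (restrictanonymous, EnableDCOM="N"), so every match
# is reported and the analyst weighs the combination with the lsass/rdriv keys.
HIVE = "HKEY_LOCAL_MACHINE\\"
INDICATORS = [  # (key path below HKLM, value name, expected data); name None = key presence
    (r"SYSTEM\CurrentControlSet\Services\lsass", None, None),
    (r"SYSTEM\CurrentControlSet\Services\rdriv", None, None),
    (r"SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile", "EnableFirewall", "dword:00000000"),
    (r"SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate", "DoNotAllowXPSP2", "dword:00000001"),
    (r"SOFTWARE\Microsoft\Ole", "EnableDCOM", '"N"'),
    (r"SYSTEM\CurrentControlSet\Control\Lsa", "restrictanonymous", "dword:00000001"),
    (r"SYSTEM\CurrentControlSet\Control", "WaitToKillServiceTimeout", '"7000"'),
    (r"SYSTEM\CurrentControlSet\Services\RemoteRegistry", "Start", "dword:00000004"),
    (r"SYSTEM\CurrentControlSet\Services\TlntSvr", "Start", "dword:00000004"),
]

def parse_reg(text):
    """Parse .reg text into {key_path: {value_name.lower(): data}}."""
    keys, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]          # new key section; may have no values
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"') and '"=' in line:
            name, data = line[1:].split('"=', 1)   # "Name"=data
            keys[current][name.lower()] = data
    return keys

def find_indicators(reg_text):
    """Return (path, value_name, data) for each indicator found in the dump."""
    keys = {k[len(HIVE):].lower(): v for k, v in parse_reg(reg_text).items()
            if k.upper().startswith(HIVE)}
    hits = []
    for path, name, expected in INDICATORS:
        values = keys.get(path.lower())
        if values is not None and name is None:      # service key exists at all
            hits.append((path, None, None))
        elif values and values.get(name.lower(), "").lower() == expected.lower():
            hits.append((path, name, values[name.lower()]))
    return hits

SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rdriv]
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]
"EnableFirewall"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry]
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control]
"WaitToKillServiceTimeout"="7000"
"""
```

On the constructed sample, `find_indicators(SAMPLE_REG)` reports the rdriv service key, the disabled firewall profile and the 7-second shutdown timeout, and correctly ignores Remote Registry because its Start value is still the default 2.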

Agent.AGW attempts to connect to the following IRC server:

  • bla.girlsontheblock.com

It attempts to join the following IRC channels:

  • #na-e
  • #na-s

Once successfully connected, a hacker can send commands to the bots on the IRC channel to control the infected computer. It has the ability to do the following:

  • Display System Information
  • Download and Upload a File
  • List current processes
  • Scan for Files
  • Execute a file
  • Perform denial of service attack
  • Steal user information and log keyboard and mouse events
  • Send copies using different IM applications
  • Visit websites
  • Enumerate remote shares
  • Scan and exploit computers vulnerable to exploits

When spreading, the bot can exploit the following vulnerabilities:

  • Vulnerability in Plug and Play Could Allow Remote Code Execution and Elevation of Privilege (MS05-039), port 445
  • Vulnerability in Server Service Could Allow Remote Code Execution (MS06-040), port 139

It uses the following user accounts:

  • administrator
  • admin

to connect to the target machine's hidden shares:

  • Admin$
  • ipc$

using the following list of weak passwords:

  • 12345
  • 123456
  • 654321
  • admin
  • asdfgh
  • server

It also tries to steal usernames and passwords from the following known applications:

  • MSN Hotmail
  • Outlook Express
  • PayPal