F-Secure
Tools
Agent.AGW
Summary
Agent.AGW is a backdoor program that allows contol over a victim's computers remotely by sending specific commands via IRC channels. This backdoor can also steal data, spread to a local network, and to computers vulnerable to exploits.
Disinfection
Allow F-Secure Anti-Virus to disinfect the relevant files.
For more general information on disinfection, please see Removal Instructions.
Additional Details
Agent.AGW is a backdoor program that allows control over a victim's computers remotely by sending specific commands via IRC channels. This backdoor can also steal data, spread to a local network, and to computers vulnerable to exploits.
Upon execution, it drops the following files:
Note: %WinDir%" represents the Windows root directory and "%SysDir%" represents the Windows System directory.
It installs itself as a service by creating the following registry keys:
It installs itself as a service by creating the following registry keys:
It creates the following registry entries to lower the system's security settings:
It creates the following registry entries to disable Administrative Shares in NT4.0 Server and Workstation:
Agent.AGW also modifies the following registry entries to disable and restrict anonymous access and DCOM network binding:
Note: the default value is EnableDCOM = "Y".
Note: The default value for restrictanonymous is user dependent.
Agent.AGW also disables automatic update of Service Pack 2 in Windows XP by changing the following registry entry:
Note: The default value for DoNotAllowXPSP2 = "0".
It modifies the following regsitry entry to shorten the waiting time for services to stop after service notification of system Shutdown:
Note: This is equivalent to 7 seconds. The default value is WaitToKillServiceTimeout= "20000", which is equivalent to 20 seconds.
It also disables the Messenger, Remote Registry, Security Center, and Telnet services respectively by modifiying the following regsitry entries:
Note: Default value is Start = "dword:00000002".
Note: Default value for Start = "dword:00000002".
Note: Default value is Start = "dword:00000002".
Note: Default value is Start = "dword:00000003".
Agent.AGW attempts to connect to the following IRC server:
It attempts to join the following IRC channels:
Once successfully connected, a hacker can send commands to the bots on the IRC channel to control the infected computer. It has the ability to do the following:
When spreading, the bot can exploit the following vulnerabilities:
It uses the following user accounts:
- to connect to the target machine's hidden shares:
- by using the following list of weak passwords:
It also tries to steal usernames and passwords from the following known applications:
Upon execution, it drops the following files:
- %WinDir%\lsass.exe
- a copy of itself. - %SysDir%\rdriv.sys
- a trojan rootkit used to hide its presence on the machine. This is now detected as Rootkit.Win32.Agent.p.
Note: %WinDir%" represents the Windows root directory and "%SysDir%" represents the Windows System directory.
It installs itself as a service by creating the following registry keys:
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lsass]
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rdriv]
It installs itself as a service by creating the following registry keys:
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lsass]
It creates the following registry entries to lower the system's security settings:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
UpdatesDisableNotify = "dword:00000000"
AntiVirusDisableNotify = "dword:00000000"
FirewallDisableNotify = "dword:0000000"
AntiVirusOverride = "dword:00000000"
FirewallOverride = "dword:00000000" - [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
DoNotAllowXPSP2 = dword:00000001 - [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]
EnableFirewall = "dword:00000000" - [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]
EnableFirewall = "dword:00000000"
It creates the following registry entries to disable Administrative Shares in NT4.0 Server and Workstation:
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters]
AutoShareWks = "dword:00000000"
AutoShareServer = "dword:00000000" - [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters]
AutoShareWks = "dword:00000000"
AutoShareServer = "dword:00000000"
Agent.AGW also modifies the following registry entries to disable and restrict anonymous access and DCOM network binding:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
EnableDCOM = "N"
Note: the default value is EnableDCOM = "Y".
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
restrictanonymous = "dword:00000001"
Note: The default value for restrictanonymous is user dependent.
Agent.AGW also disables automatic update of Service Pack 2 in Windows XP by changing the following registry entry:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
DoNotAllowXPSP2 = "1"
Note: The default value for DoNotAllowXPSP2 = "0".
It modifies the following regsitry entry to shorten the waiting time for services to stop after service notification of system Shutdown:
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control]
WaitToKillServiceTimeout= "7000"
Note: This is equivalent to 7 seconds. The default value is WaitToKillServiceTimeout= "20000", which is equivalent to 20 seconds.
It also disables the Messenger, Remote Registry, Security Center, and Telnet services respectively by modifiying the following regsitry entries:
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Messenger]
Start = "dword:00000004"
Note: Default value is Start = "dword:00000002".
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry]
Start = "dword:00000004"
Note: Default value for Start = "dword:00000002".
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\wscsvc]
Start = "dword:00000004"
Note: Default value is Start = "dword:00000002".
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr]
Start = "dword:00000004"
Note: Default value is Start = "dword:00000003".
Agent.AGW attempts to connect to the following IRC server:
- bla.girlsontheblock.com
It attempts to join the following IRC channels:
- #na-e
- #na-s
Once successfully connected, a hacker can send commands to the bots on the IRC channel to control the infected computer. It has the ability to do the following:
- Display System Information
- Download and Upload a File
- List current processes
- Scan for Files
- Execute a file
- Perform denial of service attack
- Steal user information and log keyboard and mouse events
- Send copies using different IM applications
- Visit websites
- Enumerate remote shares
- Scan and exploit computers vulnerable to exploits
When spreading, the bot can exploit the following vulnerabilities:
- Vulnerability in Plug and Play Could Allow Remote Code Execution and Elevation of Privilege (MS05-039) port 445
- Vulnerability in Server Service Could Allow Remote Code Execution (MS06-040) port 139
It uses the following user accounts:
- administrator
- admin
- to connect to the target machine's hidden shares:
- Admin$
- ipc$
- by using the following list of weak passwords:
- 12345
- 123456
- 654321
- admin
- asdfgh
- server
It also tries to steal usernames and passwords from the following known applications:
- MSN Hotmail
- Outlook Express
- PayPal
Detection
F-Secure Anti-Virus detects this malware with the following updates:
[FSAV_Database_Version]
Version = 2006-09-05_02.