Threat Description

Agent.BAO

Details

Aliases: Agent.BAO
Category: Malware
Type: Malware-Downloader
Platform: W32

Summary



Agent.BAO, a variant of Agent, is a Trojan. Agent.BAO downloads various trojans and backdoors and activates them on the affected system without the user's approval.



Removal


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More

You may wish to refer to the Support Community for further assistance. You may also refer to General Removal Instructions for a general guide on alternative disinfection actions.



Technical Details



Agent.BAO is a trojan downloader. It connects to a specified site on the Internet and retrieves further malicious download links.

Upon execution, it drops a copy of itself to the following location:

  • %sysdir%\SVCH0ST.exe

It also creates a service with the following service name:

  • 000Kendy Demo Service

It adds the following service registry entry:

  • [HKLM\System\CurrentControlSet\Services\000Kendy Service] ImagePath = %sysdir%\svch0st.exe

It downloads a text file from the following site:

  • http://kkpic.net/ggg/adc/[REMOVED].txt

This text file contains download links of other malware.

Below is a list of some of the download sites gathered, each with the detection name of the file downloaded from it:

  • http://222.220.16.185/data6/j[REMOVED].exe - Packed.Win32.NSAnti.b
  • http://222.220.16.185/data6/w[REMOVED].exe - Trojan-PSW.Win32.Lmir.bdb
  • http://222.220.16.185/data6/m[REMOVED].exe - Trojan-Downloader.Win32.Small.bxa
  • http://222.220.16.185/data6/w[REMOVED].exe - Trojan-PSW.Win32.Agent.im
  • http://222.220.16.185/data6/m[REMOVED].exe - Trojan-PSW.Win32.Delf.fz
  • http://222.220.16.185/data6/j[REMOVED].exe - Backdoor.Win32.Agent.aex
  • http://222.220.16.185/data6/w[REMOVED].exe - Backdoor.Win32.Agent.aex
  • http://222.220.16.185/data6/z[REMOVED].exe - Trojan-PSW.Win32.WOW.qm
  • http://222.220.16.185/data6/q[REMOVED].exe - Trojan-PSW.Win32.QQPass.hn
  • http://222.220.16.185/data6/c[REMOVED].exe - Trojan-Dropper.Win32.Agent.ayv

Note: The download links may vary depending on the content of the downloaded text file.

Agent.BAO also creates a file named autorun.inf in the directory where its copy is located. This file is used to execute the trojan automatically when the folder is opened.
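The following is an added example and not part of F-Secure's description: a small Python check that walks a constructed host snapshot for the indicators listed above (the svch0st.exe look-alike with a digit zero in place of the letter o, the 000Kendy service names, and an autorun.inf that launches the dropped copy). The snapshot format and the sample data are assumptions made up for the example, not the output of any real tool.

```python
# Indicators taken from the description above; the snapshot layout and sample data are constructed.
SERVICE_NAMES = {"000Kendy Demo Service", "000Kendy Service"}
LEGIT = "svchost.exe"


def is_lookalike(filename):
    """True for names that read as svchost.exe only because a digit 0 stands in for the letter o."""
    name = filename.lower()
    return "0" in name and name.replace("0", "o") == LEGIT


def check_snapshot(snapshot):
    """Return a list of findings for a host snapshot (a constructed dict, not a real tool's output):
    sysdir   -> the Windows system directory
    files    -> list of full file paths present on the host
    services -> {service name: ImagePath}
    autorun  -> {directory: text of the autorun.inf found there}
    """
    findings = []
    sysdir = snapshot["sysdir"].rstrip("\\").lower()
    for path in snapshot["files"]:
        folder, _, name = path.lower().rpartition("\\")
        if is_lookalike(name):
            where = "in" if folder == sysdir else "outside"
            findings.append(f"look-alike binary {where} system directory: {path}")
    for svc, image in snapshot["services"].items():
        if svc in SERVICE_NAMES:
            findings.append(f"known malicious service name: {svc}")
        # ImagePath may carry arguments (e.g. "-k NetworkService"); look at the executable only.
        # Quoted paths containing spaces are not handled here.
        exe = (image.split() or [""])[0].rpartition("\\")[2]
        if is_lookalike(exe):
            findings.append(f"service {svc!r} starts look-alike binary: {image}")
    for folder, inf in snapshot["autorun"].items():
        # The trojan writes autorun.inf beside its copy so that opening the folder launches it.
        for line in inf.lower().splitlines():
            key, _, value = line.partition("=")
            if key.strip() in ("open", "shellexecute") and is_lookalike(value.strip().rpartition("\\")[2]):
                findings.append(f"autorun.inf in {folder} launches look-alike binary")
    return findings


SAMPLE = {  # constructed snapshot of an infected host
    "sysdir": r"C:\WINDOWS\system32",
    "files": [r"C:\WINDOWS\system32\svchost.exe", r"C:\WINDOWS\system32\SVCH0ST.exe"],
    "services": {"Dnscache": r"C:\WINDOWS\system32\svchost.exe -k NetworkService",
                 "000Kendy Demo Service": r"C:\WINDOWS\system32\svch0st.exe"},
    "autorun": {r"C:\WINDOWS\system32": "[autorun]\r\nopen=SVCH0ST.exe\r\n"},
}

if __name__ == "__main__":
    for finding in check_snapshot(SAMPLE):
        print(finding)
```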



Detection



Detection Type: PC
Database: 2006-11-06_02



