F-Secure
Tools
Agent.BAO
Summary
Agent.BAO, a variant of Agent, is a Trojan. Agent.BAO downloads different trojans and backdoors and activate them on an affected system without user's approval.
Disinfection
Allow F-Secure Anti-Virus to disinfect the relevant files.
For more general information on disinfection, please see Removal Instructions.
Additional Details
Agent.BAO is a trojan downloader. It connects to a specified site on the Internet and gets more malicious download links.
Upon execution, it drops a copy of itself from the following location:
It also creates a service with the following service name:
It adds the following service registry entry:
It downloads a text file from the following site:
This text file contains download links of other malware.
Below is the list of some of the download sites gathered and the corresponding detection name of the downloaded files:
Note: The download links may vary depending on the content of the downloaded text file.
Moreover, Agent.BAO also creates a file named autorun.inf in the directory where the copy of the trojan is located. This is used to automatically execute the trojan when the folder is opened.
Upon execution, it drops a copy of itself from the following location:
- %sysdir%\SVCH0ST.exe
It also creates a service with the following service name:
- 000Kendy Demo Service
It adds the following service registry entry:
- [HKLM\System\CurrentControlSet\Services\000Kendy Service]
ImagePath=%sysdir%\svch0st.exe
It downloads a text file from the following site:
- http://kkpic.net/ggg/adc/[REMOVED].txt
This text file contains download links of other malware.
Below is the list of some of the download sites gathered and the corresponding detection name of the downloaded files:
- http://222.220.16.185/data6/j[REMOVED].exe
- Packed.Win32.NSAnti.b - http://222.220.16.185/data6/w[REMOVED].exe
- Trojan-PSW.Win32.Lmir.bdb - http://222.220.16.185/data6/m[REMOVED].exe
- Trojan-Downloader.Win32.Small.bxa - http://222.220.16.185/data6/w[REMOVED].exe
- Trojan-PSW.Win32.Agent.im - http://222.220.16.185/data6/m[REMOVED].exe
- Trojan-PSW.Win32.Delf.fz - http://222.220.16.185/data6/j[REMOVED].exe
- Backdoor.Win32.Agent.aex - http://222.220.16.185/data6/w[REMOVED].exe
- Backdoor.Win32.Agent.aex - http://222.220.16.185/data6/z[REMOVED].exe
- Trojan-PSW.Win32.WOW.qm - http://222.220.16.185/data6/q[REMOVED].exe
- Trojan-PSW.Win32.QQPass.hn - http://222.220.16.185/data6/c[REMOVED].exe
- Trojan-Dropper.Win32.Agent.ayv
Note: The download links may vary depending on the content of the downloaded text file.
Moreover, Agent.BAO also creates a file named autorun.inf in the directory where the copy of the trojan is located. This is used to automatically execute the trojan when the folder is opened.
Detection
F-Secure Anti-Virus detects this malware with the following updates:
[FSAV_Database_Version]
Version = 2006-11-06_02.