Threat Description

Backdoor:​W32/Agent.ADQB

Details

Aliases:backdoor.win32.agent.adqb
Category:Malware
Type:Backdoor
Platform:W32

Summary



A remote administration utility which bypasses normal security mechanisms to secretly control a program, computer or network.



Removal


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More

You may wish to refer to the Support Community for further assistance. You also may also refer to General Removal Instructions for a general guide on alternative disinfection actions.



Technical Details



This backdoor program attempts to connect to a remote IRC server. It also attempts a Denial-of-Service (DoS) exploit on any machines it finds with an open Microsoft-ds (Directory Service) port.

Installation

During installation, the following files are created:

  • %windir%\system\wmisvr.exe - Copy of the backdoor
  • %windir%\system32\drivers\sysdrv32.sys - Detected as Worm.Win32.AutoRun.ezt

Activity

While active, the backdoor attempts to connect to a remote IRC server:

  • sec.republicofskorea.info:8084/TCP

The backdoor also iterates the IP address and looks for available systems with an open Microsoft-ds port (specifically, tcp 445). If a vulnerable machine is discovered, the backdoor breaches the targeted machine's Windows Firewall, a form of Denial-of-Service (DoS) exploit similar to the notorious MS04-011 vulnerability.To protect the backdoor, the WMISRV Service is stopped when the debugger program Ollydbg is launched; this protective action makes the debugging process more difficult.

Registry

The backdoor edits the Windows Firewall Policy, to allow it to function as an authorized application.

  • HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\WINDOWS\system\wmisvr.exe = C:\WINDOWS\system\wmisvr.exe:*:Microsoft Enabled

It also sets two malware launch points as services:

  • HKLM\System\CurrentControlSet\Services\WMISRV ImagePath = "C:\WINDOWS\system\wmisvr.exe" DisplayName = WMI Servicer Description = Auto-Syncs Patches and Hotfixes
  • HKLM\System\CurrentControlSet\Services\sysdrv32 ImagePath = \??\C:\WINDOWS\system32\drivers\sysdrv32.sys DisplayName = Play Port I/O Driver

The following mutex name is used by wmisvr.exe:

  • ScnBx





SUBMIT A SAMPLE

Suspect a file or URL was wrongly detected? Submit a sample to our Labs for analysis

Submit Now

Scan & clean your PC

F-Secure Online Scanner will scan and clean your PC in just a few minutes for free

Learn More