1. Skip to navigation
  2. Skip to content
  3. Skip to secondary-content




Backdoor:W32/Agent.ADQB

Name : Backdoor:W32/Agent.ADQB
Detection Names : backdoor.win32.agent.adqb
Aliases : Backdoor.IRC.Bot (Symantec)
W32/Sdbot.worm.gen.h (McAfee)
Backdoor:Win32/IRCBot.gen!K (Microsoft)
Category:Malware
Type:Backdoor
Platform:W32

Summary

A remote administration utility which bypasses normal security mechanisms to secretly control a program, computer or network.

Additional Details

This backdoor program attempts to connect to a remote IRC server. It also attempts a Denial-of-Service (DoS) exploit on any machines it finds with an open Microsoft-ds (Directory Service) port.

Installation
During installation, the following files are created:
  •  %windir%\system\wmisvr.exe - Copy of the backdoor
  • %windir%\system32\drivers\sysdrv32.sys - Detected as Worm.Win32.AutoRun.ezt

Activity
While active, the backdoor attempts to connect to a remote IRC server:
  •  sec.republicofskorea.info:8084/TCP

The backdoor also iterates the IP address and looks for available systems with an open Microsoft-ds port (specifically, tcp 445).  If a vulnerable machine is discovered, the backdoor breaches the targeted machine's Windows Firewall, a form of Denial-of-Service (DoS) exploit similar to the notorious MS04-011 vulnerability.
To protect the backdoor, the WMISRV Service is stopped when the debugger program Ollydbg is launched; this protective action makes the debugging process more difficult.

Registry
The backdoor edits the Windows Firewall Policy, to allow it to function as an authorized application.
  •  HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
       C:\WINDOWS\system\wmisvr.exe = C:\WINDOWS\system\wmisvr.exe:*:Microsoft Enabled

It also sets two malware launch points as services:
  •  HKLM\System\CurrentControlSet\Services\WMISRV
        ImagePath = "C:\WINDOWS\system\wmisvr.exe"
        DisplayName = WMI Servicer
        Description = Auto-Syncs Patches and Hotfixes
  •  HKLM\System\CurrentControlSet\Services\sysdrv32
        ImagePath = \??\C:\WINDOWS\system32\drivers\sysdrv32.sys
        DisplayName = Play Port I/O Driver

The following mutex name is used by wmisvr.exe:
  •  ScnBx