Agent.AGW

Technical Details

Agent.AGW is a backdoor program that allows control over a victim's computers remotely by sending specific commands via IRC channels. This backdoor can also steal data, spread to a local network, and to computers vulnerable to exploits.

Upon execution, it drops the following files:

• %WinDir%\lsass.exe- a copy of itself.
• %SysDir%\rdriv.sys- a trojan rootkit used to hide its presence on the machine. This is now detected as Rootkit.Win32.Agent.p.

Note: %WinDir%" represents the Windows root directory and "%SysDir%" represents the Windows System directory.

It installs itself as a service by creating the following registry keys:

• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lsass]
• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rdriv]

It installs itself as a service by creating the following registry keys:

• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lsass]

It creates the following registry entries to lower the system's security settings:

• [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]UpdatesDisableNotify = "dword:00000000"AntiVirusDisableNotify = "dword:00000000"FirewallDisableNotify = "dword:0000000"AntiVirusOverride = "dword:00000000"FirewallOverride = "dword:00000000"
• [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]DoNotAllowXPSP2 = dword:00000001
• [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]EnableFirewall = "dword:00000000"
• [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]EnableFirewall = "dword:00000000"

It creates the following registry entries to disable Administrative Shares in NT4.0 Server and Workstation:

• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters]AutoShareWks = "dword:00000000"AutoShareServer = "dword:00000000"
• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters]AutoShareWks = "dword:00000000"AutoShareServer = "dword:00000000"

Agent.AGW also modifies the following registry entries to disable and restrict anonymous access and DCOM network binding:

• [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]EnableDCOM = "N"

Note: the default value is EnableDCOM = "Y".

• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]restrictanonymous = "dword:00000001"

Note: The default value for restrictanonymous is user dependent.

Agent.AGW also disables automatic update of Service Pack 2 in Windows XP by changing the following registry entry:

• [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]DoNotAllowXPSP2 = "1"

Note: The default value for DoNotAllowXPSP2 = "0".

It modifies the following regsitry entry to shorten the waiting time for services to stop after service notification of system Shutdown:

• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control]WaitToKillServiceTimeout= "7000"

Note: This is equivalent to 7 seconds. The default value is WaitToKillServiceTimeout= "20000", which is equivalent to 20 seconds.

It also disables the Messenger, Remote Registry, Security Center, and Telnet services respectively by modifiying the following regsitry entries:

• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Messenger]Start = "dword:00000004"

Note: Default value is Start = "dword:00000002".

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry]Start = "dword:00000004"

Note: Default value for Start = "dword:00000002".

• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\wscsvc]Start = "dword:00000004"

Note: Default value is Start = "dword:00000002".

• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr]Start = "dword:00000004"

Note: Default value is Start = "dword:00000003".

Agent.AGW attempts to connect to the following IRC server:

• bla.girlsontheblock.com

It attempts to join the following IRC channels:

• #na-e
• #na-s

Once successfully connected, a hacker can send commands to the bots on the IRC channel to control the infected computer. It has the ability to do the following:

• Display System Information
• Download and Upload a File
• List current processes
• Scan for Files
• Execute a file
• Perform denial of service attack
• Steal user information and log keyboard and mouse events
• Send copies using different IM applications
• Visit websites
• Enumerate remote shares
• Scan and exploit computers vulnerable to exploits

When spreading, the bot can exploit the following vulnerabilities:

• Vulnerability in Plug and Play Could Allow Remote Code Execution and Elevation of Privilege (MS05-039) port 445
• Vulnerability in Server Service Could Allow Remote Code Execution (MS06-040) port 139

It uses the following user accounts:

• administrator
• admin

- to connect to the target machine's hidden shares:

• Admin$
• ipc$

- by using the following list of weak passwords:

• 12345
• 123456
• 654321
• admin
• asdfgh
• server

It also tries to steal usernames and passwords from the following known applications:

• MSN Hotmail
• Outlook Express
• PayPal