BKDR_AGENT.EAUZ
Trojan.ADH (Symantec); Trojan.Win32.Agent.adwt (Kaspersky); Trojan.Win32.Generic!BT (Sunbelt); Trojan.Generic.1401811 (FSecure)
Windows 2000, Windows XP, Windows Server 2003
Threat Type: Backdoor
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
TECHNICAL DETAILS
File Size: 3,265,079 bytes
File Type: EXE
Memory Resident: Yes
Initial Samples Received Date: 02 Oct 2012
Arrival Details
This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Autostart Technique
This backdoor adds the following registry entry to enable its automatic execution at every system startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
Explorer = "%User Profile%\Application Data\explorer.exe"
Note that the dropped file borrows the name of the Windows shell, explorer.exe, but runs from the user's Application Data folder. The genuine explorer.exe resides in the Windows directory and is not started through the Run key, so any Run value that launches an explorer.exe from outside the Windows directory is suspect.
Other System Modifications
This backdoor adds the following registry keys. The report lists no values under them. Nearly all of them are the registry locations used by commercial game titles and by SnagIt, so on a machine where those products are installed their presence alone is not a reliable indicator; the report does not state why the backdoor creates them.
HKEY_LOCAL_MACHINE\SOFTWARE\THQ\
Frontlines: Fuel of War
HKEY_LOCAL_MACHINE\SOFTWARE\Activision\
Call of Duty 4
HKEY_LOCAL_MACHINE\SOFTWARE\Sunflowers\
Anno 1701
HKEY_LOCAL_MACHINE\Software\Electronic Arts\
EA GAMES\Battlefield 1942
HKEY_LOCAL_MACHINE\Software\Electronic Arts\
EA GAMES\Battlefield 1942 Secret Weapons of WWII
HKEY_LOCAL_MACHINE\Software\Electronic Arts\
EA GAMES\Battlefield 1942 The Road to Rome
HKEY_LOCAL_MACHINE\Software\Electronic Arts\
EA GAMES\Battlefield Vietnam
HKEY_LOCAL_MACHINE\Software\Electronic Arts\
EA GAMES\Battlefield 2 Special Forces
HKEY_LOCAL_MACHINE\Software\Electronic Arts\
EA GAMES\Battlefield 2142
HKEY_LOCAL_MACHINE\Software\Electronic Arts\
EA GAMES\Black and White
HKEY_LOCAL_MACHINE\SOFTWARE\Activision\
Call of Duty
HKEY_LOCAL_MACHINE\SOFTWARE\Activision\
Call of Duty United Offensive
HKEY_LOCAL_MACHINE\SOFTWARE\Activision\
Call of Duty 2
HKEY_LOCAL_MACHINE\Software\Techland\
Chrome
HKEY_LOCAL_MACHINE\SOFTWARE\Electronic Arts\
EA Games\Generals
HKEY_LOCAL_MACHINE\Software\Electronic Arts\
EA GAMES\Command and Conquer Generals Zero Hour
HKEY_LOCAL_MACHINE\SOFTWARE\Westwood\
Red Alert
HKEY_LOCAL_MACHINE\Software\Westwood\
Red Alert 2
HKEY_LOCAL_MACHINE\Software\Westwood\
Tiberian Sun
HKEY_LOCAL_MACHINE\SOFTWARE\Electronic Arts\
Electronic Arts\Command and Conquer 3
HKEY_LOCAL_MACHINE\Software\Electronic Arts\
EA Sports\FIFA 2002
HKEY_LOCAL_MACHINE\Software\Electronic Arts\
EA Sports\FIFA 2003
HKEY_LOCAL_MACHINE\Software\Electronic Arts\
EA Distribution\Freedom Force
HKEY_LOCAL_MACHINE\Software\Electronic Arts\
EA GAMES\Global Operations
HKEY_LOCAL_MACHINE\Software\Illusion Softworks\
Hidden & Dangerous 2
HKEY_CURRENT_USER\Software\JoWooD\
InstalledGames\IG2
HKEY_LOCAL_MACHINE\SOFTWARE\Electronic Arts\
EA Games\James Bond 007 Nightfire
HKEY_CURRENT_USER\Software\3d0\
Status
HKEY_LOCAL_MACHINE\Software\Electronic Arts\
EA GAMES\Medal of Honor Allied Assault
HKEY_LOCAL_MACHINE\Software\Electronic Arts\
EA GAMES\Medal of Honor Allied Assault Breakthrough
HKEY_LOCAL_MACHINE\Software\Electronic Arts\
EA GAMES\Medal of Honor Allied Assault Spearhead
HKEY_LOCAL_MACHINE\Software\Electronic Arts\
EA Sports\Nascar Racing 2002
HKEY_LOCAL_MACHINE\Software\Electronic Arts\
EA Sports\Nascar Racing 2003
HKEY_LOCAL_MACHINE\Software\Red Storm Entertainment\
RAVENSHIELD
HKEY_CURRENT_USER\Software\Silver Style Entertainment\
Soldiers Of Anarchy\Settings
HKEY_CURRENT_USER\Software\Eugen Systems\
The Gladiators
HKEY_LOCAL_MACHINE\Software\Electronic Arts\
Maxis\The Sims
HKEY_LOCAL_MACHINE\Software\Electronic Arts\
Maxis\The Sims Livin' Large
HKEY_LOCAL_MACHINE\Software\Electronic Arts\
Maxis\The Sims House Party
HKEY_LOCAL_MACHINE\SOFTWARE\Electronic Arts\
EA Games\The Sims 2 Family Fun Stuff
HKEY_LOCAL_MACHINE\SOFTWARE\Electronic Arts\
EA Games\The Sims 2 Glamour Life Stuff
HKEY_LOCAL_MACHINE\SOFTWARE\Electronic Arts\
EA Games\The Sims 2 Nightlife
HKEY_LOCAL_MACHINE\SOFTWARE\Electronic Arts\
EA Games\The Sims 2 Pets
HKEY_LOCAL_MACHINE\SOFTWARE\Electronic Arts\
EA Games\The Sims 2 Open for Business
HKEY_LOCAL_MACHINE\SOFTWARE\Electronic Arts\
EA Games\The Sims 2 Seasons
HKEY_LOCAL_MACHINE\SOFTWARE\Electronic Arts\
EA Games\The Sims 2 University
HKEY_LOCAL_MACHINE\Software\TechSmith\
SnagIt\8
HKEY_LOCAL_MACHINE\Software\Electronic Arts\
Battlefield 2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Notepad\DefaultFonts
It adds the following registry entry under one of the keys listed above. The GUID-style value is the most specific host indicator in this report, since the Run entry and the game keys can also be produced by other software:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Notepad\DefaultFonts
Key = "33735612-B90B-4B0D-A16B-A5B4321EC12D"
This report is generated via an automated analysis system.
SOLUTION
Minimum Scan Engine: 9.200
Step 1
For Windows XP and Windows Server 2003 users, before doing any scans, please make sure you disable System Restore to allow full scanning of your computer.
Step 2
Restart in Safe Mode
Step 3
Delete these registry keys
Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.
Note: The game and SnagIt keys below are the same locations those products use for their own settings. Delete such a key only if it is empty or the product is not installed on the system; removing a populated key destroys the legitimate product's configuration.
- In HKEY_LOCAL_MACHINE\SOFTWARE\THQ
- Frontlines: Fuel of War
- In HKEY_LOCAL_MACHINE\SOFTWARE\Activision
- Call of Duty 4
- In HKEY_LOCAL_MACHINE\SOFTWARE\Sunflowers
- Anno 1701
- In HKEY_LOCAL_MACHINE\Software\Electronic Arts\EA GAMES
- Battlefield 1942
- In HKEY_LOCAL_MACHINE\Software\Electronic Arts\EA GAMES
- Battlefield 1942 Secret Weapons of WWII
- In HKEY_LOCAL_MACHINE\Software\Electronic Arts\EA GAMES
- Battlefield 1942 The Road to Rome
- In HKEY_LOCAL_MACHINE\Software\Electronic Arts\EA GAMES
- Battlefield Vietnam
- In HKEY_LOCAL_MACHINE\Software\Electronic Arts\EA GAMES
- Battlefield 2 Special Forces
- In HKEY_LOCAL_MACHINE\Software\Electronic Arts\EA GAMES
- Battlefield 2142
- In HKEY_LOCAL_MACHINE\Software\Electronic Arts\EA GAMES
- Black and White
- In HKEY_LOCAL_MACHINE\SOFTWARE\Activision
- Call of Duty
- In HKEY_LOCAL_MACHINE\SOFTWARE\Activision
- Call of Duty United Offensive
- In HKEY_LOCAL_MACHINE\SOFTWARE\Activision
- Call of Duty 2
- In HKEY_LOCAL_MACHINE\Software\Techland
- Chrome
- In HKEY_LOCAL_MACHINE\SOFTWARE\Electronic Arts\EA Games
- Generals
- In HKEY_LOCAL_MACHINE\Software\Electronic Arts\EA GAMES
- Command and Conquer Generals Zero Hour
- In HKEY_LOCAL_MACHINE\SOFTWARE\Westwood
- Red Alert
- In HKEY_LOCAL_MACHINE\Software\Westwood
- Red Alert 2
- In HKEY_LOCAL_MACHINE\Software\Westwood
- Tiberian Sun
- In HKEY_LOCAL_MACHINE\SOFTWARE\Electronic Arts\Electronic Arts
- Command and Conquer 3
- In HKEY_LOCAL_MACHINE\Software\Electronic Arts\EA Sports
- FIFA 2002
- In HKEY_LOCAL_MACHINE\Software\Electronic Arts\EA Sports
- FIFA 2003
- In HKEY_LOCAL_MACHINE\Software\Electronic Arts\EA Distribution
- Freedom Force
- In HKEY_LOCAL_MACHINE\Software\Electronic Arts\EA GAMES
- Global Operations
- In HKEY_LOCAL_MACHINE\Software\Illusion Softworks
- Hidden & Dangerous 2
- In HKEY_CURRENT_USER\Software\JoWooD\InstalledGames
- IG2
- In HKEY_LOCAL_MACHINE\SOFTWARE\Electronic Arts\EA Games
- James Bond 007 Nightfire
- In HKEY_CURRENT_USER\Software\3d0
- Status
- In HKEY_LOCAL_MACHINE\Software\Electronic Arts\EA GAMES
- Medal of Honor Allied Assault
- In HKEY_LOCAL_MACHINE\Software\Electronic Arts\EA GAMES
- Medal of Honor Allied Assault Breakthrough
- In HKEY_LOCAL_MACHINE\Software\Electronic Arts\EA GAMES
- Medal of Honor Allied Assault Spearhead
- In HKEY_LOCAL_MACHINE\Software\Electronic Arts\EA Sports
- Nascar Racing 2002
- In HKEY_LOCAL_MACHINE\Software\Electronic Arts\EA Sports
- Nascar Racing 2003
- In HKEY_LOCAL_MACHINE\Software\Red Storm Entertainment
- RAVENSHIELD
- In HKEY_CURRENT_USER\Software\Silver Style Entertainment\Soldiers Of Anarchy
- Settings
- In HKEY_CURRENT_USER\Software\Eugen Systems
- The Gladiators
- In HKEY_LOCAL_MACHINE\Software\Electronic Arts\Maxis
- The Sims
- In HKEY_LOCAL_MACHINE\Software\Electronic Arts\Maxis
- The Sims Livin' Large
- In HKEY_LOCAL_MACHINE\Software\Electronic Arts\Maxis
- The Sims House Party
- In HKEY_LOCAL_MACHINE\SOFTWARE\Electronic Arts\EA Games
- The Sims 2 Family Fun Stuff
- In HKEY_LOCAL_MACHINE\SOFTWARE\Electronic Arts\EA Games
- The Sims 2 Glamour Life Stuff
- In HKEY_LOCAL_MACHINE\SOFTWARE\Electronic Arts\EA Games
- The Sims 2 Nightlife
- In HKEY_LOCAL_MACHINE\SOFTWARE\Electronic Arts\EA Games
- The Sims 2 Pets
- In HKEY_LOCAL_MACHINE\SOFTWARE\Electronic Arts\EA Games
- The Sims 2 Open for Business
- In HKEY_LOCAL_MACHINE\SOFTWARE\Electronic Arts\EA Games
- The Sims 2 Seasons
- In HKEY_LOCAL_MACHINE\SOFTWARE\Electronic Arts\EA Games
- The Sims 2 University
- In HKEY_LOCAL_MACHINE\Software\TechSmith\SnagIt
- 8
- In HKEY_LOCAL_MACHINE\Software\Electronic Arts
- Battlefield 2
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Notepad
- DefaultFonts
Step 4
Delete these registry values
Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- Explorer = "%User Profile%\Application Data\explorer.exe"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Notepad\DefaultFonts
- Key = "33735612-B90B-4B0D-A16B-A5B4321EC12D"
Step 5
Restart in normal mode and scan your computer with your Trend Micro product for files detected as BKDR_AGENT.EAUZ. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.
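The following PowerShell script is an added triage aid, not Trend Micro's tooling or part of the original report. It checks a host for the indicators listed above (the Run entry, the dropped explorer.exe, the GUID marker value, and a representative subset of the game keys) and, only when run with -Remove, deletes what it found, which covers Steps 3 and 4 above. It assumes the report's %User Profile%\Application Data placeholder resolves to the current user's %APPDATA% folder on a 32-bit Windows XP/2003 system, and it treats a game key as malware-created only when it is completely empty, so a real installation of the same title is left untouched. Run it from Safe Mode (Step 2), because the backdoor is memory resident and may otherwise recreate its entries.

```powershell
# Added triage script for the BKDR_AGENT.EAUZ indicators on this page.
# Not part of the original report; assumptions are noted inline.
# Report-only by default; pass -Remove to delete confirmed findings.
param([switch]$Remove)

$Findings = @()

# 1. Autostart. The real Windows shell is never launched through the Run key,
#    so a Run value that starts explorer.exe from anywhere outside
#    %SystemRoot% is the persistence entry described in the report.
$RunKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$Run = Get-ItemProperty -Path $RunKey -ErrorAction SilentlyContinue
if ($Run -and $Run.PSObject.Properties['Explorer']) {
    $Cmd = [Environment]::ExpandEnvironmentVariables($Run.Explorer).Trim('"')
    if ($Cmd -match 'explorer\.exe' -and $Cmd -notlike "$env:SystemRoot\*") {
        $Findings += "Run value 'Explorer' launches $Cmd"
        if ($Remove) { Remove-ItemProperty -Path $RunKey -Name 'Explorer' }
    }
}

# 2. Dropped file. Assumption: the report's %User Profile%\Application Data
#    placeholder is %APPDATA% for the logged-on user (true on XP/2003).
$Dropped = Join-Path $env:APPDATA 'explorer.exe'
if (Test-Path -LiteralPath $Dropped) {
    $Findings += "Dropped file present: $Dropped"
    if ($Remove) { Remove-Item -LiteralPath $Dropped -Force }
}

# 3. GUID marker value under Notepad\DefaultFonts, the most specific
#    indicator in the report. Compared exactly to the value it lists.
$MarkerKey = 'HKLM:\SOFTWARE\Microsoft\Notepad\DefaultFonts'
$Marker = Get-ItemProperty -Path $MarkerKey -Name 'Key' -ErrorAction SilentlyContinue
if ($Marker -and $Marker.Key -eq '33735612-B90B-4B0D-A16B-A5B4321EC12D') {
    $Findings += "Marker value present: $MarkerKey\Key"
    if ($Remove) { Remove-Item -Path $MarkerKey -Recurse -Force }
}

# 4. Game-title keys. The backdoor creates them with no values; a genuine
#    install of the same product stores values under them. Only keys with
#    zero values and zero subkeys are reported or removed, so a legitimate
#    installation is left alone. This is a representative subset; extend it
#    with the remaining keys from Step 3 of the Solution as needed.
#    Assumption: 32-bit Windows, so no Wow6432Node redirection applies.
$GameKeys = @(
    'HKLM:\SOFTWARE\THQ\Frontlines: Fuel of War',
    'HKLM:\SOFTWARE\Activision\Call of Duty 4',
    'HKLM:\SOFTWARE\Sunflowers\Anno 1701',
    'HKLM:\SOFTWARE\Electronic Arts\EA GAMES\Battlefield 1942',
    'HKLM:\SOFTWARE\Electronic Arts\EA GAMES\Battlefield 2142',
    'HKLM:\SOFTWARE\Westwood\Red Alert 2',
    'HKLM:\SOFTWARE\Electronic Arts\Maxis\The Sims',
    'HKLM:\SOFTWARE\TechSmith\SnagIt\8',
    'HKLM:\SOFTWARE\Electronic Arts\Battlefield 2',
    'HKCU:\Software\JoWooD\InstalledGames\IG2',
    'HKCU:\Software\3d0\Status',
    'HKCU:\Software\Eugen Systems\The Gladiators'
)
foreach ($Key in $GameKeys) {
    # -LiteralPath because some key names contain characters such as ':'.
    if (-not (Test-Path -LiteralPath $Key)) { continue }
    $Item = Get-Item -LiteralPath $Key
    if ($Item.ValueCount -eq 0 -and $Item.SubKeyCount -eq 0) {
        $Findings += "Empty key, consistent with malware creation: $Key"
        if ($Remove) { Remove-Item -LiteralPath $Key }
    }
}

if ($Findings.Count -eq 0) { 'No BKDR_AGENT.EAUZ indicators found.' }
else { $Findings }
```

Run it once without -Remove and review the output before running it with -Remove; a populated game key is deliberately never reported, so if Step 3 lists a key that the script stays silent on, that key holds real settings and should be inspected by hand rather than deleted.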