BKDR_AGENT.ZXSQ
Platform: Windows 2000, XP, Server 2003
Threat Type: Backdoor
Destructiveness: No
Encrypted: Yes
In the wild: Yes
OVERVIEW
This backdoor opens a random port to allow a remote user to connect to the affected system. Once a successful connection is established, the remote user executes commands on the affected system.
TECHNICAL DETAILS
File Size: 10,756 bytes
File Type: PE
Memory Resident: Yes
Initial Samples Received Date: 17 Nov 2010
Other System Modifications
This backdoor adds the following registry keys:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ccEvtMgr
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ccPwdSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ccPxySvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NISUM
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SymEvent
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SYMTDI
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VFILT
It adds the following registry entries as part of its installation routine:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dll\OpenWithProgids
dllfile =
It creates the following registry entry to bypass Windows Firewall:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
%System%\rundll32.exe = %System%\rundll32.exe:*:Enabled:rundll32
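The registry artifacts above are the host-based indicators a responder can check for directly. The following PowerShell script is an added example, not Trend Micro's code or a detection the page provides: the key names and the rundll32 firewall value come from this page, while the variable names, the table output and the filtering logic are this example's own. It assumes a Windows host with PowerShell available, and it reports rather than declares an infection, because several of the listed service names (ccEvtMgr, ccPwdSvc, SymEvent, SYMTDI) also belong to legitimate Symantec products, so an analyst should look at the ImagePath it prints before drawing a conclusion.

```powershell
# Added example: enumerate the registry artifacts listed on this page.
# Key paths and the rundll32 firewall value are from the page; everything
# else (variable names, output shape) is this example's own construction.

$ServiceNames = @('ccEvtMgr', 'ccPwdSvc', 'ccPxySvc', 'NISUM', 'SymEvent', 'SYMTDI', 'VFILT')
$ServicesRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$FirewallKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
$OpenWithKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dll\OpenWithProgids'

$findings = @()

# 1. Service keys: report the binary each one points at, since the same
#    names are used by legitimate security software on some hosts.
foreach ($name in $ServiceNames) {
    $path = Join-Path $ServicesRoot $name
    if (Test-Path $path) {
        $props = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
        $findings += [pscustomobject]@{
            Artifact = "Service key $name"
            Location = $path
            Detail   = $props.ImagePath
        }
    }
}

# 2. Firewall exception: the page lists "%System%\rundll32.exe = ...:*:Enabled:rundll32".
#    Get-ItemProperty also returns PS* provider properties, so filter on the value name.
if (Test-Path $FirewallKey) {
    $list = Get-ItemProperty -Path $FirewallKey
    foreach ($p in $list.PSObject.Properties) {
        if ($p.Name -like '*rundll32.exe' -and "$($p.Value)" -match ':\*:Enabled:') {
            $findings += [pscustomobject]@{
                Artifact = 'Firewall exception for rundll32'
                Location = $FirewallKey
                Detail   = "$($p.Name) = $($p.Value)"
            }
        }
    }
}

# 3. OpenWithProgids entry "dllfile" under the .dll extension.
if (Test-Path $OpenWithKey) {
    $ow = Get-ItemProperty -Path $OpenWithKey
    if ($ow.PSObject.Properties.Name -contains 'dllfile') {
        $findings += [pscustomobject]@{
            Artifact = 'OpenWithProgids entry'
            Location = $OpenWithKey
            Detail   = 'dllfile'
        }
    }
}

if ($findings.Count -eq 0) {
    'None of the listed registry artifacts are present.'
} else {
    $findings | Format-Table -AutoSize
}
```

Run it in an elevated session so HKLM service keys are readable; the firewall exception for rundll32 is the most specific of the three indicators, because a legitimate install rarely needs a standing inbound exception for rundll32.exe.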
Backdoor Routine
This backdoor opens a random port to allow a remote user to connect to the affected system. Once a successful connection is established, the remote user executes commands on the affected system.