BKDR_AGENTT.S

This backdoor may be dropped by other malware.

It connects to certain websites to send and receive information.

Arrival Details

This backdoor may be dropped by the following malware:

• TROJ_ARTIEF.AE

Installation

This backdoor drops the following files:

• %Windows%\wdmaud.drv - also detected as BKDR_AGENTT.S
• %Windows%\netv.dat - dump of net view command. This file will be deleted by the malware after execution
• %Windows%\ipcon.dat - dump of ipconfig command. This file will be deleted by the malware after execution

(Note: %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT.)

Its DLL component is injected to the following process(es):

• Explorer.exe

It adds the following mutexes to ensure that only one of its copies runs at any one time:

• my_horse_mutex_jd2_new

Other Details

This backdoor connects to the following website to send and receive information:

• http://www.{BLOCKED}bit.com/ko/upload.apsx?filename={MAC Address}_{IP address}.jpg
• http://www.{BLOCKED}bit.com/ko/upload.apsx?filename={value}&filename={MAC Address}_{IP address}.jpg
• http://www.{BLOCKED}bit.com/ko/order/{MAC Address}_{IP address}.jpg

NOTES:

It steals the following information from the affected system:

• Address book contents
• Computer name
• Computers in the current domain
• Email user names and passwords
• IP Configuration
• Language
• Proxy server
• Running processes
• System directory
• System version
• User name

It emails the stolen information to the following addresses:

• {BLOCKED}tmail002@aol.com
• {BLOCKED}md009@aol.com
• {BLOCKED}ero009@aol.com

It can perform the following routine:

• Download other files
• Execute cmd commands

It uses the following custom User-Agent for its communication with the remote URLs:

• MyAgent
• mydownload