BKDR_AGENT.ZXSQ
Windows 2000, XP, Server 2003
Threat Type: Backdoor
Destructiveness: No
Encrypted: Yes
In the wild: Yes
OVERVIEW
This backdoor opens a random port to allow a remote user to connect to the affected system. Once a successful connection is established, the remote user executes commands on the affected system.
TECHNICAL DETAILS
Other System Modifications
This backdoor adds the following registry keys:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ccEvtMgr
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ccPwdSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ccPxySvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NISUM
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SymEvent
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SYMTDI
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VFILT
It adds the following registry entries as part of its installation routine:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dll\OpenWithProgids
dllfile =
It creates the following registry entry to bypass Windows Firewall:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
%System%\rundll32.exe = %System%\rundll32.exe:*:Enabled:rundll32
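The registry changes above can be checked offline against a registry export. The following is an added example (not Trend Micro's code or the page's own), which scans a constructed .reg-style export for the service keys listed above and for any AuthorizedApplications entry in the `path:scope:Enabled:name` form that whitelists rundll32.exe; the sample export, its service values and the firewall list contents are constructed for illustration.

```python
"""Scan a .reg-style export for the indicators listed on this page (added example)."""

SERVICES_ROOT = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"
# Service keys the page says the backdoor adds under CurrentControlSet\Services.
SERVICE_NAMES = {"ccEvtMgr", "ccPwdSvc", "ccPxySvc", "NISUM", "SymEvent", "SYMTDI", "VFILT"}
FW_LIST_KEY = (SERVICES_ROOT + r"\SharedAccess\Parameters\FirewallPolicy"
               r"\StandardProfile\AuthorizedApplications\List")

# Constructed sample export (not a real capture); a benign Messenger exception is
# included so the check has something it must NOT flag.
SAMPLE_EXPORT = r'''
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ccEvtMgr]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp]
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\rundll32.exe"="C:\\WINDOWS\\system32\\rundll32.exe:*:Enabled:rundll32"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
'''


def parse_reg_export(text):
    """Minimal .reg parser: {key_path: {value_name: data}}; handles quoted strings and dword lines."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current and "=" in line:
            name, data = line.split("=", 1)
            unescape = lambda s: s.strip().strip('"').replace("\\\\", "\\")
            keys[current][unescape(name)] = unescape(data)
    return keys


def parse_fw_entry(data):
    """Split 'path:scope:state:name' (the AuthorizedApplications format shown on this page).
    The path itself contains a drive colon, so split from the right on the last three."""
    parts = data.rsplit(":", 3)
    return tuple(parts) if len(parts) == 4 else None


def find_indicators(keys):
    """Return (kind, name) tuples for matching service keys and rundll32 firewall exceptions."""
    hits = []
    for key, values in keys.items():
        parent, _, leaf = key.rpartition("\\")
        if parent.lower() == SERVICES_ROOT.lower() and leaf in SERVICE_NAMES:
            hits.append(("service", leaf))
        if key.lower() != FW_LIST_KEY.lower():
            continue
        for name, data in values.items():
            entry = parse_fw_entry(data)
            # Flag any enabled exception whose authorized program is rundll32.exe.
            if entry and entry[2].lower() == "enabled" and entry[0].lower().endswith("\\rundll32.exe"):
                hits.append(("firewall-exception", name))
    return hits
```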
Backdoor Routine
This backdoor opens a random port to allow a remote user to connect to the affected system. Once a successful connection is established, the remote user executes commands on the affected system.