Internet threat level: 1
Home→Descriptions→Backdoor.Win32.Agobot.xv
Backdoor.Win32.Agobot.xv
| Detected | Feb 07 2005 07:33 GMT |
| Released | Feb 07 2005 07:33 GMT |
Summary
Technical details
File size of 188416 bytes.
Installation
Makes copies of itself with the following names once launched:
- Windows system directory (usually, C:\Windows\System32) %System%\initiate.exe
Creates the following files on an infected computer:
-
Directory for storage of temporary files on Windows OS (usually, C:\Documents and Settings\
\Local Settings\Temp) %Temp%\1693EB53.TMP
Ensures Using the system registry, system services or special system files, the program can launch itself or launch the creation of its files every time the Windows OS is subsequently booted autorun of the following installed files:
by adding values to autorun keys in the system registry:
[ System registry hive HKEY_CURRENT_USERHKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce ] "AppletINIT" = "initiate.exe"
[ System registry hive HKEY_LOCAL_MACHINEHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ] "AppletINIT" = "initiate.exe"
Malicious activity
Receives
After a command from a cybercriminal, the program performs its malicious functions, for example, performing network attacks on internet sites, distributing spam and other malicious programs, or deleting a user's files. Those using this type of malicious program frequently make use of botnets (networks of infected computers which cybercriminals control centrally in order to carry out malicious activities.
Read more details here: http://www.viruslist.com/en/analysis?pubid=204792003remote commands from cybercriminal:
via connection to Receives commands from cybercriminals using IRC (Internet Relay Chat). After the malicious program is launched, it calls a specific IRC server and establishes contact with the cybercriminal, receives commands and passes on messages in responseIRC server
Searches for message windows in order to bypass monitoring and debugging:
| Class: | FileMonClass |
| Class: | RegMonClass |
Connects to to the following Internet addresses:
- ***.94.222.186:2842
Creates unique identifiers to flag its presence in the system
- crizpycrm
Uses the masks shown below to search for files on the victim machine:
- *
Other activities
Runs the following files (commands):
- Windows system directory (usually, C:\Windows\System32) %System%\initiate.exe
Modifies the system registry keys:
[ System registry hive HKEY_LOCAL_MACHINEHKLM\SOFTWARE\Classes\CLSID\{6D571ED6-7381-13D1-B2E4-0060975B8649}\Version ] "(default)" = "1.0"
Deletes the following files on an infected computer:
- <path to source program><file of source program >
Backdoors are designed to give malicious users remote control over an infected computer. In terms of functionality, Backdoors are similar to many administration systems designed and distributed by software developers.
These types of malicious programs make it possible to do anything the author wants on the infected computer: send and receive files, launch files or delete them, display messages, delete data, reboot the computer, etc.
The programs in this category are often used in order to unite a group of victim computers and form a botnet or zombie network. This gives malicious users centralized control over an army of infected computers which can then be used for criminal purposes.
There is also a group of Backdoors which are capable of spreading via networks and infecting other computers as Net-Worms do. The difference is that such Backdoors do not spread automatically (as Net-Worms do), but only upon a special “command” from the malicious user that controls them.
© 1997-2012 Kaspersky Lab ZAO. All Rights Reserved.
Industry-leading Antivirus Software.
Registered trademarks and service marks are the property of their respective owners.