Backdoor.Win32.Agobot.aby

Technical Details

This Trojan provides a remote malicious user with remote access to the victim machine. The program is managed via IRC.

The Trojan itself is a Windows PE EXE file approximately 224KB in size, written in Visual C++. It is packed using ASProtect.

Installation

When installing, the backdoor copies itself to the Windows system directory as “mouseutils.exe”:

%System%\mouseutils.exe

It then registers this file in the system registry, ensuring that the Trojan file will be run each time Windows is rebooted on the victim machine.

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
[HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices]
[HKCU\Software\Microsoft\OLE]
"Windows Mouse Utilities" = "mouseutils.exe"

The program also modifies the following system registry values:

[HKLM\Software\Microsoft\Ole]
"EnableDCOM" = "N" 
[HKLM\System\CurrentControlSet\Control\Lsa]
"restrictanonymous" = "dword:00000001" 

Payload

The Trojan connects with a range of IRC servers to receive commands from the remote malicious user. Commands are very varied, and can be used to gain full control over the system, to conduct attacks on other computers, download files etc.

Additionally, the backdoor can:

• monitor networks for interesting packets (e.g. those containing FTP server passwords etc)
• scan networks for machines with unpatched common vulnerabilities (RPC DCOM, LSASS, WebDAV etc), and machines with weak passwords or open network resources
• copy and launch itself on vulnerable machines
• download and run files on the victim machine
• delete files
• conduct DoS attacks
• send the remote malicious user information about the infected system, received using a key logger, including passwords for a range of computer games, email addresses and other confidential information
• execute a range of commands on the victim machine
• launch a proxy server on the victim machine