
Backdoor.Win32.Agent.lw

Detected Oct 31 2006 09:42 GMT
Released Oct 31 2006 09:42 GMT
Published Nov 13 2006 13:54 GMT


Technical Details

This Trojan provides a remote malicious user with access to the victim machine. It is a Windows PE EXE file. The size of the backdoor components varies between 8KB and 80KB.

Installation

When launched, the backdoor copies its executable file to the Windows system directory:

%System%\ssclie.exe

The backdoor then extracts a DLL file called stu.dll from its body:

%System%\stu.dll

The DLL file is then loaded into the address space of svchost.exe, and the original Trojan file is deleted.

In order to ensure that the Trojan is launched automatically when the system is rebooted, the Trojan registers its executable file in the system registry:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"system" = "%System%\ssclie.exe"

Payload

This backdoor is created using a generating program called "editor.exe", which is 24 576 bytes in size. The program interface has the following appearance:

The user can enter an IP address in the generator’s main window; commands will be received from this address on a specified port. The user can also enter the name of the system registry autorun parameter and the value to store in it.

When the right-hand button is clicked, the generator copies a file called server.exe to its current folder as setup.exe and writes the data entered by the user, in encrypted form, to the end of this file.

When the generated file is launched on the victim machine, it installs itself and then attempts to connect to the address which was entered when the backdoor was generated. Commands will be received from this address.

The backdoor is managed via a dedicated program. The program’s interface has the following appearance:

A remote malicious user can use the backdoor to:

  • gain full access to files on the user’s hard disk
  • download files to the victim computer
  • launch programs on the victim machine
  • view a list of active processes
  • execute any command on the victim machine

Removal instructions

  1. Use Task Manager to terminate the Trojan process.
  2. Delete the following files:
    %System%\ssclie.exe
    %System%\stu.dll
  3. Delete the following registry value:
    [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
    "system" = "%System%\ssclie.exe"
  4. Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).
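The following PowerShell script is an added example, not part of the Kaspersky description: it audits a Windows host for the installation artifacts listed above (the two dropped files, the "system" Run value and the DLL mapped into svchost.exe) and, when run with -Remove, carries out the file and registry steps of the removal instructions in the order given. The file names, registry value and injection behaviour are taken from the page; the script's name, its -Remove switch and its output layout are this example's own assumptions, as is the decision to hash each file before deleting it so that an incident record survives the cleanup.

```powershell
<#
  Added example, not part of the Kaspersky write-up: audit (and optionally clean)
  a Windows host for the Backdoor.Win32.Agent.lw artifacts listed on the page.
  Assumptions: the file names, registry value and svchost injection are exactly
  as described; the script name, -Remove switch and output shape are this
  example's own. Run from an elevated PowerShell prompt.
#>
[CmdletBinding()]
param(
    [switch]$Remove   # report only unless this switch is given
)

$system       = [Environment]::GetFolderPath('System')     # resolves %System%
$files        = @("$system\ssclie.exe", "$system\stu.dll")
$runKey       = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$runValueName = 'system'

$findings = New-Object System.Collections.Generic.List[object]

# 1. Files on disk (hash them first so the IR record survives deletion)
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) {
        $hash = (Get-FileHash -LiteralPath $f -Algorithm SHA256).Hash
        $findings.Add([pscustomobject]@{ Type = 'File'; Item = $f; Detail = "SHA256=$hash" })
    }
}

# 2. Run-key value "system" pointing at ssclie.exe
$runValue = (Get-ItemProperty -Path $runKey -Name $runValueName -ErrorAction SilentlyContinue).$runValueName
if ($runValue -and $runValue -like '*ssclie.exe*') {
    $findings.Add([pscustomobject]@{ Type = 'Registry'; Item = "$runKey\$runValueName"; Detail = $runValue })
}

# 3. Processes with stu.dll loaded (the page says it is injected into svchost.exe)
foreach ($p in Get-Process -ErrorAction SilentlyContinue) {
    try {
        if ($p.Modules | Where-Object { $_.ModuleName -ieq 'stu.dll' }) {
            $findings.Add([pscustomobject]@{ Type = 'Process'; Item = "$($p.ProcessName) (PID $($p.Id))"; Detail = 'stu.dll loaded' })
        }
    } catch { }   # module enumeration is denied for some processes; that is expected
}

# 4. The dropped executable running under its own name
foreach ($p in Get-Process -Name 'ssclie' -ErrorAction SilentlyContinue) {
    $findings.Add([pscustomobject]@{ Type = 'Process'; Item = "ssclie.exe (PID $($p.Id))"; Detail = 'running' })
}

if ($findings.Count -eq 0) {
    Write-Output 'No Backdoor.Win32.Agent.lw artifacts found.'
    return
}

$findings | Format-Table -AutoSize

if (-not $Remove) {
    Write-Output 'Report only. Re-run with -Remove to clean the host.'
    return
}

# Cleanup, in the same order as the page's removal instructions:
# terminate the process, delete the files, delete the registry value.
Stop-Process -Name 'ssclie' -Force -ErrorAction SilentlyContinue

foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) {
        try {
            Remove-Item -LiteralPath $f -Force -ErrorAction Stop
            Write-Output "Deleted $f"
        } catch {
            # stu.dll stays locked while it is mapped into svchost.exe; do not kill
            # svchost.exe (it hosts legitimate services), reboot and delete instead.
            Write-Warning "Could not delete $f ($($_.Exception.Message)); reboot and re-run."
        }
    }
}

if ($runValue -and $runValue -like '*ssclie.exe*') {
    Remove-ItemProperty -Path $runKey -Name $runValueName -ErrorAction SilentlyContinue
    Write-Output "Removed $runKey\$runValueName"
}

Write-Output 'Done. Follow with a full antivirus scan using updated databases.'
```

Removing the Run value even when stu.dll cannot yet be deleted is deliberate: once ssclie.exe no longer starts at boot, the DLL is not re-injected after a reboot and the locked file can be removed on the second run. The script never terminates svchost.exe itself, since that process hosts legitimate Windows services.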

Backdoor

Backdoors are designed to give malicious users remote control over an infected computer. In terms of functionality, Backdoors are similar to many administration systems designed and distributed by software developers.

These types of malicious programs make it possible to do anything the author wants on the infected computer: send and receive files, launch files or delete them, display messages, delete data, reboot the computer, etc.

The programs in this category are often used in order to unite a group of victim computers and form a botnet or zombie network. This gives malicious users centralized control over an army of infected computers which can then be used for criminal purposes.

There is also a group of Backdoors which are capable of spreading via networks and infecting other computers as Net-Worms do. The difference is that such Backdoors do not spread automatically (as Net-Worms do), but only upon a special “command” from the malicious user that controls them.


Aliases

Backdoor.Win32.Agent.lw (Kaspersky Lab) is also known as:

  • Trojan: Generic BackDoor (McAfee)
  • Mal/Dropper-P (Sophos)
  • Mal/Behav-044 (Sophos)
  • Heuristic.WinPE-Statistical (Panda)
  • W32/Backdoor.QZC (FPROT)
  • W32/BackdoorX.APL (FPROT)
  • Backdoor:Win32/Agent (MS(OneCare))
  • Trojan:Win32/Trafog!rts (MS(OneCare))
  • BackDoor.Clie (DrWeb)
  • unknown NewHeur_PE virus (Nod32)
  • Backdoor.Agent.LW (BitDef7)
  • Backdoor.Generic.43503 (BitDef7)
  • Backdoor.Agent.QTL (VirusBuster)
  • Win32:Trojan-gen (AVAST)
  • Trojan-Dropper.Agent (Ikarus)
  • Win32.SuspectCrc (Ikarus)
  • Backdoor.Agent.CYA (AVG)
  • BackDoor.Agent.CWU (AVG)
  • TR/Spy.Gen (AVIRA)
  • BACKDOOR.Trojan (NAV)
  • W32/Agent.APUU (Norman)
  • W32/Agent.APUT (Norman)
  • Generic Backdoor (NAI)
  • BackDoor.Agent.HUW (Rising)
  • Backdoor.Win32.Agent.lw [AVP] (FSecure)
  • BehavesLike.Win32.Malware (v) (Sunbelt)
  • Trojan.Win32.Generic!BT (Sunbelt)