
Backdoor.Win32.Agent.px

Detected Jan 03 2006 15:42 GMT
Released Jan 03 2006 17:42 GMT
Published Feb 27 2006 17:30 GMT

Technical Details

This Trojan program makes it possible to control a remote machine. The Trojan itself is a Windows PE EXE file, written in Delphi and packed using Aspack. The file is 418304 bytes in size.

Installation

Once launched, the backdoor copies itself to the Windows root directory as G_Server.exe:

%Windir%\G_Server.exe

It also creates the following files in the Windows root directory:

%Windir%\G_ServerKey.dll (38912 bytes)
%Windir%\G_Server.dll (372736 bytes)
%Windir%\G_Server_HOOk.dll (61440 bytes)

G_Server.exe, G_ServerKey.dll and G_Server.dll all have the following attributes: hidden, system, and read only.

G_ServerKey.dll will be detected by Kaspersky Anti-Virus as Backdoor.Win32.Hupigon.mk. G_Server_HOOk.dll and G_Server.dll will be detected as Backdoor.Win32.Hupigon.lk.

The backdoor registers a service named GrayPigeonServer in the system registry and sets it to start automatically (Start = "dword:00000002").

To do this, it creates the following keys in the system registry:

Windows NT, 2000, XP and Server 2003:

[HKLM\System\CurrentControlSet\Services\GrayPigeonServer]
 "DisplayName"="Gray_Pigeon_Server"
 "ErrorControl"="dword:00000000"
 "ImagePath"="%windir%\G_Server.exe"
 "ObjectName"="LocalSystem"
 "Start"="dword:00000002"
 "Type"="dword:00000272"

[HKLM\System\CurrentControlSet\Services\GrayPigeonServer\Enum]
 "0"="Root\LEGACY_GRAYPIGEONSERVER\0000"
 "Count"="dword:00000001"
 "NextInstance"="dword:00000001"

[HKLM\System\CurrentControlSet\Services\GrayPigeonServer\]
 "Security"="01 00 14 80 90 00 00 00 9c 00 00 00 14..."

[HKLM\System\CurrentControlSet\Root\LEGACY_GRAYPIGEONSERVER]
 "NextInstance"="dword:00000001"

[HKLM\System\CurrentControlSet\Root\LEGACY_GRAYPIGEONSERVER\0000]
 "Class"="LegacyDriver"
 "ClassGUID"="{8EECC055D-057F-11D1-A537-0000F8753ED1}"
 "ConfigFlags"="dword:00000000"
 "DeviceDesc"="Gray_Pigeon_Server"
 "Legacy"="dword:00000001"
 "Service"="GrayPigeonServer"

Windows 98, ME:

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
 "G_Server.exe"="%windir%\G_Server.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
 "G_Server.exe"="%windir%\G_Server.exe"
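As an added example (not part of the original description), the following Python script parses a .reg-style listing like the one above and flags the persistence described here: a service whose ImagePath is %windir%\G_Server.exe with Start = 2 (auto-start), and Run entries pointing at the same file. The sample export is constructed and includes a benign service so the filter has something to ignore.

```python
import re

# Constructed .reg-style excerpt modelled on the keys listed above, plus one
# benign service (Spooler) that the filter must ignore.
SAMPLE_REG = r"""[HKLM\System\CurrentControlSet\Services\GrayPigeonServer]
 "ImagePath"="%windir%\G_Server.exe"
 "Start"="dword:00000002"
[HKLM\System\CurrentControlSet\Services\Spooler]
 "ImagePath"="%SystemRoot%\System32\spoolsv.exe"
 "Start"="dword:00000002"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
 "G_Server.exe"="%windir%\G_Server.exe"
"""

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"([^"]+)"="([^"]*)"$')
# The dropped executable named in the description, in the Windows root directory.
IMAGE_RE = re.compile(r'^%(windir|systemroot)%\\G_Server\.exe$', re.IGNORECASE)

def parse_reg(text):
    """Return {key_path: {value_name: data}} for a flat .reg-style listing."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        key = KEY_RE.match(line)
        if key:
            current = keys.setdefault(key.group(1), {})
            continue
        value = VALUE_RE.match(line)
        if value and current is not None:
            current[value.group(1)] = value.group(2)
    return keys

def dword(data):
    """Decode 'dword:0000000N' to an int; None if the data is not a dword."""
    return int(data.split(':', 1)[1], 16) if data.lower().startswith('dword:') else None

def find_indicators(keys):
    """Return (key_path, kind, detail) for services and Run entries pointing at G_Server.exe."""
    hits = []
    for path, values in keys.items():
        lower = path.lower()
        if '\\services\\' in lower and IMAGE_RE.match(values.get('ImagePath', '')):
            start = dword(values.get('Start', ''))  # 2 = SERVICE_AUTO_START
            hits.append((path, 'service', 'auto-start' if start == 2 else f'start={start}'))
        elif lower.endswith('\\currentversion\\run'):
            hits.extend((path, 'run', name) for name, data in values.items()
                        if IMAGE_RE.match(data))
    return hits
```

On a live system the same functions can be run over the output of `reg export` for the HKLM\System and HKCU hives.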


Payload

The Trojan uses rootkit technology to hide its processes in the system. It modifies the memory of active processes so that they call its malicious functions; as a result, the Trojan's executable code does not appear as a separate entry in the task list.

Once launched, the Trojan starts the GrayPigeonServer service which it installed. It then infects IEXPLORER.EXE: it opens the process with full privileges, writes its data into the process's address space and links in functions from G_Server_HOOk.dll and G_ServerKey.dll. IEXPLORER.EXE then infects all other active processes. G_Server.exe stops running and deletes the original copy of itself.

The backdoor creates the following unique identifiers to flag its presence in the system:

Gpigeon5_Shared_2005
Gpigeon5_Shared_HIDE (for G_Server_HOOk.dll library)

IEXPLORER.EXE attempts to connect to vip.***gezi.com:8004 to obtain parameters for future downloads and for opening a range of ports. This gives a remote user access to the victim machine.


Removal instructions

  • Reboot Windows in Safe Mode (during the Windows boot sequence press F8 and choose Safe Mode).
  • Delete the following files:
    %Windir%\G_Server.exe
    %Windir%\G_ServerKey.dll
    %Windir%\G_Server.dll
    %Windir%\G_Server_HOOk.dll
  • Delete the following system registry entries:
    [HKLM\SYSTEM\CurrentControlSet\Services\GrayPigeonServer]
    [HKLM\SYSTEM\CurrentControlSet\Root\LEGACY_GRAYPIGEONSERVER]
  • Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).

Backdoor

Backdoors are designed to give malicious users remote control over an infected computer. In terms of functionality, Backdoors are similar to many administration systems designed and distributed by software developers.

These types of malicious programs make it possible to do anything the author wants on the infected computer: send and receive files, launch files or delete them, display messages, delete data, reboot the computer, etc.

The programs in this category are often used in order to unite a group of victim computers and form a botnet or zombie network. This gives malicious users centralized control over an army of infected computers which can then be used for criminal purposes.

There is also a group of Backdoors which are capable of spreading via networks and infecting other computers as Net-Worms do. The difference is that such Backdoors do not spread automatically (as Net-Worms do), but only upon a special “command” from the malicious user that controls them.



Aliases

Backdoor.Win32.Agent.px (Kaspersky Lab) is also known as:

  • Backdoor.Win32.Hupigon.nh (Kaspersky Lab)
  • Virus: W32/Shellot.worm.gen (McAfee)
  • Troj/Shellot-D (Sophos)
  • W32/Shellot-Gen (Sophos)
  • Heuristic.WinPE-Statistical (Panda)
  • Trj/Spamer.C (Panda)
  • W32/BackdoorX.QBG (FPROT)
  • W32/BackdoorX.GGY (FPROT)
  • W32/Backdoor.ION (FPROT)
  • W32/Backdoor.IKF (FPROT)
  • Backdoor:Win32/Agent (MS(OneCare))
  • BackDoor.Shellbot (DrWeb)
  • Trojan.DownLoader.5067 (DrWeb)
  • Win32/Agent.PX trojan (Nod32)
  • Backdoor.Agent.PX (BitDef7)
  • Backdoor.Agent.HPQL (VirusBuster)
  • Backdoor.Agent.bxh (VirusBuster)
  • Backdoor.Agent.hcp (VirusBuster)
  • Win32:Trojan-gen (AVAST)
  • Win32:Trojano-1320 [Trj] (AVAST)
  • Win32.SuspectCrc (Ikarus)
  • BackDoor.Agent.ALW (AVG)
  • Backdoor.Agent.doo (AVG)
  • BackDoor.Agent.OZ (AVG)
  • Backdoor.Agent.bqo (AVG)
  • BDS/Agent.IW (AVIRA)
  • BDS/Agent.px.6 (AVIRA)
  • Backdoor.Shellbot (NAV)
  • W32/Malware.AAE (Norman)
  • W32/Agent.VGF (Norman)
  • W32/Smalldoor.GUN (Norman)
  • W32/Agent.LDJ (Norman)
  • W32/Shellot.worm.gen (NAI)
  • BKDR_Generic.Z (PCCIL)
  • BKDR_Generic (PCCIL)
  • BackDoor.Agent.ALM (Rising)
  • Backdoor.Win32.Agent.px [AVP] (FSecure)
  • BKDR_Generic (TrendMicro)
  • Trojan.Agent.ADY (Sunbelt)
  • Trojan.Win32.Generic!BT (Sunbelt)