Backdoor.Win32.Agent.amps
| Detected | Nov 09 2009 10:12 GMT |
| Released | Nov 09 2009 14:40 GMT |
| Published | Mar 15 2011 13:51 GMT |
This malicious program provides a malicious user with remote access to the infected computer. It is a Windows application (PE EXE file) and is 40 448 bytes in size. It is written in C++.
Once launched, the backdoor calls the function "GetSystemDefaultLCID" to obtain the identifier of the locale (group of national settings) that the operating system uses by default. If the value obtained corresponds to one of the following locales:
- Yakut
- Armenian
- Azeri
- Bashkir
- Belarusian
- Divehi
- Kazakh
- Kyrgyz
- Tatar
- Ukrainian
- Uzbek
- Russian

the backdoor ceases running. In this case, the original backdoor file will be deleted the next time the system is rebooted.
Otherwise, the backdoor performs the following actions. It extracts the following libraries into the Windows system directory:
- %System%\mscert.dll (35 840 bytes; detected by Kaspersky Anti-Virus as "Backdoor.Win32.Agent.amps")
- %System%\kbdnet.dll (30 208 bytes; detected by Kaspersky Anti-Virus as "Backdoor.Win32.Agent.amos")

It then creates the following registry values:
- [HKLM\System\CurrentControlSet\Control\Session Manager\AppCertDlls] "AppSecDll" = "%System%\mscert.dll"
- [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows] "AppInit_DLLs" = "%System%\kbdnet.dll"
- [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows] "LoadAppInit_DLLs" = "1"

Thereby, the libraries extracted by the Trojan will be injected into the address spaces of all processes launched in the system.
The backdoor then ceases running. The original backdoor file will be deleted the next time the system is rebooted.
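As an added example (a defender's check, not code from this description), the following PowerShell script audits the two persistence locations named above, flags the two file names this description lists, and reports any listed DLL that is missing or lacks a valid Authenticode signature. It assumes that a bare file name in AppInit_DLLs resolves to %SystemRoot%\System32; the function and variable names are the example's own.

```powershell
# Added defender-side check, not code from the Kaspersky description. It audits
# the two persistence locations named above (AppCertDlls and AppInit_DLLs),
# flags the file names the description lists, and flags any listed DLL that
# is missing or not Authenticode-signed. Run from an elevated prompt.

$KnownBadNames = @('mscert.dll', 'kbdnet.dll')   # names from the description

function Test-InjectedDll {
    param([string]$Source, [string]$ValueName, [string]$Path)
    $dll = [Environment]::ExpandEnvironmentVariables($Path).Trim()
    if (-not $dll) { return }
    # Assumption: bare names in AppInit_DLLs resolve to %SystemRoot%\System32
    if (-not [IO.Path]::IsPathRooted($dll)) {
        $dll = Join-Path $env:SystemRoot "System32\$dll"
    }
    $reasons = @()
    if ($KnownBadNames -contains (Split-Path -Leaf $dll)) { $reasons += 'name listed in the description' }
    if (Test-Path -LiteralPath $dll) {
        $sig = Get-AuthenticodeSignature -FilePath $dll
        if ($sig.Status -ne 'Valid') { $reasons += "signature status: $($sig.Status)" }
    } else {
        $reasons += 'file not found on disk'
    }
    [PSCustomObject]@{
        Source = $Source; Value = $ValueName; Dll = $dll
        Suspicious = ($reasons.Count -gt 0); Reason = ($reasons -join '; ')
    }
}

$findings = @()

# 1. AppCertDlls: every value under this key names a DLL loaded into processes
$certKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls'
if (Test-Path $certKey) {
    foreach ($p in (Get-ItemProperty -Path $certKey).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip provider metadata properties
        $findings += Test-InjectedDll -Source 'AppCertDlls' -ValueName $p.Name -Path $p.Value
    }
}

# 2. AppInit_DLLs: space/comma separated, honoured only when LoadAppInit_DLLs = 1
$winKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$win = Get-ItemProperty -Path $winKey
if ($win.LoadAppInit_DLLs -eq 1 -and $win.AppInit_DLLs) {
    foreach ($entry in ($win.AppInit_DLLs -split '[ ,]+' | Where-Object { $_ })) {
        $findings += Test-InjectedDll -Source 'AppInit_DLLs' -ValueName 'AppInit_DLLs' -Path $entry
    }
}
$findings | Format-Table -AutoSize
```

On 64-bit Windows the same AppInit_DLLs values also exist under HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows and should be checked the same way. Entries in these locations are uncommon on a clean workstation, so review every reported DLL rather than relying on the name list alone.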
Once injected into the address space of Internet Explorer ("iexplore.exe"), the extracted libraries enable the malicious user to monitor incoming and outgoing traffic on the infected computer. The user's search queries on the following sites:
- altavista.com
- google.com
- yahoo.com
- bing.com

will be redirected to an address specified by the malicious user. In addition, by means of these libraries, other malicious programs can be downloaded to the infected computer.
If your computer does not have an antivirus, and is infected by this malicious program, use Kaspersky Anti-Virus to delete it: perform a full scan of the computer using Kaspersky Anti-Virus with up-to-date antivirus databases (download a trial version).
MD5: 93BCA465417D62AE9114BCB596834747
SHA1: 8C17B74DC904E739B6EEF5A28FDD0FE56D9A9C0B
Backdoors are designed to give malicious users remote control over an infected computer. In terms of functionality, Backdoors are similar to many administration systems designed and distributed by software developers.
These types of malicious programs make it possible to do anything the author wants on the infected computer: send and receive files, launch files or delete them, display messages, delete data, reboot the computer, etc.
The programs in this category are often used in order to unite a group of victim computers and form a botnet or zombie network. This gives malicious users centralized control over an army of infected computers which can then be used for criminal purposes.
There is also a group of Backdoors which are capable of spreading via networks and infecting other computers as Net-Worms do. The difference is that such Backdoors do not spread automatically (as Net-Worms do), but only upon a special “command” from the malicious user that controls them.