arrow_back
search
close

BKDR_AGOBOT.KRH

February 19, 2013
 Analysis by: Adrianne Chester Camat
 PLATFORM:

Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:

  • Threat Type: Backdoor

  • Destructiveness: No

  • Encrypted: Yes

  • In the wild: Yes

  OVERVIEW

Infection Channel:

Dropped by other malware, Downloaded from the Internet

This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It acts as a proxy server to allow remote malicious user to use the affected systems to hide their identities when performing malicious activities.

It allows remote users to obtain files from affected systems. It executes a remote command prompt.

  TECHNICAL DETAILS

File Size:

106,496 bytes

File Type:

EXE

Memory Resident:

Yes

Initial Samples Received Date:

19 Feb 2013

Payload:

Compromises system security

Arrival Details

This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Proxy Server Routine

This backdoor acts as a proxy server to allow remote malicious user to use the affected systems to hide their identities when performing malicious activities.

Other Details

This backdoor allows a remote user to obtain files from an affected system.

It executes a remote command prompt.

NOTES:

This malware is a modified version of NETCAT tool.

It abuses the capabilities of the NETCAT tool and adds certain Microsoft file properties to trick user that it is a legitimate process.

Based on analysis of the codes, it has the following capabilities:

  • Outbound or inbound connections, TCP or UDP, to or from any ports
  • Scan ports
  • Bind to a port
  • Connect to target machine
  • Listen to a port
  • Transmit packet to target machine
  • Create remote shell
  • Transfer file
  • Act as proxy

  SOLUTION

Minimum Scan Engine:

9.300

FIRST VSAPI PATTERN FILE:

9.738.01

FIRST VSAPI PATTERN DATE:

19 Feb 2013

VSAPI OPR PATTERN File:

9.739.00

VSAPI OPR PATTERN Date:

20 Feb 2013

Step 1

Before doing any scans, Windows XP, Windows Vista, and Windows 7 users must disable System Restore to allow full scanning of their computers.

Step 2

Identify and terminate files detected as BKDR_AGOBOT.KRH

[ Learn More ]
  1. Windows Task Manager may not display all running processes. In this case, please use a third-party process viewer, preferably Process Explorer, to terminate the malware/grayware/spyware file. You may download the said tool here.
  2. If the detected file is displayed in either Windows Task Manager or Process Explorer but you cannot delete it, restart your computer in safe mode. To do this, refer to this link for the complete steps.
  3. If the detected file is not displayed in either Windows Task Manager or Process Explorer, continue doing the next steps.

Step 3

Scan your computer with your Trend Micro product to delete files detected as BKDR_AGOBOT.KRH. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.


Did this description help? Tell us how we did.