BKDR_AGENT.AJAT

Malware type: Backdoor

Aliases: Backdoor.Win32.Agent.gjs (Kaspersky), Trojan Horse (Symantec), TR/Crypt.XPACK.Gen (Avira), Mal/Emogen-Y (Sophos)

In the wild: Yes

Destructive: No

Language: English

Platform: Windows 98, ME, NT, 2000, XP, Server 2003

Encrypted: No

Overall risk rating:

Reported infections:

Damage potential:

Medium

Distribution potential:

Low

Description: 

A backdoor program is a Trojan specifically designed to allow malicious users to remotely manipulate affected systems. Like all Trojans, backdoors do not automatically propagate. They are either installed inadvertently by unsuspecting users or intentionally by malicious users.

Backdoors, like other Trojans, typically modify system settings to automatically start. Users may need to terminate backdoors before they can be deleted. Also, restoring affected systems may require procedures other than scanning with an antivirus program.

For additional information about this threat, see:

Description created: Sep. 24, 2008 1:40:29 AM GMT -0800


TECHNICAL DETAILS


File type: PE

Memory resident: Yes

Size of malware: Varies

Initial samples received on: Sep 11, 2008

Payload 1: Connects to a URL

Details:

This backdoor drops the following copy(ies) of itself:

  • %User Profile%\xrt_brel.exe

(Note: %User Profile% is the current user's profile folder, which is usually C:\Windows\Profiles\{user name} on Windows 98 and ME, C:\WINNT\Profiles\{user name} on Windows NT, and C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003.)

It creates the following registry entry(ies) to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\Windows\CURRENTVERSION\
Run
xrt_Shell = "%User Profile%\xrt_brel.exe"

It creates the following registry key(s)/entry(ies) as part of its installation routine:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Winlogon
SFCScan = "0"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Winlogon\SpecialAccounts\UserList
l1706114968 = "0"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\
Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
C:\WINDOWS\explorer.exe = "%Windows%\explorer.exe:*:Enabled:Windows Explorer"

It modifies the following registry key(s)/entry(ies) as part of its installation routine:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Winlogon
AllowMultipleTSSessions = "1"

(Note: The default value data for the said registry entry is 0.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Winlogon
SFCDisable = "dword:ffffff9d"

(Note: The default value data for the said registry entry is dword:00000000.)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server
fDenyTSConnections = "0"

(Note: The default value data for the said registry entry is 1.)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\
Epoch
Epoch = "71"

(Note: The default value data for the said registry entry is 70.)

It modifies the following file(s):

  • %System%\termsrv.dll
  • %System%\winlogon.exe

It then saves the original files as the following:

  • %System%\winlogon.old
  • %System%\termsvr.old

(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)

Backdoor Capabilities

It connects to the following Web site to send and receive information:

  • http://{BLOCKED}.{BLOCKED}.51.75/cgi-bin/options.cgi?user_id=4243209601&socks=8925&version_id=902&passphrase=fkjvhsdvlksdhvlsd&crc=3c64cb2e&uptime=00:00:06:23

Analysis By: Jasper Manuel

Revision History:

First pattern file version: 5.578.08
First pattern file release date: Oct 03, 2008

SOLUTION


Minimum scan engine version needed: 8.500

Pattern file needed: 5.579.00

Pattern release date: Oct 5, 2008


Important note: The "Minimum scan engine" refers to the earliest Trend Micro scan engine version guaranteed to detect this threat. However, Trend Micro strongly recommends that you update to the latest version in order to get comprehensive protection. Download the latest scan engine here.

Solution:

Deleting Malware Files using Recovery Console
On Windows NT, 2000, XP, and Server 2003 systems

This procedure allows the computer to restart by using the Windows installation CD.

  1. Insert your Windows Installation CD in your CD-ROM drive.
  2. Press the restart button of your computer.
  3. When prompted, press any key to boot from the CD.
  4. When prompted on the Main Menu, type r to enter the recovery console.
    (Note: On Windows 2000, after pressing r, type c to choose the Recovery Console in the repair options screen.)
  5. When prompted, type your administrator password to log on.
  6. Once logged in, type the drive that contains Windows in the command prompt that appears, then press Enter.
  7. Type the drive that contains Windows, then press Enter.
  8. Type the following, then press Enter:
    cd system32
    del winlogon.exe
    ren winlogon.old winlogon.exe
  9. Repeat the above procedure for all files detected earlier.
  10. Type exit to restart the system.

Deleting Malware Files using Windows Startup Disk
On Windows 98 and ME systems

This procedure allows the computer to restart by using the Windows Startup Disk.

  1. Click Start>Settings>Control Panel.
  2. In the Control Panel, double-click Add/Remove Programs. Click on the Startup Disk tab.
  3. Insert a working floppy disk and the Windows installation CD, and then click the Create Disk button to create the Startup Disk. Note that this deletes the contents of the floppy disk.
  4. Restart the system with the Startup Disk.
  5. In the command prompt, locate the folder where the malware files are detected.
  6. In the folder, type the following and press Enter:
    cd system32
    del winlogon.exe
    ren winlogon.old winlogon.exe
  7. Repeat the above procedure for the following file:
    termsrv.dll
  8. Restart the system.

Removing Autostart Entries from the Registry

This solution deletes/modifies registry keys/entries added/modified by this malware. Before performing the steps below, make sure you know how to back up the registry and how to restore it if a problem occurs. Refer to this Microsoft article for more information about modifying your computer's registry.

  1. Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
  2. In the left panel, double-click the following:
    HKEY_CURRENT_USER>SOFTWARE>MICROSOFT>Windows>CURRENTVERSION>
    Run
  3. In the right panel, locate and delete the entry:
    xrt_Shell = "%User Profile%\xrt_brel.exe"
    (Note: %User Profile% is the current user's profile folder, which is usually C:\Windows\Profiles\{user name} on Windows 98 and ME, C:\WINNT\Profiles\{user name} on Windows NT, and C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003.)
  4. Close Registry Editor.

Removing Other Malware Entries from the Registry

This solution deletes/modifies registry keys/entries added/modified by this malware. Before performing the steps below, make sure you know how to back up the registry and how to restore it if a problem occurs. Refer to this Microsoft article for more information about modifying your computer's registry.

  1. Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
  2. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows NT>CurrentVersion>
    Winlogon
  3. In the right panel, locate and delete the entry:
    • SFCScan = "0"
  4. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows NT>CurrentVersion>
    Winlogon>SpecialAccounts>UserList
  5. In the right panel, locate and delete the entry:
    • l1706114968 = "0"
  6. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>SharedAccess>
    Parameters>FirewallPolicy>StandardProfile>AuthorizedApplications>List
  7. In the right panel, locate and delete the entry:
    • C:\WINDOWS\explorer.exe = "%WINDOWS%\explorer.exe:*:Enabled:Windows Explorer"
  8. Close Registry Editor.

Restoring Registry Entries

  1. Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
  2. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows NT>CurrentVersion>
    Winlogon
  3. In the right panel, locate the entry:
    AllowMultipleTSSessions = "1"
  4. Right-click on the value name and choose Modify. Change the value data of this entry to:
    "0"
  5. In the right panel, locate the entry:
    SFCDisable = "dword:ffffff9d"
  6. Right-click on the value name and choose Modify. Change the value data of this entry to:
    "dword:00000000"
  7. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Control>Terminal Server
  8. In the right panel, locate the entry:
    fDenyTSConnections = "0"
  9. Right-click on the value name and choose Modify. Change the value data of this entry to:
    "1"
  10. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>SharedAccess>
    Epoch
  11. In the right panel, locate the entry:
    Epoch = "71"
  12. Right-click on the value name and choose Modify. Change the value data of this entry to:
    "70"
  13. Close Registry Editor.
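The registry entries and files listed under Technical Details, and the restoration steps above, can be verified in one pass. The following PowerShell script is an added example, not part of the Trend Micro write-up; it assumes the defaults quoted in the notes above, that %User Profile% is $env:USERPROFILE and that %System% is $env:SystemRoot\System32, and it only reads, never changes, the registry.

```powershell
# Added example, not part of the Trend Micro write-up: read-only check of a host
# for the registry and file indicators listed above. Run from an elevated prompt.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$fwList   = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'

# Returns the value data, or $null when the key or the value does not exist.
function Get-RegValue([string]$Path, [string]$Name) {
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

$findings = @()
# Entries the backdoor creates: their mere presence is a finding.
$created = @(
    @{ Path = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'; Name = 'xrt_Shell' },
    @{ Path = $winlogon;                            Name = 'SFCScan' },
    @{ Path = "$winlogon\SpecialAccounts\UserList"; Name = 'l1706114968' },
    @{ Path = $fwList;                              Name = 'C:\WINDOWS\explorer.exe' }
)
foreach ($e in $created) {
    $v = Get-RegValue $e.Path $e.Name
    if ($null -ne $v) { $findings += "present: $($e.Path)\$($e.Name) = $v" }
}

# Entries the backdoor modifies: compare against the defaults the write-up gives.
# SFCDisable = dword:ffffff9d reads back as the signed DWORD -99, so it is flagged.
$modified = @(
    @{ Path = $winlogon; Name = 'AllowMultipleTSSessions'; Default = 0 },
    @{ Path = $winlogon; Name = 'SFCDisable';              Default = 0 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server';     Name = 'fDenyTSConnections'; Default = 1 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch'; Name = 'Epoch';              Default = 70 }
)
foreach ($e in $modified) {
    $v = Get-RegValue $e.Path $e.Name
    if ($null -ne $v -and [int64]$v -ne $e.Default) {
        $findings += "modified: $($e.Path)\$($e.Name) = $v (default $($e.Default))"
    }
}

# The dropped copy and the renamed originals the backdoor leaves in %System%.
foreach ($f in "$env:USERPROFILE\xrt_brel.exe",
               "$env:SystemRoot\System32\winlogon.old",
               "$env:SystemRoot\System32\termsvr.old") {
    if (Test-Path -LiteralPath $f) { $findings += "file: $f" }
}
if ($findings.Count -eq 0) { 'No BKDR_AGENT.AJAT indicators found.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

The Run entry, the hidden UserList account and the leftover .old files are the strongest signals; the Epoch counter also changes with ordinary firewall policy edits, so treat a non-default Epoch alone as corroboration rather than proof.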

Important Windows ME/XP Cleaning Instructions

Users running Windows ME and XP must disable System Restore to allow full scanning of infected computers.

Users running other Windows versions can proceed with the succeeding solution set(s).

Running Trend Micro Antivirus

If you are currently running in safe mode, please restart your computer normally before performing the following solution.

Scan your computer with Trend Micro antivirus and delete files detected as BKDR_AGENT.AJAT. To do this, Trend Micro customers must download the latest virus pattern file and scan their computer. Other Internet users can use HouseCall, the Trend Micro online virus scanner.
