BKDR_AGENT.DZW
Symantec : Spyware.Keylogger
Windows 2000, Windows XP, Windows Server 2003
Threat Type: Backdoor
Destructiveness: No
Encrypted: Yes
In the wild: Yes
OVERVIEW
This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
TECHNICAL DETAILS
Arrival Details
This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Installation
This backdoor drops the following component file(s):
- %system%\msinet.ocx
- %system%\MSWINSCK.OCX
Autostart Technique
This backdoor adds the following registry entries to enable its automatic execution at every system startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
Windows Update = {malware path and file name}
Other System Modifications
This backdoor adds the following registry keys as part of its installation routine:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
InetCtls.Inet
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
InetCtls.Inet.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
MSWinsock.Winsock
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
MSWinsock.Winsock.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{39977C62-C383-463D-AF61-C71220634656}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{48E59293-9880-11CF-9754-00AA00C00908}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{6E5311A1-325D-4FFD-9AF4-B373F02AE458}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{E2D211D5-11E4-4D9E-B6DB-1E902C851A49}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Interface\{48E59291-9880-11CF-9754-00AA00C00908}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
TypeLib\{48E59290-9880-11CF-9754-00AA00C00908}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Internet Explorer\ActiveX Compatibility\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Internet Explorer\ActiveX Compatibility\{39977C62-C383-463D-AF61-C71220634656}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Internet Explorer\ActiveX Compatibility\{48E59293-9880-11CF-9754-00AA00C00908}
Other Details
This backdoor connects to the following possibly malicious URL:
- http://{BLOCKED}ndns.org/xampp/ip.php