BKDR_AGENT.TIT

This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It injects its dropped file/component to specific processes.

It connects to a website to send and receive information.

It deletes the initially executed copy of itself.

Arrival Details

This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This backdoor drops the following files:

• %Application Data%\Windows\userinit.dll - also detected as BKDR_AGENT.TIT

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Windows\Profiles\{user name}\Application Data on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Application Data on Windows NT, and C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, XP, and Server 2003.)

It drops the following non-malicious files:

• %Current%\SysInfo.txt
• %Current%\{random filename}.lnk

It drops the following copies of itself into the affected system:

• %System Root%\Documents and Settings\All Users\Application Data\desktop.BIN
• %Application Data%\Windows\userinit.exe
• %User Startup%\userinit.exe

(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.. %Application Data% is the current user's Application Data folder, which is usually C:\Windows\Profiles\{user name}\Application Data on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Application Data on Windows NT, and C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, XP, and Server 2003.. %User Startup% is the current user's Startup folder, which is usually C:\Windows\Profiles\{user name}\Start Menu\Programs\Startup on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Start Menu\Programs\Startup on Windows NT, and C:\Documents and Settings\{User name}\Start Menu\Programs\Startup.)

It creates the following folders:

• %Application Data%\Windows
• %Application Data%\Windows\logs

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Windows\Profiles\{user name}\Application Data on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Application Data on Windows NT, and C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, XP, and Server 2003.)

It adds the following mutexes to ensure that only one of its copies runs at any one time:

• Mcafee FrameWork(

It injects its dropped file/component to the following processes:

• explorer.exe

Backdoor Routine

This backdoor connects to the following websites to send and receive information:

• {BLOCKED}e.adobesuit.com

Other Details

This backdoor deletes the initially executed copy of itself

NOTES:
The created file SysInfo.TXT contains the following information it retrieved:

• Hotfix information
• Internet Explorer version
• Ip address information
• List of files in certain directories
• List of services and their status
• Microsoft Office applications version
• Network information
• OS information
• Proxy information
• User accounts information