Home / malware Backdoor:W32/Agent.AMB
First posted on 06 April 2007.
Source: SecurityHomeAliases :
Backdoor:W32/Agent.AMB is also known as Backdoor.Win32.Agent.amb, Trojan.Panddos, BehavesLike:Win32.Malware.
Explanation :
Backdoor:W32/Agent.AMB is a generic detection for backdoor programs that allows the downloading and running of files on the infected computer and also perform DoS (Denial of Service) attacks.
It drops its main executable in Windows System directory using any of the following filenames:
- serivces.exe
- svchost.exe
Agent.AMB also drops the following file:
- %temp%
s.bat - A batch file used to delete the executed copy of the backdoor.
It installs itself as a service using any of the following service names:
- Windows Firewall
- wuauserv
Agent.AMB connects to a remote site and awaits for commands from a remote hacker.
It may also perform denial of service attacks on certain websites and download other malware from the Internet.
Some variants of this backdoor may also drop its copies using random filenames to the following locations:
- %Program Files%Common FilesMicrosoft Shared
- %Program Files%Windows Media Player
- %Program Files%Internet ExplorerConnection Wizard
- %WinDir%addins
- %WinDir%system
Other variants also drop the configuration file, Autorun.inf, together with the main executable. If the Windows Autorun function is enabled in the system, the Autorun.inf file is used to automatically run the backdoor upon opening a drive or inserting a removable device into the machine.
Last update 06 April 2007