Home / malware Backdoor:W32/Agent.ADQB
First posted on 11 April 2009.
Source: SecurityHomeAliases :
Backdoor:W32/Agent.ADQB is also known as Backdoor.IRC.Bot (Symantec), W32/Sdbot.worm.gen.h (McAfee), Backdoor:Win32/IRCBot.gen!K (Microsoft).
Explanation :
A remote administration utility which bypasses normal security mechanisms to secretly control a program, computer or network.
Additional DetailsThis backdoor program attempts to connect to a remote IRC server. It also attempts a Denial-of-Service (DoS) exploit on any machines it finds with an open Microsoft-ds (Directory Service) port.
Installation
During installation, the following files are created:
• %windir%systemwmisvr.exe - Copy of the backdoor
• %windir%system32driverssysdrv32.sys - Detected as Worm.Win32.AutoRun.ezt
Activity
While active, the backdoor attempts to connect to a remote IRC server:
• sec.republicofskorea.info:8084/TCP
The backdoor also iterates the IP address and looks for available systems with an open Microsoft-ds port (specifically, tcp 445). If a vulnerable machine is discovered, the backdoor breaches the targeted machine's Windows Firewall, a form of Denial-of-Service (DoS) exploit similar to the notorious MS04-011 vulnerability.
To protect the backdoor, the WMISRV Service is stopped when the debugger program Ollydbg is launched; this protective action makes the debugging process more difficult.
Registry
The backdoor edits the Windows Firewall Policy, to allow it to function as an authorized application.
• HKLMSYSTEMCurrentControlSetServicesSharedAccessParametersFirewallPolicyStandardProfileAuthorizedApplicationsList
C:WINDOWSsystemwmisvr.exe = C:WINDOWSsystemwmisvr.exe:*:Microsoft Enabled
It also sets two malware launch points as services:
• HKLMSystemCurrentControlSetServicesWMISRV
ImagePath = "C:WINDOWSsystemwmisvr.exe"
DisplayName = WMI Servicer
Description = Auto-Syncs Patches and Hotfixes • HKLMSystemCurrentControlSetServicessysdrv32
ImagePath = ??C:WINDOWSsystem32driverssysdrv32.sys
DisplayName = Play Port I/O Driver
The following mutex name is used by wmisvr.exe:
• ScnBxLast update 11 April 2009
