Backdoor: Backdoor.Win32.Agent.b
Risk level: Medium
Virus description
The sample is a backdoor written in “VC” and packed with “nSPack” in an attempt to evade signature scanning. The packed size is 54,596 bytes, and it uses the “exe” extension. It spreads through file binding, web pages carrying trojans, downloader tools, and so on. The main purpose of the virus is to control the user's machine. When a user's computer is infected with this trojan, unknown processes are found, and so on.
Infected OS
Windows 2000 / Windows XP / Windows 2003 / Windows Vista / Windows 7
Transmission
File binding, web pages carrying trojans, downloader tools
Manual removal:
Delete the following file:
%SystemRoot%\System32\Winp32.exe
Variable declarations:
%SystemDrive% the partition where the system is installed, typically “C:\”
%SystemRoot% the WINDOWS directory, usually “C:\Windows”
%Documents and Settings% the user documents directory, usually “C:\Documents and Settings”
%Temp% the temporary folder, usually “C:\Documents and Settings\current user name\Local Settings\Temp”
%ProgramFiles% the default installation directory for programs, typically “C:\Program Files”
Virus analysis:
1. The virus calls the SetErrorMode function so that the critical error handler does not display a message box.
2. It checks whether it has already been injected into the svchost.exe process. If the injection has not succeeded, it copies itself to the “C:\WINDOWS\System32\” system directory under the name “Winp32.exe”, sets the system and hidden attributes on the copy, and then sets up the process-loading operation.
3. If successful, it creates a mutex named “NB2HI4B2F4XXO53XFZQWU2LFGUZDALTDN5WS6YLQOAXTCLTUPB2A====” to prevent repeated execution, creates a thread, and connects to the network. Using socket, send, recv and other functions, it sends the user machine's processor type, operating system version and operating system default language to a URL specified by the hacker, then waits for the hacker's next command.
4. Finally, it calls a CMD command to delete itself.
Files created by the virus:
%SystemRoot%\System32\Winp32.exe
Network access by the virus:
http://www.******.com/app/1.txt
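A read-only host check for the two local indicators described above (the Winp32.exe copy and the mutex), added here as an example and not part of the original write-up. The function names, the SysWOW64 lookup and the Global\ prefix are assumptions, as is reading the mutex name without a space before its padding; it needs 64-bit PowerShell 4.0 or later.

```powershell
# Read-only triage for the indicators in this write-up. Nothing is deleted.
# Run elevated so objects created by a service-context process are visible.

$FileName  = 'Winp32.exe'   # name of the dropped copy given on the page
# Mutex name from the page, written without a space before "====" (assumption).
$MutexName = 'NB2HI4B2F4XXO53XFZQWU2LFGUZDALTDN5WS6YLQOAXTCLTUPB2A===='

function Test-DroppedFile {
    # Assumption: SysWOW64 is checked as well, because a 32-bit process that
    # writes to System32 on 64-bit Windows is redirected there.
    foreach ($dir in 'System32', 'SysWOW64') {
        $path = Join-Path $env:SystemRoot (Join-Path $dir $FileName)
        # -Force is needed: the copy is described as hidden + system.
        $item = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
        if ($item) {
            [pscustomobject]@{
                Path       = $item.FullName
                Size       = $item.Length
                Hidden     = $item.Attributes.HasFlag([IO.FileAttributes]::Hidden)
                System     = $item.Attributes.HasFlag([IO.FileAttributes]::System)
                CreatedUtc = $item.CreationTimeUtc
                SHA256     = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            }
        }
    }
}

function Test-MarkerMutex {
    # Assumption: code running inside svchost.exe creates the object in the
    # session-0 namespace, which other sessions reach through "Global\".
    foreach ($name in "Global\$MutexName", $MutexName) {
        $m = $null
        try {
            if ([Threading.Mutex]::TryOpenExisting($name, [ref]$m)) {
                $m.Dispose()
                return $name
            }
        } catch [UnauthorizedAccessException] {
            # The object exists but this account may not open it.
            return "$name (exists, access denied)"
        }
    }
    return $null
}

[pscustomobject]@{
    Computer     = $env:COMPUTERNAME
    DroppedFiles = @(Test-DroppedFile)
    Mutex        = Test-MarkerMutex
}
```

A mutex hit with no file on disk points to a running instance whose on-disk copy is elsewhere or already removed; preserve the file hash before following the manual removal step.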