Backdoor: Backdoor.Win32.Agent.qew
Risk level: Medium
Virus description
The sample is a backdoor written in C/C++ and packed with NsPack in an attempt to evade signature scanning. The packed file is 20,992 bytes, its icon field is empty, and it uses the "exe" extension. It spreads mainly through file bundling, download managers and Trojanized web pages (drive-by downloads), and its primary purpose is to control the user's computer.
After the computer is infected, network ports are opened for no apparent reason, the network slows down, and data may be lost.
Affected operating systems
Windows 2000 / Windows XP / Windows 2003 / Windows Vista / Windows 7
Propagation
Bundled files, Trojanized web pages, download tools
Manual removal:
1. Manually stop the service named "Windsows Help System".
2. Manually delete the following registry keys:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinHselp32
Name: ImagePath
Value: C:\WINDOWS\system32\sWsinHelp32.exe
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinHselp32
Name: ImagePath
Value: C:\WINDOWS\system32\sWsinHelp32.exe
3. Manually delete the following file:
%SystemRoot%\system32\sWsinHelp32.exe
Variable definitions:
%SystemDrive% - the partition holding the system, usually "C:\"
%SystemRoot% - the WINDOWS directory, usually "C:\Windows"
%Documents and Settings% - the user profile directory, usually "C:\Documents and Settings"
%Temp% - the temporary folder, usually "C:\Documents and Settings\<current user name>\Local Settings\Temp"
%ProgramFiles% - the default program installation directory, typically "C:\Program Files"
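The removal steps above can be checked and carried out from an elevated PowerShell prompt. The script below is an added example, not part of the original advisory: it looks only for the service name, display name, ImagePath keys and file path listed on this page, reports what it finds, and performs the three removal steps only when the (assumed, script-specific) -Remove switch is given. The HKLM: drive paths are the PowerShell form of the HKEY_LOCAL_MACHINE keys listed above.

```powershell
# Added example: check a host for the Backdoor.Win32.Agent.qew artifacts named in
# this advisory (service WinHselp32, display name "Windsows Help System",
# file %SystemRoot%\system32\sWsinHelp32.exe). Report only by default;
# -Remove performs the manual removal steps. Run from an elevated prompt.
param([switch]$Remove)

$serviceName = 'WinHselp32'
$displayName = 'Windsows Help System'   # misspelled display name used by the malware
$filePath    = Join-Path $env:SystemRoot 'system32\sWsinHelp32.exe'
$regKeys     = @(
    'HKLM:\SYSTEM\CurrentControlSet\Services\WinHselp32',
    'HKLM:\SYSTEM\ControlSet001\Services\WinHselp32'
)
$findings = @()

# Step 1 artifact: the service, matched by internal name or by display name
$svc = Get-Service | Where-Object { $_.Name -eq $serviceName -or $_.DisplayName -eq $displayName }
if ($svc) { $findings += "Service: $($svc.Name) ('$($svc.DisplayName)') status $($svc.Status)" }

# Step 2 artifact: the service keys and the ImagePath they point at
foreach ($key in $regKeys) {
    if (Test-Path $key) {
        $img = (Get-ItemProperty -Path $key -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
        $findings += "Registry: $key ImagePath=$img"
    }
}

# Step 3 artifact: the dropped file; -Force is needed because it is set hidden+system
if (Test-Path -LiteralPath $filePath) {
    $item = Get-Item -LiteralPath $filePath -Force
    $findings += "File: $filePath ($($item.Length) bytes, attributes $($item.Attributes))"
}

if (-not $findings) { Write-Host 'No Backdoor.Win32.Agent.qew artifacts found.'; return }
$findings | ForEach-Object { Write-Warning $_ }

if ($Remove) {
    # Same order as the manual removal steps: stop service, delete keys, delete file
    if ($svc) { Stop-Service -Name $svc.Name -Force -ErrorAction SilentlyContinue }
    foreach ($key in $regKeys) {
        if (Test-Path $key) { Remove-Item -Path $key -Recurse -Force }
    }
    if (Test-Path -LiteralPath $filePath) { Remove-Item -LiteralPath $filePath -Force }
    Write-Host 'Removal steps applied; reboot so the service entry is fully unloaded.'
}
```

If the file deletion fails because the executable is still held open by the svchost.exe process the service injected into, reboot after the service and keys have been removed and run the script again.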
Virus analysis
(1) The virus copies itself from its own path to %SystemRoot%\system32\sWsinHelp32.exe.
(2) Once the copy is complete, it sets the copy's attributes to system and hidden and runs it.
(3) It calls the command line to delete the original virus file.
(4) %SystemRoot%\system32\sWsinHelp32.exe opens the Service Control Manager and registers itself as a service named "WinHselp32" with the display name "Windsows Help System"; the corresponding registry keys are:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinHselp32
Name: ImagePath
Value: C:\WINDOWS\system32\sWsinHelp32.exe
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinHselp32
Name: ImagePath
Value: C:\WINDOWS\system32\sWsinHelp32.exe
(5) After the service entry is created successfully, it starts the service.
(6) When the service entry runs, the virus injects itself into svchost.exe, connects to the specified network addresses, transmits the operating system version and MAC address of the user's computer, and waits for further control commands from the attacker.
Files created by the virus:
%SystemRoot%\system32\sWsinHelp32.exe
Files deleted by the virus:
The original virus file
Registry keys created by the virus:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinHselp32
Name: ImagePath
Value: C:\WINDOWS\system32\sWsinHelp32.exe
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinHselp32
Name: ImagePath
Value: C:\WINDOWS\system32\sWsinHelp32.exe
Network addresses accessed by the virus:
122.225.***.189:80
122.225.***.146:8080