Threat Descriptions

Backdoor:W32/Agent.ADQB

Classification

Category :

Malware

Type :

Backdoor

Platform :

W32

Aliases :

backdoor.win32.agent.adqb, Backdoor.IRC.Bot (Symantec), W32/Sdbot.worm.gen.h (McAfee), Backdoor:Win32/IRCBot.gen!K (Microsoft)

Summary

A remote administration tool (RAT) that bypasses the security features of a program, computer or network to give unauthorized access or control to its user.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

This backdoor program attempts to connect to a remote IRC server. It also attempts a Denial-of-Service (DoS) exploit on any machines it finds with an open Microsoft-ds (Directory Service) port.

Installation

During installation, the following files are created:

  • %windir%\system\wmisvr.exe - Copy of the backdoor
  • %windir%\system32\drivers\sysdrv32.sys - Detected as Worm.Win32.AutoRun.ezt

Activity

While active, the backdoor attempts to connect to a remote IRC server:

  • sec.republicofskorea.info:8084/TCP

The backdoor also iterates the IP address and looks for available systems with an open Microsoft-ds port (specifically, tcp 445). If a vulnerable machine is discovered, the backdoor breaches the targeted machine's Windows Firewall, a form of Denial-of-Service (DoS) exploit similar to the notorious MS04-011 vulnerability.To protect the backdoor, the WMISRV Service is stopped when the debugger program Ollydbg is launched; this protective action makes the debugging process more difficult.

Registry

The backdoor edits the Windows Firewall Policy, to allow it to function as an authorized application.

  • HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\WINDOWS\system\wmisvr.exe = C:\WINDOWS\system\wmisvr.exe:*:Microsoft Enabled

It also sets two malware launch points as services:

  • HKLM\System\CurrentControlSet\Services\WMISRV ImagePath = "C:\WINDOWS\system\wmisvr.exe" DisplayName = WMI Servicer Description = Auto-Syncs Patches and Hotfixes
  • HKLM\System\CurrentControlSet\Services\sysdrv32 ImagePath = \??\C:\WINDOWS\system32\drivers\sysdrv32.sys DisplayName = Play Port I/O Driver

The following mutex name is used by wmisvr.exe:

  • ScnBx