Threat behavior
Backdoor:Win32/Agent!9972 is a backdoor Trojan that allows an attacker to take control of an infected computer. When a computer is infected, the Trojan connects to an Internet Relay Chat (IRC) server and joins a channel in order to receive commands from the controlling attacker. These commands can instruct the Trojan to perform a number of different actions, including downloading and installing additional components and spreading to other computers via MSN Messenger.
When run, Backdoor:Win32/Agent!9972 performs the following actions:
- Terminates if a debugger or virtual machine environment is detected
- Drops copies of itself to the %temp% and %windir% directories as vpcrtf.exe, and drops an archived copy of itself in %windir%
- Adds a registry key in order to run at Windows startup:
    Adds value: Microsoft Visual Application
    With data: vpcrtf.exe
    To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- Drops a batch file "a.bat" in the root of drive C and executes it; the batch file contains commands to stop the services named "Security Center" and "RealVNC"
Note: %windir% refers to a variable location that the malware determines by querying the operating system. The default installation location for the Windows directory is C:\Winnt on Windows 2000 and NT, and C:\Windows on XP and Vista.
Backdoor:Win32/Agent!9972 connects to the IRC server vpn.basecore.info and waits for commands. These commands can include the following actions:
- downloading or uploading files through FTP
- logging keystrokes
- retrieving computer information
- performing flooding or Denial of Service (DoS) attacks
- manipulating processes and services
- updating itself
- spreading to other computers using MSN Messenger
When ordered to spread, Backdoor:Win32/Agent!9972 sends an archive of itself using MSN Messenger. It attempts to entice users into opening it by using one of the following accompanying messages:
- "Did you take this picture?"
- "is that you on the left?"
- "How drunk was I in this picture?"
- "Is that your mom in this picture?"
- "lol, your mom just sent me this picture?"
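The artifacts listed above (the Run key value, the dropped vpcrtf.exe copies, the a.bat file, the stopped services and the IRC server name) can be checked on a suspect machine with a short read-only script. The following PowerShell is an added example written for this description; it is not code from the original page or from Microsoft. It assumes an elevated PowerShell session on the machine being examined, that the dropped process is named after the file (vpcrtf), and that Get-DnsClientCache is available (Windows 8 / Server 2012 or later); the archived copy in %windir% is not checked because its name is not given.

```powershell
# Added example (not from the original threat description): read-only check for the
# host-based indicators listed for Backdoor:Win32/Agent!9972.
# Assumption: run in an elevated PowerShell session on the machine being examined.

$findings = @()

# 1. Startup persistence: value "Microsoft Visual Application" under the machine Run key
$runKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$valueName = 'Microsoft Visual Application'
$runValue  = Get-ItemProperty -Path $runKey -Name $valueName -ErrorAction SilentlyContinue
if ($runValue) {
    $findings += "Run key value '$valueName' present, data: $($runValue.$valueName)"
}

# 2. Dropped files: vpcrtf.exe in %temp% and %windir%, and a.bat in the root of drive C
$paths = @(
    (Join-Path $env:TEMP   'vpcrtf.exe'),
    (Join-Path $env:WINDIR 'vpcrtf.exe'),
    'C:\a.bat'
)
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) {
        $findings += "Dropped file present: $p"
    }
}

# 3. A running process named after the dropped executable (assumed name, no extension)
$proc = Get-Process -Name 'vpcrtf' -ErrorAction SilentlyContinue
if ($proc) {
    $findings += "Process vpcrtf.exe running (PID $($proc.Id -join ', '))"
}

# 4. Services the batch file tries to stop, reported by display name; a stopped
#    Security Center is only suspicious, not proof, so it is listed separately
foreach ($name in 'Security Center', 'RealVNC') {
    $svc = Get-Service -DisplayName $name -ErrorAction SilentlyContinue
    if ($svc -and $svc.Status -ne 'Running') {
        $findings += "Service '$name' is not running (status: $($svc.Status))"
    }
}

# 5. Recent resolution of the IRC command server named in the description
#    (Get-DnsClientCache requires Windows 8 / Server 2012 or later)
$dns = Get-DnsClientCache -ErrorAction SilentlyContinue |
       Where-Object { $_.Entry -like '*basecore.info*' }
if ($dns) {
    $findings += "DNS cache entry for command server: $($dns.Entry -join ', ')"
}

if ($findings.Count -eq 0) {
    Write-Output 'No indicators from the Backdoor:Win32/Agent!9972 description were found.'
} else {
    Write-Output 'Indicators found:'
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

The script only reads state and never deletes or stops anything, so it is safe to run before a full scan; a hit on the Run key value or the dropped file paths is the strongest signal, while a stopped Security Center service on its own may have an unrelated cause.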
Prevention
Take the following steps to help prevent infection on your system:
- Enable a firewall on your computer.
- Get the latest computer updates.
- Use up-to-date antivirus software.
- Use caution with attachments and file transfers.
Enable a firewall on your computer
Use a third-party firewall product or turn on the Microsoft Windows XP Internet Connection Firewall.
To turn on the Internet Connection Firewall in Windows XP
Click Start, and click Control Panel.
Click Network and Internet Connections. If you do not see Network and Internet Connections, click Switch to Category View.
Click Change Windows Firewall Settings.
Select On.
Click OK.
Get the latest computer updates
Updates help protect your computer from viruses, worms, and other threats as they are discovered. You can use the Automatic Updates feature in Windows XP to automatically download future Microsoft security updates while your computer is on and connected to the Internet.
To turn on Automatic Updates in Windows XP
Click Start, and click Control Panel.
Click System.
Click Automatic Updates.
Select a setting. Microsoft recommends selecting Automatic. If you do not choose Automatic, but you choose to be notified when updates are ready, a notification balloon appears when new downloads are available to install. Click the notification balloon to review and install the updates.
Use up-to-date antivirus software
Most antivirus software can detect and prevent infection by known malicious software. To help protect you from infection, you should always run antivirus software that is updated with the latest signature files. Antivirus software is available from several sources. For more information, see http://www.microsoft.com/athome/security/downloads/default.mspx
Use caution with attachments and file transfers
Exercise caution with e-mail and attachments received from unknown sources, or received unexpectedly from known sources. Use extreme caution when accepting file transfers from known or unknown sources.