Backdoor.Agent.b
Description Backdoor.Agent.b
Agent.b is a classic Trojan backdoor that opens the infected machine to remote access. The backdoor is a Windows PE executable written in Visual C. It is packed with two packers, Morphine and UPX; the packed file is 38 KB and the unpacked file is 104 KB. Agent.b is controlled over IRC channels. The controller can download and execute files on the infected machine.

Payload
Agent.b opens a random port in the 1xxx range, keeps it open for about a second, closes it, and then opens the next port in ascending numerical order. On the infected machine the only visible symptom is listening ports 'blinking' open and closed in ascending order.

Removal
If you know the name of the file containing the backdoor, first stop its active process with the Windows Task Manager, then delete the file. If you cannot identify the name of the active process, install a firewall that monitors open ports and keeps a log, such as Kaspersky Anti-Hacker, and use the log to find the process that is opening the sequence of ports.
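The 'blinking' ports described above are the one host-side symptom a defender can look for without knowing the file name. The following script is an added example written for this page, not code from the original description or from any vendor product: it parses a constructed port-monitor log (the line format "<timestamp> OPEN|CLOSE tcp/<port>" is an assumption, as are the thresholds) and reports runs of short-lived ports in the 1xxx range that were opened in strictly ascending order.

```python
import re
from datetime import datetime

# Constructed sample log, not from the page: one line per listening-socket
# transition as a host port monitor might record it ("<ts> OPEN|CLOSE tcp/<port>").
# Ports 1031-1035 each stay open for about a second and appear in ascending
# order, which is the symptom described for Agent.b; 135 and 3389 are noise.
SAMPLE_LOG = """\
2004-05-12 10:00:00 OPEN tcp/135
2004-05-12 10:00:01 OPEN tcp/1031
2004-05-12 10:00:02 CLOSE tcp/1031
2004-05-12 10:00:02 OPEN tcp/1032
2004-05-12 10:00:03 CLOSE tcp/1032
2004-05-12 10:00:03 OPEN tcp/1033
2004-05-12 10:00:04 CLOSE tcp/1033
2004-05-12 10:00:04 OPEN tcp/1034
2004-05-12 10:00:05 CLOSE tcp/1034
2004-05-12 10:00:05 OPEN tcp/1035
2004-05-12 10:00:06 CLOSE tcp/1035
2004-05-12 10:30:00 OPEN tcp/3389
"""

# Constructed benign counter-example: long-lived listeners plus one short-lived port.
QUIET_LOG = """\
2004-05-12 09:00:00 OPEN tcp/135
2004-05-12 09:00:00 OPEN tcp/445
2004-05-12 09:05:00 OPEN tcp/1040
2004-05-12 09:05:01 CLOSE tcp/1040
"""

LINE_RE = re.compile(r"^(\S+ \S+) (OPEN|CLOSE) tcp/(\d+)$")


def parse_events(text):
    """Parse log lines into (timestamp, kind, port); unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            events.append((ts, m.group(2), int(m.group(3))))
    return events


def port_lifetimes(events):
    """Pair each OPEN with the next CLOSE of the same port.

    Returns (opened_at, port, seconds_open) sorted by open time; a port that
    never closed within the log has seconds_open = None.
    """
    open_at = {}
    lifetimes = []
    for ts, kind, port in events:
        if kind == "OPEN":
            open_at[port] = ts
        elif port in open_at:
            opened = open_at.pop(port)
            lifetimes.append((opened, port, (ts - opened).total_seconds()))
    lifetimes.extend((opened, port, None) for port, opened in open_at.items())
    lifetimes.sort(key=lambda t: (t[0], t[1]))
    return lifetimes


def find_blinking_runs(lifetimes, lo=1000, hi=1999, max_life=2.0,
                       max_gap=5.0, min_run=4):
    """Return runs of at least min_run short-lived ports in [lo, hi] that were
    opened one after another in strictly ascending numerical order.

    The thresholds are assumptions chosen for this example, not values from
    the page: a port counts as 'blinking' if it closed within max_life seconds,
    and consecutive opens more than max_gap seconds apart end the run.
    """
    runs, current = [], []
    for opened, port, life in lifetimes:
        blink = life is not None and life <= max_life and lo <= port <= hi
        if (blink and current and port > current[-1][1]
                and (opened - current[-1][0]).total_seconds() <= max_gap):
            current.append((opened, port, life))
            continue
        if len(current) >= min_run:
            runs.append([p for _, p, _ in current])
        current = [(opened, port, life)] if blink else []
    if len(current) >= min_run:
        runs.append([p for _, p, _ in current])
    return runs


def detect_agent_b_pattern(log_text):
    """Convenience wrapper: ascending-port runs found in a raw log."""
    return find_blinking_runs(port_lifetimes(parse_events(log_text)))


if __name__ == "__main__":
    for name, log in (("sample", SAMPLE_LOG), ("quiet", QUIET_LOG)):
        print(name, detect_agent_b_pattern(log))
```

A run of ascending, short-lived ports is the trigger; a single short-lived port or long-lived listeners on well-known ports are ignored. Once the run is found, the firewall log entries for those ports identify the owning process, which is what the removal steps above need.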
I-Worm.Bagle.aa
Description I-Worm.Bagle.aa
This worm spreads via the Internet as an attachment to infected messages, and also via file-sharing networks. It is packed using UPX and PEX. The unpacked file is approximately 66KB in size. The file contains a ZIP archive which contains the complete source code of the worm.

Installation
Once launched, the worm copies itself to the Windows system directory as loader_name.exe, and registers this file in the system registry, to ensure the file is run every time the system is started:

[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"reg_key" = "%system%\loader_name.exe"

The worm also creates 2 additional keys in the Windows system registry:

loader_name.exeopen
loader_name.exeopenopen

Propagation
The worm searches disks for files with the following extensions:

adb asp cfg cgi dbx dhtm eml htm jsp mbx mdx mht mmf msg nch ods oft php pl sht shtm stm tbb txt uin wab wsh xls xml

and sends itself to all email addresses harvested from these files. It uses its own SMTP server to send messages.

Infected messages:

Message header (chosen from the list below):
Re: Msg reply
Re: Hello
Re: Yahoo!
Re: Thank you!
Re: Thanks :)
RE: Text message
Re: Document
Incoming message
Re: Incoming Message
RE: Incoming Msg
RE: Message Notify
Notification
Changes..
Update
Fax Message
Protected message
RE: Protected message
Forum notify
Site changes
Re: Hi
Encrypted document

Message body (chosen from the list below):
Read the attach.
Your file is attached.
More info is in attach
See attach.
Please, have a look at the attached file.
Your document is attached.
Please, read the document.
Attach tells everything.
Attached file tells everything.
Check attached file for details.
Check attached file.
Pay attention at the attach.
See the attached file for details.
Message is in attach
Here is the file.

Attachment name (chosen from the list below):
Information
text_document
Updates
Readme
Document
Info
MoreInfo
Message

Attachment extension (chosen from the list below):
exe
scr
com
zip
vbs
hta
cpl

If the attached file has the extension .hta, the size of the attached file will be approximately 208KB. If the attached file has the extension .vbs, the size of the attached file will be approximately 211KB.

The worm is capable of sending itself in a password-protected zip archive. In such cases the password is shown in the message body, either as text or as an image.

It does not send infected messages to addresses which contain any of the strings listed below:
@hotmail
@msn
@microsoft
rating@
f-secur
news
update
anyone@
bugs@
contract@
feste
gold-certs@
help@
info@
nobody@
noone@
kasp
admin
icrosoft
support
ntivi
unix
bsd
linux
listserv
certific
sopho
@foo
@iana
free-av
@messagelab
winzip
google
winrar
samples
abuse
panda
cafee
spam
pgp
@avp.
noreply
local
root@
postmaster@

Propagation via P2P networks
The worm searches disks for folders whose name contains the string 'shar' and copies itself several times to all such folders found. Copies are made under the following names:
Microsoft Office 2003 Crack, Working!.exe
Microsoft Office XP working Crack, Keygen.exe
Microsoft Windows XP, WinXP Crack, working Keygen.exe
Porno Screensaver.scr
Porno, sex, oral, anal cool, awesome!!.exe
Porno pics arhive, xxx.exe
Serials.txt.exe
KAV 5.0
Kaspersky Antivirus 5.0
Windown Longhorn Beta Leak.exe
Windows Sourcecode update.doc.exe
XXX hardcore images.exe
Opera 8 New!.exe
WinAmp 5 Pro Keygen Crack Update.exe
WinAmp 6 New!.exe
Matrix 3 Revolution English Subtitles.exe
Adobe Photoshop 9 full.exe
Ahead Nero 7.exe
ACDSee 9.exe

Remote administration
The worm opens port 1234 and listens for commands on it. The backdoor function makes it possible for the source code of the worm to be remotely mass-mailed at any time.

Other
The worm is programmed to cease activity and delete itself after 7th July 2004.
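The subject, body, attachment-name and extension lists above are fixed, so a mail gateway can match them directly; the address exclusion list matters for defenders too, because a trap mailbox whose address contains 'abuse', 'spam', 'admin', 'support' or 'postmaster@' would never receive a copy of the worm. The following script is an added example written for this page, not code from the original description or from the worm itself: it transcribes the lists from the text, parses a constructed MIME message in the worm's style, and reports which lures it matches. The case-insensitive substring test used for the exclusion list, and the sample message, are assumptions made here.

```python
import email
from email import policy
from email.message import EmailMessage

# Lure strings and the address exclusion list, transcribed from the description above.
SUBJECTS = {
    "Re: Msg reply", "Re: Hello", "Re: Yahoo!", "Re: Thank you!", "Re: Thanks :)",
    "RE: Text message", "Re: Document", "Incoming message", "Re: Incoming Message",
    "RE: Incoming Msg", "RE: Message Notify", "Notification", "Changes..", "Update",
    "Fax Message", "Protected message", "RE: Protected message", "Forum notify",
    "Site changes", "Re: Hi", "Encrypted document",
}
BODIES = {
    "Read the attach.", "Your file is attached.", "More info is in attach", "See attach.",
    "Please, have a look at the attached file.", "Your document is attached.",
    "Please, read the document.", "Attach tells everything.",
    "Attached file tells everything.", "Check attached file for details.",
    "Check attached file.", "Pay attention at the attach.",
    "See the attached file for details.", "Message is in attach", "Here is the file.",
}
ATTACH_NAMES = {"Information", "text_document", "Updates", "Readme", "Document",
                "Info", "MoreInfo", "Message"}
ATTACH_EXTS = {"exe", "scr", "com", "zip", "vbs", "hta", "cpl"}
SKIP_SUBSTRINGS = [
    "@hotmail", "@msn", "@microsoft", "rating@", "f-secur", "news", "update", "anyone@",
    "bugs@", "contract@", "feste", "gold-certs@", "help@", "info@", "nobody@", "noone@",
    "kasp", "admin", "icrosoft", "support", "ntivi", "unix", "bsd", "linux", "listserv",
    "certific", "sopho", "@foo", "@iana", "free-av", "@messagelab", "winzip", "google",
    "winrar", "samples", "abuse", "panda", "cafee", "spam", "pgp", "@avp.", "noreply",
    "local", "root@", "postmaster@",
]


def worm_would_skip(address):
    """True if the worm would refuse to mail this address.

    Assumption: 'addresses which contain any of the lines' is modelled as a
    case-insensitive substring test.
    """
    addr = address.lower()
    return any(s in addr for s in SKIP_SUBSTRINGS)


def bagle_aa_indicators(raw_message):
    """Return (kind, value) pairs for every Bagle.aa lure found in a raw RFC 822 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    hits = []
    subject = str(msg["Subject"] or "").strip()
    if subject in SUBJECTS:
        hits.append(("subject", subject))
    text_part = msg.get_body(preferencelist=("plain",))
    text = text_part.get_content() if text_part is not None else ""
    for line in text.splitlines():
        if line.strip() in BODIES:
            hits.append(("body", line.strip()))
            break
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        stem, _, ext = name.rpartition(".")
        if stem in ATTACH_NAMES and ext.lower() in ATTACH_EXTS:
            hits.append(("attachment", name))
    return hits


def constructed_sample():
    """Build a constructed message in the worm's style (sample input, not a real capture)."""
    m = EmailMessage()
    m["From"] = "someone@example.net"
    m["To"] = "alice@example.org"
    m["Subject"] = "Re: Thank you!"
    m.set_content("Read the attach.\n")
    # Attachment bytes are a placeholder, not the worm; only the name is inspected.
    m.add_attachment(b"PK\x03\x04placeholder", maintype="application",
                     subtype="zip", filename="Information.zip")
    return m.as_string()


if __name__ == "__main__":
    print(bagle_aa_indicators(constructed_sample()))
    for addr in ("alice@example.org", "abuse@example.org", "bob@hotmail.com"):
        print(addr, "skipped" if worm_would_skip(addr) else "targeted")
```

Matching on the attachment name and extension is what remains when the worm ships as a password-protected zip: the gateway cannot open the archive, and when the password is delivered as an image even a body-text rule will not see it.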
I-Worm.Bagle.ah
Description I-Worm.Bagle.ah
This worm is almost identical to I-Worm.Bagle.ai. It differs from Bagle.ai only in its size, the name of the file it creates, and the corresponding registry key. It creates a file named sysxp.exe, rather than winxp.exe.