TrojanProxy.Win32.Bobax.a
Description TrojanProxy.Win32.Bobax.a
This Trojan program makes it possible for the infected machine to be used as a proxy server. Bobax uses a vulnerability in Microsoft LSASS to propagate on command. The Trojan is written in Microsoft Visual C++, and the body is encrypted. It runs under Windows, and is 20480 bytes in size.

Installation

When loading, Bobax decrypts its body and saves it as a .dll file in the temporary directory under the random name ~xxxx.tmp, with xxxx being replaced by a random hexadecimal value. This .dll file is the main Trojan component; it is packed using UPX, and is 17920 bytes in size.

When the .dll file is loaded, the executable component copies itself to the Windows system directory under a name which is a string of symbols chosen at random. It creates the mutex 00:24:03:54A9D in the computer memory to flag its presence in the system, and writes itself to the system registry as an auto-run key:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"[Random key name]" = "[Path to executable file]"

The key name is a random number in hexadecimal format.

Payload

The Trojan receives commands from web servers, making it possible for:

- the current version of the Trojan to be updated
- programs to be downloaded to the victim machine, and then executed
- the Trojan to propagate using a vulnerability in Microsoft LSASS
- mass mailings to be carried out from the victim machine
- the author of the program to get information about the victim machine
Backdoor.Agent.b
Description Backdoor.Agent.b
Agent.b is a classic Trojan backdoor that opens the infected machine to remote access. This backdoor is a Windows PE exe file written in Visual C. Agent.b is packed with two packers: Morphine and UPX. The file size is 38 KB packed and 104 KB unpacked. Agent.b is controlled over IRC channels. The controller can download and execute files on the infected machine.

Payload

Agent.b opens a random port in the 1xxx range for about a second, and then continues opening the next port in ascending numerical order. The infected machine sees only ports 'blinking' in ascending order.

Removal

If you know the name of the file containing the Backdoor, you can delete it after you stop the active processes in RAM using the Windows Task Manager. Once the process has been stopped, you can then delete the file. If you cannot identify the name of the active process, you need to install a firewall, such as Kaspersky Anti-Hacker, which will monitor open ports and provide a log.
Backdoor.Agobot.a
Description Backdoor.Agobot.a
Backdoor.Agobot (also known as PhatBot) is a Trojan program which provides the author/user with remote access to the victim machine. It is managed via IRC. It has a wide range of functionalities:

- will not work with a debugger running or under VMware
- it can run both as a standard application and as a service (when running under Windows NT/2000/XP)
- when copying itself to the Windows system folder (on first being launched) it attempts to encode the copy and write the decoder to the body of the copy (polymorphic code)
- adds to the HOSTS file the IP address 127.0.0.1 for the sites of some antivirus companies (to hinder the updating of antivirus databases)
- monitors the network and copies all interesting packets (e.g. packets containing passwords for FTP servers, e-payment systems such as PayPal etc.)
- scans other computers for the presence of common vulnerabilities such as DCOM RPC, UPnP, WebDAV and others, and then installs itself on the vulnerable machine
- searches the victim machine for AOL logs, passwords for certain computer games, and email addresses, and sends all this information to its author/user
- conducts DoS attacks (SYN-flood, Targa and others)
- launches proxy servers on the victim machine (HTTP, HTTPS, SOCKS, BNC and others)
- expedites the uploading of additional modules (plug-ins)
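The HOSTS file change described above can be checked for directly. The following is an added example, not part of the original description: a Python check that lists every non-local hostname a hosts file pins to a loopback address. The sample file, the vendor domains in it and the watch_suffixes parameter are constructed for illustration.

```python
import ipaddress

# Names that legitimately resolve to loopback in a stock hosts file.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback"}

# Constructed sample; the vendor domains are placeholders, not taken from the page.
SAMPLE_HOSTS = """\
# Copyright (c) Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       updates.av-vendor.example   www.av-vendor.example
127.0.0.1 download.other-av.example # trailing comment
10.0.0.5        fileserver.corp.example
not-an-ip       broken.line.example
"""

def find_loopback_redirects(hosts_text, watch_suffixes=()):
    """Return (line_no, address, hostname, watched) for each non-local
    hostname that the hosts file pins to a loopback address."""
    findings = []
    for line_no, raw in enumerate(hosts_text.splitlines(), start=1):
        # Drop comments, then split into address + one or more hostnames.
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an IP address: skip the line
        if not addr.is_loopback:
            continue
        for name in fields[1:]:
            host = name.lower().rstrip(".")
            if host in LOCAL_NAMES:
                continue
            # watched=True when the host falls under a caller-supplied suffix.
            watched = any(host == s or host.endswith("." + s) for s in watch_suffixes)
            findings.append((line_no, str(addr), host, watched))
    return findings

if __name__ == "__main__":
    for line_no, addr, host, watched in find_loopback_redirects(
            SAMPLE_HOSTS, watch_suffixes=("av-vendor.example",)):
        tag = "WATCHLIST" if watched else "review"
        print(f"line {line_no}: {host} -> {addr} [{tag}]")
```

On Windows the file to read is %SystemRoot%\System32\drivers\etc\hosts; pass its contents as hosts_text and the update domains of the installed antivirus product as watch_suffixes.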