Malware type: Backdoor

Aliases: Backdoor.Win32.Agent.ctf (Kaspersky), Proxy-Agent.af.gen (McAfee), Trojan.Asprox (Symantec), BDS/Agent.ctf.15 (Avira), Troj/AgentM-Fam (Sophos), Backdoor:Win32/Agent.ACG (Microsoft)

In the wild: Yes

Destructive: No

Language: English

Platform: Windows 98, ME, NT, 2000, XP, Server 2003

Encrypted: No

Description: 

To get a one-glance comprehensive view of the behavior of this malware, refer to the Behavior Diagram shown below.

Malware Overview

This backdoor is dropped by other malware. It can also be downloaded unknowingly by a user when visiting malicious Web sites.

Upon execution, this backdoor drops several files, some of which are also detected as BKDR_ASPROX.B.

It opens port 80 and acts as an HTTP proxy. It then connects to certain sites, and retrieves the connection time for each.

It uploads specific information to the above-mentioned Web sites, using an HTTP POST command. This backdoor also allows a remote malicious user to perform commands on the affected system.

It also retrieves commands and updates from the said sites, by parsing the HTTP page being returned by the server during upload of stolen information. The returned HTTP page is obfuscated. It searches the registry for FTP hosts, user accounts, and passwords.

It gathers email addresses on affected the system. However those addresses should satisfy certain conditions.

For additional information about this threat, see:
Solution
Technical Details

Description created: Jan. 10, 2008 12:27:23 PM GMT -0800

Search a new malware

Tell us how we did. Take our quick survey.