
Backdoor:BAT/Agent.H


First posted on 29 February 2012.
Source: Microsoft

Aliases:

There are no other names known for Backdoor:BAT/Agent.H.

Explanation:

Backdoor:BAT/Agent.H is a trojan that allows backdoor access and control of an affected computer. In the wild, we have observed the trojan dropping TrojanProxy:JS/Banker.L, which may redirect the user's browser traffic through an attacker-controlled proxy server.





Installation

When Backdoor:BAT/Agent.H is run, it drops the following files:

  • %UserProfile%\local settings\temp\y.db
  • %UserProfile%\local settings\temp\t <random number>.vbs
  • %UserProfile%\local settings\temp\<computer name>.txt - detected as TrojanProxy:JS/Banker.L


Payload

Allows backdoor access and control

Backdoor:BAT/Agent.H attempts to connect to the following URL:

sivellongrupp.ee/googles.php?a=<user name>&b=<computer name>

An attacker can perform any number of different actions on an affected computer using this backdoor. This could include, but is not limited to, the following actions:

  • Download and execute arbitrary files
  • Upload files
  • Log keystrokes or steal sensitive data
  • Modify system settings
  • Run or terminate applications
  • Delete files


The backdoor modifies settings in Mozilla Firefox with the following configuration file:

prefs.js

This allows the backdoor to intercept communication between an infected computer and certain websites, which may result in the theft of log-on credential details or other sensitive information.

Successful execution of these two threats (Backdoor:BAT/Agent.H and TrojanProxy:JS/Banker.L) may result in the following websites being monitored:

  • americanexpress.com
  • americanexpress.com.br
  • bancobrasil.com.br
  • bancodobrasil.com.br
  • bancoreal.com.br
  • bb.com
  • bb.com.br
  • bradesco.com
  • bradesco.com.br
  • bradescoprime.com.br
  • cetelem.com.br
  • citibank.com.br
  • credicard.com.br
  • gmail.com
  • gmail.com.br
  • hotmail.com
  • hotmail.com.br
  • hsbc.com
  • hsbc.com.br
  • itau.com.br
  • itaupersonnalite.com.br
  • itauprivatebank.com.br
  • itauuniclass.com
  • itauuniclass.com.br
  • paypal.com
  • paypal.com.br
  • real.com.br
  • santander.com.br
  • santanderbanespa.com.br
  • santanderempresarial.com.br
  • serasa.com.br
  • serasaexperian.com.br
  • sicredi.com.br
  • tam.com.br


If the user is observed visiting any of the above URLs, the backdoor may contact one of the following proxy servers to facilitate information theft or redirect web traffic:

  • me.firepackets.org:80
  • mi.firepackets.org:80




Analysis by Hyun Choi

Last update 29 February 2012
