First posted on 01 March 2007.
Source: SecurityHome
Agent.BAO is also known as Trojan-Downloader.Win32.Agent.bao, Trojan.Downloader.Agent.ACT, TR/Dldr.Agent.bao.
Agent.BAO, a variant of Agent, is a Trojan. Agent.BAO downloads different trojans and backdoors and activates them on an affected system without the user's approval.
Agent.BAO is a trojan downloader. It connects to a specified site on the Internet and gets more malicious download links.
Upon execution, it drops a copy of itself to the following location:
 
 
It also creates a service with the following service name:
 
 
It adds the following service registry entry:

 - [HKLM\System\CurrentControlSet\Services\00Kendy Service]
   ImagePath=%sysdir%\svch0st.exe

It downloads a text file from the following site:

 - http://kkpic.net/ggg/adc/[REMOVED].txt

This text file contains download links of other malware.
Below is the list of some of the download sites gathered and the corresponding detection name of the downloaded files:

 - http://222.220.16.185/data6/j[REMOVED].exe - Packed.Win32.NSAnti.b
 - http://222.220.16.185/data6/w[REMOVED].exe - Trojan-PSW.Win32.Lmir.bdb
 - http://222.220.16.185/data6/m[REMOVED].exe - Trojan-Downloader.Win32.Small.bxa
 - http://222.220.16.185/data6/w[REMOVED].exe - Trojan-PSW.Win32.Agent.im
 - http://222.220.16.185/data6/m[REMOVED].exe - Trojan-PSW.Win32.Delf.fz
 - http://222.220.16.185/data6/j[REMOVED].exe - Backdoor.Win32.Agent.aex
 - http://222.220.16.185/data6/w[REMOVED].exe - Backdoor.Win32.Agent.aex
 - http://222.220.16.185/data6/z[REMOVED].exe - Trojan-PSW.Win32.WOW.qm
 - http://222.220.16.185/data6/q[REMOVED].exe - Trojan-PSW.Win32.QQPass.hn
 - http://222.220.16.185/data6/c[REMOVED].exe - Trojan-Dropper.Win32.Agent.ayv

Note: The download links may vary depending on the content of the downloaded text file.
Agent.BAO also creates a file named autorun.inf in the directory where the copy of the trojan is located. This is used to automatically execute the trojan when the folder is opened.
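As an added defender-side example (not code from the original advisory), the Python below checks a .reg export of the Services key for the persistence artefacts described above (the "00Kendy Service" entry and an ImagePath whose binary mimics svchost.exe) and parses an autorun.inf for the commands it would launch when the folder is opened. The registry export and autorun.inf contents are constructed samples; the lookalike heuristic (a digit 0 standing in for the letter o in svchost.exe) is a generalization of the svch0st.exe ImagePath, and %sysdir% is expanded to a concrete system directory in the sample.

```python
"""Triage helpers for the Agent.BAO persistence artefacts described above.

Added example, not code from the original advisory. The .reg export and the
autorun.inf text are constructed samples; only the service name
"00Kendy Service", the svch0st.exe ImagePath and the autorun.inf behaviour
come from the advisory.
"""
import re
from typing import Dict, List

# Indicators taken from the advisory (lower-cased for comparison).
KNOWN_BAD_SERVICE_NAMES = {"00kendy service"}
LEGITIMATE_HOST = "svchost.exe"

# Constructed .reg-style export of HKLM\System\CurrentControlSet\Services.
# In .reg files backslashes inside quoted values are doubled.
SAMPLE_REG_EXPORT = r"""
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Dnscache]
"ImagePath"="%SystemRoot%\\system32\\svchost.exe -k NetworkService"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\00Kendy Service]
"ImagePath"="C:\\WINDOWS\\system32\\svch0st.exe"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Spooler]
"ImagePath"="%SystemRoot%\\system32\\spoolsv.exe"
"""

# Constructed autorun.inf matching the behaviour the advisory describes:
# opening the folder launches the dropped binary sitting next to it.
SAMPLE_AUTORUN_INF = """[autorun]
open=svch0st.exe
shellexecute=svch0st.exe
action=Open folder to view files
icon=%SystemRoot%\\system32\\SHELL32.dll,4
"""


def parse_services(reg_text: str) -> Dict[str, str]:
    """Return {service name: ImagePath} from a .reg export of the Services key."""
    services: Dict[str, str] = {}
    current = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        key = re.match(r'^\[.*\\Services\\([^\\\]]+)\]$', line, re.IGNORECASE)
        if key:
            current = key.group(1)
            continue
        value = re.match(r'^"ImagePath"="(.*)"$', line)
        if value and current:
            # Undo the .reg doubling of backslashes.
            services[current] = value.group(1).replace("\\\\", "\\")
    return services


def image_basename(image_path: str) -> str:
    """Strip arguments and directories from an ImagePath; lower-case the binary name."""
    exe = image_path.strip('"').split(" ")[0]
    return exe.rsplit("\\", 1)[-1].lower()


def is_svchost_lookalike(binary: str) -> bool:
    """True for names that become svchost.exe once 0->o and 1->l are undone, but are not it."""
    if binary == LEGITIMATE_HOST:
        return False
    return binary.replace("0", "o").replace("1", "l") == LEGITIMATE_HOST


def flag_suspicious_services(services: Dict[str, str]) -> Dict[str, List[str]]:
    """Return {service name: [reasons]} for services matching the advisory's artefacts."""
    findings: Dict[str, List[str]] = {}
    for name, path in services.items():
        reasons = []
        if name.lower() in KNOWN_BAD_SERVICE_NAMES:
            reasons.append("service name matches advisory indicator")
        binary = image_basename(path)
        if is_svchost_lookalike(binary):
            reasons.append(f"ImagePath binary {binary} mimics {LEGITIMATE_HOST}")
        if reasons:
            findings[name] = reasons
    return findings


def autorun_targets(inf_text: str) -> List[str]:
    """Return the commands an autorun.inf would run (open, shellexecute, shell\\*\\command)."""
    targets: List[str] = []
    in_autorun = False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line.lower() == "[autorun]"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        k = key.lower()
        if k in ("open", "shellexecute") or (k.startswith("shell\\") and k.endswith("\\command")):
            targets.append(value)
    return targets


if __name__ == "__main__":
    for svc, why in flag_suspicious_services(parse_services(SAMPLE_REG_EXPORT)).items():
        print(f"[!] {svc}: {'; '.join(why)}")
    for cmd in autorun_targets(SAMPLE_AUTORUN_INF):
        print(f"[!] autorun.inf would launch: {cmd}")
```

On a live host the .reg text would come from `reg export HKLM\System\CurrentControlSet\Services`, and the autorun.inf from the folder holding the dropped copy; the parsers accept that text unchanged.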
Last update 01 March 2007