W32/Agent.bu

Type: Trojan
Size: 12660 bytes
Systems Affected: Windows 98, 95, Me, 2000, XP, NT
Also Known As:

Trojan-Proxy.Win32.Agent.da (Kaspersky), W32.Buchon.A@mm (Norton)

Characteristics :

1) Opens a backdoor on TCP port 28000 - 28500, which allows the infected computer to be used as an email relay.


2) Uses its own SMTP engine to send infected email with the following characteristics:

2-1) The email has the following characteristics:

From :

◊ [spoofed] email address chosen at random from the email addresses collected from the computer

Subject :

◊ Mail Delivery failure - [email_address@domain.com]

Body :

If the message will not displayed automatically, you can check original in attached message.txt.

Failed message also saved at: www.[domain.com]/inbox/security/read.asp?sessionid-(random 4 digit number)
(check attached instructions)

Attachment :

◊ "message txt (random number of spaces) mcafee.com"


2-2) Retrieves email addresses from files with the following extensions:

.dat .dbx .eml .mbx .mdb .tbb .wab

3) Creates the following files:

◊ %root%\csrss.exe


Copyright © 1994-2008 Imen Computer Virology Laboratory I.C.V.L .
All Rights Reserved .
Mehran Rayaneh Engineering Co.