Social Networks Follow us on Twitter Like us on Facebook You Tube Channel
Threat Encyclopedia Mobile Page
Quick Links
  • Save & Share
  • Choose your country:
BKDR_AGENT.AGV

Malware type: Backdoor

Aliases: Trojan-Proxy.Win32.Ranky.fn (Kaspersky), Proxy-Piky (McAfee), Backdoor.Ranky.X (Symantec), TR/Proxy.Bary.FL (Avira), Troj/Ranck-EN (Sophos), TrojanProxy:Win32/Ranky.gen (Microsoft)

In the wild: Yes

Destructive: No

Language: English

Platform: Windows 98, ME, NT, 2000, XP, Server 2003

Encrypted: No

Overall risk rating:

Reported infections:

Damage potential:

High

Distribution potential:

Low

Description: 

To get a one-glance comprehensive view of the behavior of this backdoor, refer to the Behavior Diagram shown below.

BKDR_AGENT.AGV  Behavior Diagram

Malware Overview

This backdoor arrives as a file downloaded from the Internet by an unsuspecting user when visiting malicious Web sites. It can also arrive as a file dropped by another malware.

It opens random ports to allow a remote malicious user access on an affected system. Once connected, the said remote user can issue certain commands locally on the machine, thus compromising system security.

This backdoor also modifies certain registry entries to do certain file manipulation actions. For one, it hides file extension names to prevent its early detection and consequent removal from the affected system. Secondly, it hides with Hidden and System attributes, usually system files, to increase their chances of accidental deletion or modification. It also attempts to disable the Folder Options in the Tools drop-down menu to prevent the user from undoing its file display set-up.

Furthermore, it disables a number of system services like SharedAccess and NetManager, preventing a user to perform certain activities. It also disables Windows File Protection as part of its malicious routine.

For additional information about this threat, see:

Description created: Jun. 26, 2006 6:54:36 AM GMT -0800


Minimum scan engine version needed: 7.500

Pattern file needed: 3.528.13

Pattern release date: Jun 24, 2006


Important note: The "Minimum scan engine" refers to the earliest Trend Micro scan engine version guaranteed to detect this threat. However, Trend Micro strongly recommends that you update to the latest version in order to get comprehensive protection. Download the latest scan engine here.

Solution:

Terminating the Malware Program

Since this malware uses a file name that is also the file name of a legitimate process, it is necessary to use third party process viewers such as Process Explorer, to isolate the malware process itself.

If the process you are looking for is not in the list displayed by Process Explorer, proceed to the succeeding solution set.

  1. Download Process Explorer.
  2. Extract the contents of the compressed (ZIP) file to a location of your choice.
  3. Execute Process Explorer by double-clicking procexp.exe.
  4. In the Process Explorer window, locate the process:
    SERVICES.EXE
  5. Right-click the malware process, and choose Properties.
  6. Check if the value for the Current Directory is the following:
    %Windows%
    (Note: %Windows% is the default Windows folder, usually C:\Windows or C:\WINNT.)
  7. If yes, then right-click on the malware process, and click Kill Process Tree.
  8. Close Process Explorer.

*NOTE: On computers running all Windows platforms, if the process you are looking for is not in the list displayed by Process Explorer, continue with the next solution procedure, noting additional instructions. If the malware process is in the list displayed by Process Explorer, but you are unable to terminate it, restart your computer in safe mode.

Editing the Registry

This malware modifies the computer's registry. Users affected by this malware may need to modify or delete specific registry keys or entries. For detailed information regarding registry editing, please refer to the following articles from Microsoft:

  1. HOW TO: Backup, Edit, and Restore the Registry in Windows 95, Windows 98, and Windows ME
  2. HOW TO: Backup, Edit, and Restore the Registry in Windows NT 4.0
  3. HOW TO: Backup, Edit, and Restore the Registry in Windows 2000
  4. HOW TO: Back Up, Edit, and Restore the Registry in Windows XP and Server 2003

Removing and Restoring Autostart Entries from the Registry

Removing and restoring autostart entries from the registry prevents the malware from executing at startup.

If the registry entries below are not found, the malware may not have executed as of detection. If so, proceed to the succeeding solution set.

  1. Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
  2. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>
    Windows>CurrentVersion>Run
  3. In the right panel, locate and delete the entry:
    Microsoft (R) Windows Protected Content Restoration Service =
    "%Windows%\etc\services.exe"
  4. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>
    Services
  5. In the left panel, locate and delete the key:
    ProtectedContentSvc
  6. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>
    Windows NT>CurrentVersion>Winlogon
  7. In the right panel, locate the entry:
    Shell = "Explorer.exe %Windows%\etc\services.exe"
  8. Right-click on this registry entry and choose Modify. Change the value of this entry to:
    Shell = "Explorer.exe"
  9. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>
    Windows NT>CurrentVersion>Winlogon
  10. In the right panel, locate the entry:
    Userinit = "%System%\userinit.exe,%Windows%\etc\services.exe"
    (Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)
  11. Right-click on this registry entry and choose Modify. Change the value of this entry to:
    Userinit = "%System%\userinit.exe"
  12. In the left panel, double-click the following:
    HKEY_USERS>.DEFAULT>Software>Microsoft>
    Windows NT>CurrentVersion>Windows
  13. In the right panel, locate the entry:
    Load = "%Windows%\etc\services.exe"
  14. Right-click on this registry entry and choose Modify. Change the value of this entry to:
    Load = ""

Enabling Services

  1. Still in the Registry Editor, in the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>
    Services>Alerter
  2. In the right panel, locate the entry:
    Start = "dword:00000004"
  3. Right-click on this registry entry and choose Modify. Change the value of this entry to:
    Start = "dword:00000003"
  4. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>
    Services>ALG
  5. In the right panel, locate the entry:
    Start = "dword:00000004"
  6. Right-click on this registry entry and choose Modify. Change the value of this entry to:
    Start = "dword:00000003"
  7. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>
    Services>ERSvc
  8. In the right panel, locate the entry:
    Start = "dword:00000004"
  9. Right-click on this registry entry and choose Modify. Change the value of this entry to:
    Start = "dword:00000002"
  10. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>
    Services>helpsvc
  11. In the right panel, locate the entry:
    Start = "dword:00000004"
  12. Right-click on this registry entry and choose Modify. Change the value of this entry to:
    Start = "dword:00000002"
  13. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>
    Services>Messenger
  14. In the right panel, locate the entry:
    Start = "dword:00000004"
  15. Right-click on this registry entry and choose Modify. Change the value of this entry to:
    Start = "dword:00000002"
  16. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>
    Services>RemoteRegistry
  17. In the right panel, locate the entry:
    Start = "dword:00000004"
  18. Right-click on this registry entry and choose Modify. Change the value of this entry to:
    Start = "dword:00000002"
  19. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>
    Services>SamSs
  20. In the right panel, locate the entry:
    Start = "dword:00000004"
  21. Right-click on this registry entry and choose Modify. Change the value of this entry to:
    Start = "dword:00000002"
  22. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>
    Services>SENS
  23. In the right panel, locate the entry:
    Start = "dword:00000004"
  24. Right-click on this registry entry and choose Modify. Change the value of this entry to:
    Start = "dword:00000002"
  25. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>
    Services>SharedAccess
  26. In the right panel, locate the entry:
    Start = "dword:00000004"
  27. Right-click on this registry entry and choose Modify. Change the value of this entry to:
    Start = "dword:00000003"
  28. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>
    Services>srservice
  29. In the right panel, locate the entry:
    Start = "dword:00000004"
  30. Right-click on this registry entry and choose Modify. Change the value of this entry to:
    Start = "dword:00000002"
  31. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>
    Windows NT>CurrentVersion>Winlogon
  32. In the right panel, locate the entry:
    SFCDisable = "dword:00000004"
  33. Right-click on this registry entry and choose Modify. Change the value of this entry to:
    SFCDisable = "dword:00000000"
  34. In the left panel, double-click the following:
    HKEY_CURRENT_USER>Software>Microsoft>
    Windows>CurrentVersion>Explorer
  35. In the right panel, locate and delete the entry:
    NoFolderOptions = "dword:00000001"
  36. In the left panel, double-click the following:
    HKEY_CURRENT_USER>Software>Microsoft>
    Windows>CurrentVersion>Explorer>Advanced
  37. In the right panel, locate the entry:
    Hidden = "dword:00000000"
  38. Right-click on this registry entry and choose Modify. Change the value of this entry to:
    Hidden = "dword:00000001"
  39. In the left panel, double-click the following:
    HKEY_CURRENT_USER>Software>Microsoft>
    Windows>CurrentVersion>Explorer>Advanced
  40. In the right panel, locate the entry:
    ShowSuperHidden = "dword:00000000"
  41. Right-click on this registry entry and choose Modify. Change the value of this entry to:
    ShowSuperHidden = "dword:00000001"
  42. In the left panel, double-click the following:
    HKEY_CURRENT_USER>Software>Microsoft>
    Windows>CurrentVersion>Explorer>Advanced
  43. In the right panel, locate the entry:
    HideFileExt = "dword:00000001"
  44. Right-click on this registry entry and choose Modify. Change the value of this entry to:
    HideFileExt = "dword:00000000"
  45. Close Registry Editor.

Important Windows ME/XP Cleaning Instructions

Users running Windows ME and XP must disable System Restore to allow full scanning of infected computers.

Users running other Windows versions can proceed with the succeeding solution set(s).

Running Trend Micro Antivirus

If you are currently running in safe mode, please restart your computer normally before performing the following solution.

Scan your computer with Trend Micro antivirus and delete files detected as BKDR_AGENT.AGV. To do this, Trend Micro customers must download the latest virus pattern file and scan their computer. Other Internet users can use HouseCall, the Trend Micro online virus scanner.




Trend Micro offers best-of-breed antivirus and content-security solutions for your corporate network, small and medium business, mobile device or home PC.