Win32/Agent.BEA

Created: 2009-09-10, 16:33:38
Last updated on: 2010-11-26, 09:43:48

Platform: Win32
Type: trojan
Size: 40448
Date: 2008-12-12

Endangered operating system(s): Windows 95, Windows 98, Windows Me, Windows NT, Windows 2000 all...
Non-endangered operating system(s): Windows 3.xx, DOS, Linux, Unix, Solaris all...

Naming

Different antivirus applications use different names for individual viruses and worms. Sometimes an antivirus application identifies different copies of the same malware under different names, or identifies different viruses and worms under the same name. The informative list below contains the names given to this malware by the most popular antivirus applications. The names can vary between versions of the same antivirus application.

Antivirus            Naming
Avast                Win32:Agent-LMG
AVG                  SHeur.CREY
Avira                TR/Agent.aqo.63
BitDefender          Trojan.Generic.1227741
e-Trust              Win32/Cropo.C
F-PROT               W32/Downloader_Small.B!Gen
Fortinet             W32/Alureon.fam!tr
F-Secure             Packed:W32/TDSS.gen!F
Ikarus               Trojan.Win32.Alureon
Kaspersky            Trojan.Win32.Small.yre
McAfee               DNSChanger.ac
NOD32 (ESET)         Win32/Agent.BEA
Microsoft            Trojan:Win32/Cropo.gen!A
Norton Antivirus     Downloader
Panda                Generic Trojan
Rising Antivirus     Trojan.Proxy.Win32.Agent.mh
Sophos               Troj/Agent-GMX
Trend Micro          WORM_ALUREON.DEN
VirusBuster          Trojan.Alureon.Gen!Pac

Installation

The main purpose of viruses and worms spreading on the Internet and local networks is to infect other computers. After infection, malware can modify the system so that its code is launched after a reboot. For this purpose malware usually creates files in the operating system's directories and modifies the registry so that the operating system executes the malware code as well. It may also create files in other areas (directories) of the file system. Viruses and worms may also create AUTORUN.INF files in the root directories of drives. In this case, according to the default settings of Windows, the malware is executed automatically once the user opens the root directory of the particular drive.

The Win32/Agent.BEA trojan creates the file vmmreg32.exe in the Windows folder (default: C:\Windows).

The Win32/Agent.BEA trojan creates the file rasphone.dll in the Windows System32 folder (default: C:\Windows\System32).



The Win32/Agent.BEA trojan creates the following entries in the registry, or modifies them if they already exist:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Microsoft Visual Studio"="C:\WINDOWS\vmmreg32.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs"="C:\WINDOWS\system32\rasphone.dll"
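
A defender-side check for the entries listed above, as an added example that is not part of the original description: it parses the text of a registry export (.reg) and reports the Run value and AppInit_DLLs data that reference the file names given on this page, plus any other non-empty AppInit_DLLs value for review. The sample export, the ExampleUpdater entry and all function names are constructed for illustration.

```python
import re

# Indicators from this page; registry key and value names are case-insensitive.
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
WIN_KEY = r"hkey_local_machine\software\microsoft\windows nt\currentversion\windows"
PAGE_FILES = {"vmmreg32.exe", "rasphone.dll"}
# "name"="data" string values; backslash and quote are backslash-escaped.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def parse_reg(text):
    """Yield (key, value_name, data) for each string value in a .reg export."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := VALUE_RE.match(line)):
            yield (key, *(re.sub(r"\\(.)", r"\1", g) for g in m.groups()))

def basenames(data):
    """File names referenced in a command line or a space/comma separated list."""
    return {re.split(r"[\\/]", tok)[-1].lower()
            for tok in re.split(r'[\s,"]+', data) if tok}

def find_indicators(text):
    """Return (severity, key, value_name, data) tuples for autostart entries."""
    findings = []
    for key, name, data in parse_reg(text):
        k, hits = key.lower(), basenames(data) & PAGE_FILES
        if k == RUN_KEY and hits:
            findings.append(("match", key, name, data))
        elif k == WIN_KEY and name.lower() == "appinit_dlls" and data.strip():
            # DLLs listed here are loaded into processes that load user32.dll.
            findings.append(("match" if hits else "review", key, name, data))
    return findings

# Constructed sample export (real exports are UTF-16; decode before parsing).
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Visual Studio"="C:\\WINDOWS\\vmmreg32.exe"
"ExampleUpdater"="\"C:\\Program Files\\Example\\updater.exe\" /silent"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\WINDOWS\\system32\\rasphone.dll"
'''

if __name__ == "__main__":
    for finding in find_indicators(SAMPLE):
        print(*finding, sep=" | ")
```

A "review" result means AppInit_DLLs is populated with something other than the DLL named here; legitimate software sometimes sets it, so confirm the file before acting.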


Backdoor

Viruses and worms increasingly open backdoors on the attacked computer, allowing the attacker to take full control of the machine. The attacker can then do whatever s/he wants on the computer: run or stop programs and applications, upload or download files, and steal passwords and access codes.

The trojan connects to the s2.jorbanblack.com web page.