Win32/Agent.ABF [Threat Name]

Win32/Agent.ABF [Threat Variant Name]

Category trojan
Detection created Jul 25, 2006
Detection database version 1678
Aliases Trojan.Win32.Agent.abf (Kaspersky), BackDoor-DKH (McAfee)
Short description

Win32/Agent.ABF is a trojan that steals sensitive information.

Installation

The following files are dropped into the %system% folder:

  • CelInDriver.sys
  • windhcp.ocx

The following Registry entries are set:

  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CelInDrv]
    • "Type" = "1"
    • "ErrorControl" = "0"
    • "Start" = "4"
    • "ImagePath" = "\??\%system32%\CelInDriver.sys"
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDHCPsvc]
    • "Type" = "16"
    • "Start" = "2"
    • "ErrorControl" = "0"
    • "ImagePath" = "%system32%\rundll32.exe windhcp.ocx,start"
    • "DisplayName" = "Windows DHCP Service"
    • "ObjectName" = "LocalSystem"
    • "Description"
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDHCPsvc\Security]
    • "Security"
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CELINDRV]
    • "NextInstance" = "1"
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CELINDRV\0000]
    • "Service" = "CelInDrv"
    • "Legacy" = "1"
    • "ConfigFlags" = "0"
    • "Class" = "LegacyDriver"
    • "ClassGUID" = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
    • "DeviceDesc" = "CelInDrv"
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CELINDRV\0000\Control]
    • "*NewlyCreated*" = "0"
    • "ActiveService" = "CelInDrv"
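The installation artifacts above (two dropped files, a kernel driver service registration, and a rundll32-hosted service whose DisplayName imitates the Windows DHCP client) are all things a responder can audit without running the sample. The following read-only PowerShell check is an added example, not code from the ESET entry; it uses only the file names, service names, value names and paths listed on this page, and the last loop goes beyond this variant by listing any service whose ImagePath launches rundll32.exe with an .ocx, which is the same hosting trick generalised (the output layout is my own choice).

```powershell
# Added example (not part of the ESET entry): read-only audit of the
# Win32/Agent.ABF installation artifacts listed above. No changes are made.

$system32 = Join-Path $env:SystemRoot 'System32'

# Files dropped into %system% according to the Installation section
$droppedFiles = @('CelInDriver.sys', 'windhcp.ocx') | ForEach-Object { Join-Path $system32 $_ }

# Service keys from the page and the ImagePath pattern that identifies each one
$serviceChecks = @(
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\CelInDrv';   Pattern = 'CelInDriver\.sys' }
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\WinDHCPsvc'; Pattern = 'rundll32\.exe\s+windhcp\.ocx,start' }
)

# Enum\Root\LEGACY_* entry that the driver registration leaves behind
$legacyKey = 'HKLM:\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CELINDRV'

$findings = @()

foreach ($f in $droppedFiles) {
    if (Test-Path -LiteralPath $f) {
        $item = Get-Item -LiteralPath $f
        $findings += [pscustomobject]@{
            Type     = 'File'
            Location = $f
            Detail   = "size=$($item.Length) lastWrite=$($item.LastWriteTime)"
        }
    }
}

foreach ($c in $serviceChecks) {
    if (Test-Path -LiteralPath $c.Key) {
        $props = Get-ItemProperty -LiteralPath $c.Key -ErrorAction SilentlyContinue
        $image = [string]$props.ImagePath
        # Start=2 is auto-start, Start=4 is disabled; Type=1 kernel driver, Type=16 own-process service
        $findings += [pscustomobject]@{
            Type     = 'Service'
            Location = $c.Key
            Detail   = "ImagePath='$image' Start=$($props.Start) Type=$($props.Type) matchesVariant=$($image -match $c.Pattern)"
        }
    }
}

if (Test-Path -LiteralPath $legacyKey) {
    $findings += [pscustomobject]@{
        Type     = 'LegacyEnum'
        Location = $legacyKey
        Detail   = 'Root\LEGACY_* entry created when the CelInDrv driver service was registered'
    }
}

# Generalised check: any service hosted by rundll32.exe loading an .ocx, not only WinDHCPsvc.
# Legitimate services are almost never registered this way, so each hit deserves a look.
Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue | ForEach-Object {
    $p = Get-ItemProperty -LiteralPath $_.PSPath -ErrorAction SilentlyContinue
    if ($p.ImagePath -and ([string]$p.ImagePath) -match 'rundll32\.exe\s+\S+\.ocx') {
        $findings += [pscustomobject]@{
            Type     = 'Rundll32Service'
            Location = $_.PSPath -replace '^.*::', ''
            Detail   = "DisplayName='$($p.DisplayName)' ImagePath='$($p.ImagePath)' ObjectName='$($p.ObjectName)'"
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Win32/Agent.ABF installation artifacts found.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

Run it from an elevated prompt so that the Services and Enum keys are fully readable; a hit in the Service rows with matchesVariant=True, together with either dropped file present, corresponds exactly to the installation described here, while a Rundll32Service hit on its own is a hunting lead rather than a confirmed detection.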
Information stealing

The trojan collects various information when a certain application is being used.

The trojan can send the collected information to a remote machine over HTTP.
