|Typical Symptoms||Information leak|
|Discovered||[korea] 0000-00-00|
|Scan engine needed||2011-08-09 [Able to detect & repair]|
Backdoor.Win32.S.Agent.49699 does not spread by itself; it is downloaded from hacked sites or by other malicious code such as spyware, adware, droppers, etc.
1) Backdoor.Win32.S.Agent.49699 is a variant of the remote tool Ghost RAT.
2) Backdoor.Win32.S.Agent.49699 runs by being loaded into RUNDLL32.EXE.
[PIC 1] rundll32.exe Load
3) Backdoor.Win32.S.Agent.49699 runs by registering itself as a service.
[PIC 2] Add to registry
4) Backdoor.Win32.S.Agent.49699 performs malicious actions such as print screen, file transfer, keyboard & mouse control, etc.
[PIC 3] Print screen
[PIC 4] Keyboard & Mouse control
[PIC 5] Data transfer
[PIC 6] File transfer type
5) Backdoor.Win32.S.Agent.49699 appears to connect to a C&C server located in China and performs additional malicious actions via a remote session.
[PIC 7] Network access
[How to repair]
Repairable by ViRobot engine ver.2011-08-09.03 or above.