How to Prevent and Remove the Backdoor.Win32.Agent.bavr
 

1. What is Backdoor.Win32.Agent.bavr?


Backdoor.Win32.Agent.bavr is a detection name for a backdoor trojan for Windows. Once installed it gives a remote operator access to the infected machine, which is then used to collect the user's personal or confidential information for profit. In the sample analysed below it installs itself under %AppData%\FlexibleSoft\wincrtcrt41, modifies the AppInit_DLLs value (the list of DLLs that user32.dll loads into every process that links it), and talks to a web server over HTTP on port 80 through get.cgi and data.cgi requests. Manual removal is possible (section 3b) but error-prone: a DLL named in AppInit_DLLs is mapped into every running GUI process and cannot be deleted until that value is cleared and the machine restarted. For most users a reputable anti-malware scanner (section 3c) is the simpler route.

 

2. Technical Details


a. The following files were created in the system:

#   Filename(s)                                         File size
1   %AppData%\FlexibleSoft\wincrtcrt41\msftcore.dat     770 bytes
2   %AppData%\FlexibleSoft\wincrtcrt41\msftcore.dll     108,032 bytes
3   %AppData%\FlexibleSoft\wincrtcrt41\msftdm.exe       2,560 bytes (each)
    %AppData%\FlexibleSoft\wincrtcrt41\msftdm32.exe
    %Temp%\msftdm.exe
    %Temp%\msftdm32.exe
4   %AppData%\FlexibleSoft\wincrtcrt41\msfteml.dll      90,112 bytes
5   %AppData%\FlexibleSoft\wincrtcrt41\msftldr.dll      59,392 bytes
6   %AppData%\FlexibleSoft\wincrtcrt41\msftmod.dat      24 bytes (each)
    %Temp%\msftmod.dat
7   %AppData%\FlexibleSoft\wincrtcrt41\msftstp.exe      31,232 bytes
8   %AppData%\FlexibleSoft\wincrtcrt41\msfttcp.dll      37,888 bytes
9   %Temp%\msftcore.dat                                 671 bytes
10  %Temp%\msftcore.dll                                 54,446 bytes
11  %Temp%\msfteml.dll                                  46,824 bytes
12  %Temp%\msftldr.dll                                  29,833 bytes
13  %Temp%\msftstp.exe                                  15,526 bytes
14  %Temp%\msfttcp.dll                                  19,021 bytes
15  [file and pathname of the sample #1]                210,432 bytes
  • Notes:
    • %AppData% is a variable that refers to the file system directory that serves as a common repository for application-specific data. A typical path is C:\Documents and Settings\[UserName]\Application Data on Windows NT/2000/XP and C:\Users\[UserName]\AppData\Roaming on Windows Vista and later.
    • %Temp% is a variable that refers to the user's temporary folder, in short path form. By default this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ on Windows NT/2000/XP and C:\Users\[UserName]\AppData\Local\Temp on Windows Vista and later.
    • The %Temp% copies (rows 9 to 14) are smaller than the files of the same name under %AppData%, so the two sets are not byte-identical; hash and submit both when building indicators, and do not expect a hash from one set to match the other.

b. The following directory was created:

%AppData%\FlexibleSoft\wincrtcrt41

c. Registry Modifications

  • The following registry keys were created:
    • HKEY_LOCAL_MACHINE\SOFTWARE\MSoftware
    • HKEY_CURRENT_USER\Software\MSoftware
  • The newly created registry values are:
    • [HKEY_LOCAL_MACHINE\SOFTWARE\MSoftware]
      • Hidden = 01 00 00 00
      • InstallPath = "%UserProfile%\APPLIC~1\FLEXIB~1\WINCRT~1"
    • [HKEY_CURRENT_USER\Software\MSoftware]
      • Hidden = 01 00 00 00
      • InstallPath = "%UserProfile%\APPLIC~1\FLEXIB~1\WINCRT~1"
    • Note: InstallPath is written with 8.3 short names; it resolves to the directory in section 2b, %AppData%\FlexibleSoft\wincrtcrt41.
  • The following registry value was modified:
    • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
      • AppInit_DLLs =
    • Note: the new contents of the value were not recorded in this report. AppInit_DLLs lists DLLs that user32.dll loads into every process that links it, which is how the trojan gets its code into every GUI process and survives a reboot. Read the value on the infected host before clearing it so you know which DLL was being injected. On Windows Vista and later the list is only honoured when LoadAppInit_DLLs is 1, and from Windows 8 it is disabled entirely when Secure Boot is on, so this persistence mechanism mainly affects XP-era systems like the one in this analysis.

d. Other details

  • Attempts to establish connections to the following remote hosts were recorded:

    Remote host       Port
    209.191.122.70    80
    89.149.223.252    80

  • The first URL below is a request for the public Yahoo front page, which is the kind of connectivity check malware commonly makes before contacting its controller; do not turn that address into an alert. The remaining requests go to ade34ea82c4f7f2f.net and all carry the same 32-hex-character parameter name (27cd57c5ea7ee97b9f51ab6287c126fb). The get.cgi requests also share a common prefix in the parameter value and differ only in the tail, and data.cgi is requested both bare and with a parameter, consistent with polling for commands and uploading results. The data identified by the following URLs was requested from the remote web server:

      • http://www.yahoo.com/
      • http://ade34ea82c4f7f2f.net/get.cgi?27cd57c5ea7ee97b9f51ab6287c126fb=do1hlXbab7oPrHqbZAqqfceKdX4MlsO-3VP52C8tISNnKAJow1tqZjtiXSpxogLL1OPyyhmmqCpS-hxSYa4MUALbIlFgZBpfsOOsgzlMm-E
      • http://ade34ea82c4f7f2f.net/get.cgi?27cd57c5ea7ee97b9f51ab6287c126fb=do1hlXbab7oPrHqbZAqqfceKdX4MlsO-3VP52C8tISNnKAJow1tqZjtiXSpxogLLyTCtzpWV18cnmEgteto04B-79mi8ZK7U5lmSD6ktUT0
      • http://ade34ea82c4f7f2f.net/get.cgi?27cd57c5ea7ee97b9f51ab6287c126fb=do1hlXbab7oPrHqbZAqqfceKdX4MlsO-3VP52C8tISNnKAJow1tqZjtiXSpxogLLmks5V0FCgHcHyiqabb0MkoiBFTitno6b78xzCkyLxCA
      • http://ade34ea82c4f7f2f.net/get.cgi?27cd57c5ea7ee97b9f51ab6287c126fb=do1hlXbab7oPrHqbZAqqfceKdX4MlsO-3VP52C8tISNnKAJow1tqZjtiXSpxogLL0YZNVyi-N89qsI9ZeEYAfruJKz1BsvVEv-fbRJwZyVE
      • http://ade34ea82c4f7f2f.net/get.cgi?27cd57c5ea7ee97b9f51ab6287c126fb=do1hlXbab7oPrHqbZAqqfceKdX4MlsO-3VP52C8tISNnKAJow1tqZjtiXSpxogLLmAPSZyYYBoXJGuh0y5QcQi1w9YjKeOjRctDHIIioaAs
      • http://ade34ea82c4f7f2f.net/get.cgi?27cd57c5ea7ee97b9f51ab6287c126fb=do1hlXbab7oPrHqbZAqqfceKdX4MlsO-3VP52C8tISNnKAJow1tqZjtiXSpxogLL5-b-auvdhdy56YSYr4xhHX9t5L5ok1Px_0LdjI0o9iw
      • http://ade34ea82c4f7f2f.net/data.cgi
      • http://ade34ea82c4f7f2f.net/data.cgi?27cd57c5ea7ee97b9f51ab6287c126fb=hOq2Jl2gDnilAr2ZkdkjnbSVzjWMWH7kQC5qhx3Abhd3N1m2BNVc0dBqZpztetHOo4BNHBa7TJhjQ1CXcd6_xYfn6eLaT1xzoBeuU2hNPIa6t5FRb8Q3-rKiH2E9x25b
      • http://ade34ea82c4f7f2f.net/data.cgi?27cd57c5ea7ee97b9f51ab6287c126fb=l9Abzj2UT9pGNomSzmkbEjnwpLI40SspuaWcrBq7RzFI-wt7FQE7zxhmU_eLrmyg8-yCwq8cTUt6FxrcYwYL9g
      • http://ade34ea82c4f7f2f.net/get.cgi?27cd57c5ea7ee97b9f51ab6287c126fb=do1hlXbab7oPrHqbZAqqfceKdX4MlsO-3VP52C8tISNnKAJow1tqZjtiXSpxogLLhwCcznGOvUCDjjO0nl22MZG9Bb9435FCaDbIdxd9bFY
      • http://ade34ea82c4f7f2f.net/get.cgi?27cd57c5ea7ee97b9f51ab6287c126fb=do1hlXbab7oPrHqbZAqqfceKdX4MlsO-3VP52C8tISNnKAJow1tqZjtiXSpxogLLj-1S3-y-5U9ipl_9y4fdoqcVEHAdb8wILlz6C4xfyj0
      • http://ade34ea82c4f7f2f.net/get.cgi?27cd57c5ea7ee97b9f51ab6287c126fb=do1hlXbab7oPrHqbZAqqfceKdX4MlsO-3VP52C8tISNnKAJow1tqZjtiXSpxogLLiKtIjyfpP4ms-O4NBhbfzcinh5a-UwzC0dog2xvmJ58
      • http://ade34ea82c4f7f2f.net/get.cgi?27cd57c5ea7ee97b9f51ab6287c126fb=do1hlXbab7oPrHqbZAqqfceKdX4MlsO-3VP52C8tISNnKAJow1tqZjtiXSpxogLLmf3Na13TqEKDP4PVAwmlN81reKChufXOkTFEQYpgYU4

     

    3. How-to's

    a. How to prevent Backdoor.Win32.Agent.bavr?

    Keep the Sax2 policy (signature) database up to date: once Ax3soft Sax2 detects the communication of this trojan it breaks the connection, protecting your network and business. Independently of the IDS, block or alert on outbound HTTP to ade34ea82c4f7f2f.net and 89.149.223.252 at the proxy or firewall (IP addresses change, so the domain and the get.cgi/data.cgi request shape in section 2d are the more durable indicators), and watch the AppInit_DLLs value on workstations: it is normally empty, and any change to it deserves investigation.
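    The network indicators from section 2d turned into a log check, as an added PowerShell example (not code from the original page or from Ax3soft, and not Sax2's own signatures). The log layout is constructed for the demo, and the assumption that the get.cgi/data.cgi request shape with a 32-hex-character parameter name generalises beyond this one beacon host is the editor's, not the report's.

```powershell
# Added example (not from the original page or from Ax3soft): flags proxy/IDS HTTP
# log lines that match the Backdoor.Win32.Agent.bavr traffic listed in section 2d.
# The log layout below is constructed for the demo; adapt the field split to your proxy.

# High-fidelity indicators from section 2d: the beacon domain and the IP it was seen on.
$C2Hosts = @('ade34ea82c4f7f2f.net', '89.149.223.252')
# Assumption: the request shape (get.cgi / data.cgi with a 32-hex-char parameter name)
# is the family's protocol and generalises to other beacon hosts; treat as medium fidelity.
$C2PathPattern = '^/(get|data)\.cgi\?[0-9a-f]{32}='
# 209.191.122.70 is deliberately left out: the report pairs it with a request for
# http://www.yahoo.com/, so alerting on it would fire on ordinary Yahoo traffic.

function Test-AgentBavrUrl {
    # Returns a "why" string when the request matches an indicator, otherwise $null.
    param([Parameter(Mandatory)][string]$Url, [string]$DestIp)
    $uri = $null
    if (-not [System.Uri]::TryCreate($Url, [System.UriKind]::Absolute, [ref]$uri)) { return $null }
    $reasons = @()
    if ($C2Hosts -contains $uri.Host) { $reasons += "known beacon host $($uri.Host)" }
    if ($DestIp -and $C2Hosts -contains $DestIp) { $reasons += "known beacon IP $DestIp" }
    if ($uri.PathAndQuery -match $C2PathPattern) { $reasons += "beacon request shape $($Matches[0])" }
    if ($reasons.Count -eq 0) { return $null }
    return ($reasons -join '; ')
}

function Find-AgentBavrBeacons {
    # Each line: <time> <client-ip> <dest-ip> <method> <url>  (constructed layout)
    param([Parameter(Mandatory)][string[]]$Lines)
    foreach ($line in $Lines) {
        $f = $line.Trim() -split '\s+'
        if ($f.Count -lt 5) { continue }
        $why = Test-AgentBavrUrl -Url $f[4] -DestIp $f[2]
        if ($why) {
            [pscustomobject]@{ Time = $f[0]; Client = $f[1]; DestIp = $f[2]; Url = $f[4]; Reasons = $why }
        }
    }
}

# Constructed sample log. Line 1 is the Yahoo connectivity check (must not alert),
# lines 2-3 are the beacon from section 2d, line 4 is a hypothetical second beacon
# host with the same request shape, line 5 is a benign get.cgi that must not match.
$SampleLog = @'
2009-04-01T10:00:01Z 10.0.0.15 209.191.122.70 GET http://www.yahoo.com/
2009-04-01T10:00:02Z 10.0.0.15 89.149.223.252 GET http://ade34ea82c4f7f2f.net/get.cgi?27cd57c5ea7ee97b9f51ab6287c126fb=do1hlXbab7oPrHqbZAqqfceKdX4MlsO
2009-04-01T10:00:05Z 10.0.0.15 89.149.223.252 POST http://ade34ea82c4f7f2f.net/data.cgi
2009-04-01T10:00:09Z 10.0.0.22 203.0.113.9 GET http://0123456789abcdef.net/get.cgi?0123456789abcdef0123456789abcdef=AAAA
2009-04-01T10:00:11Z 10.0.0.22 203.0.113.10 GET http://intranet.example/get.cgi?id=5
'@

Find-AgentBavrBeacons -Lines ($SampleLog -split "`r?`n") |
    Format-Table Time, Client, DestIp, Url, Reasons -AutoSize
```

    Against a real export, call `Find-AgentBavrBeacons -Lines (Get-Content proxy.log)` after adjusting the field indexes in the split to your log format. Lines 2 and 3 of the sample are reported on host and IP, line 4 only on request shape, and lines 1 and 5 are not reported at all.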

    b. How to Remove Backdoor.Win32.Agent.bavr Manually?

    Step 1: Clear the AppInit_DLLs value and delete the registry keys created by Backdoor.Win32.Agent.bavr.

    Do this before touching any file: while a DLL is named in AppInit_DLLs it is loaded into every GUI process and cannot be deleted. Note what the value contains, then set it to an empty string. Do not delete the value or its parent key, both belong to Windows.

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    AppInit_DLLs =

    Then delete the following keys, including everything under them, and restart the machine so the injected DLL is no longer loaded:

    HKEY_LOCAL_MACHINE\SOFTWARE\MSoftware
    HKEY_CURRENT_USER\Software\MSoftware

    For reference, the keys contain:

    [HKEY_LOCAL_MACHINE\SOFTWARE\MSoftware]
    Hidden = 01 00 00 00
    InstallPath = "%UserProfile%\APPLIC~1\FLEXIB~1\WINCRT~1"
    [HKEY_CURRENT_USER\Software\MSoftware]
    Hidden = 01 00 00 00
    InstallPath = "%UserProfile%\APPLIC~1\FLEXIB~1\WINCRT~1"

    Step 2: After the restart, delete all the files associated with Backdoor.Win32.Agent.bavr (end any msftdm.exe, msftdm32.exe or msftstp.exe process first if one is still running). A file that still refuses to be deleted is still loaded in a running process: check that AppInit_DLLs is really empty and restart again.

    %AppData%\FlexibleSoft\wincrtcrt41\msftcore.dat
    %AppData%\FlexibleSoft\wincrtcrt41\msftcore.dll
    %AppData%\FlexibleSoft\wincrtcrt41\msftdm.exe
    %AppData%\FlexibleSoft\wincrtcrt41\msftdm32.exe
    %Temp%\msftdm.exe
    %Temp%\msftdm32.exe
    %AppData%\FlexibleSoft\wincrtcrt41\msfteml.dll
    %AppData%\FlexibleSoft\wincrtcrt41\msftldr.dll
    %AppData%\FlexibleSoft\wincrtcrt41\msftmod.dat
    %Temp%\msftmod.dat
    %AppData%\FlexibleSoft\wincrtcrt41\msftstp.exe
    %AppData%\FlexibleSoft\wincrtcrt41\msfttcp.dll
    %Temp%\msftcore.dat
    %Temp%\msftcore.dll
    %Temp%\msfteml.dll
    %Temp%\msftldr.dll
    %Temp%\msftstp.exe
    %Temp%\msfttcp.dll
    [file and pathname of the sample #1]

    The dropper's own path is not recorded in this report; locate it separately, for example by searching for a 210,432-byte executable created around the time of infection. Finally remove the now-empty directory %AppData%\FlexibleSoft\wincrtcrt41 (section 2b).
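    The two steps above, in the order that works on a live host, as an added PowerShell example (not code from the original page or from Ax3soft). It assumes the infected profile is the one running the script (it expands %AppData% and %Temp% from the current environment), adds the WOW6432Node locations that 64-bit Windows uses for these 32-bit keys (an assumption; the analysis above was done on a 32-bit system), must be run from an elevated prompt, and supports -WhatIf for a dry run.

```powershell
# Added example (not from the original page or from Ax3soft): removes the
# Backdoor.Win32.Agent.bavr artefacts listed in sections 2a-2c in the order that
# works: clear AppInit_DLLs, stop processes, remove keys, then remove files.
# Run elevated. -WhatIf shows what would be changed without changing anything.
# Assumes the infected profile is the one running the script ($env:APPDATA, $env:TEMP).
[CmdletBinding(SupportsShouldProcess)]
param()

$InstallDir = Join-Path $env:APPDATA 'FlexibleSoft\wincrtcrt41'
$Names = 'msftcore.dat', 'msftcore.dll', 'msftdm.exe', 'msftdm32.exe', 'msfteml.dll',
         'msftldr.dll', 'msftmod.dat', 'msftstp.exe', 'msfttcp.dll'
# Every name in section 2a appears under the install dir and/or %Temp%; checking both for all is cheap.
$Files = foreach ($n in $Names) { Join-Path $InstallDir $n; Join-Path $env:TEMP $n }
# Keys from section 2c, plus the WOW6432Node view a 64-bit Windows would use (assumption).
$Keys = 'HKLM:\SOFTWARE\MSoftware', 'HKLM:\SOFTWARE\WOW6432Node\MSoftware', 'HKCU:\Software\MSoftware'
$WinKeys = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
           'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows'

# 1. Record and clear AppInit_DLLs. The value is not deleted: it is a normal Windows value,
#    and user32.dll loads every DLL named in it into every GUI process, so it must be empty, not absent.
foreach ($k in $WinKeys) {
    if (-not (Test-Path $k)) { continue }
    $cur = (Get-ItemProperty -Path $k -Name AppInit_DLLs -ErrorAction SilentlyContinue).AppInit_DLLs
    if ([string]::IsNullOrWhiteSpace($cur)) { continue }
    Write-Host "AppInit_DLLs in $k was: '$cur'  (keep this for your incident record)"
    if ($PSCmdlet.ShouldProcess("$k\AppInit_DLLs", 'clear')) {
        Set-ItemProperty -Path $k -Name AppInit_DLLs -Value ''
    }
}

# 2. Stop the launcher processes named in section 2a if any is still running.
foreach ($p in (Get-Process -Name msftdm, msftdm32, msftstp -ErrorAction SilentlyContinue)) {
    if ($PSCmdlet.ShouldProcess("$($p.Name) (PID $($p.Id))", 'stop process')) {
        Stop-Process -Id $p.Id -Force
    }
}

# 3. Remove the MSoftware keys and everything under them.
foreach ($k in $Keys) {
    if ((Test-Path $k) -and $PSCmdlet.ShouldProcess($k, 'remove key')) {
        Remove-Item -Path $k -Recurse -Force
    }
}

# 4. Remove the files. A DLL already injected through AppInit_DLLs stays locked until every
#    process that mapped it exits, so whatever fails here is removed by rerunning the script
#    after a reboot (step 1 guarantees it is not loaded again).
$locked = @()
foreach ($f in $Files) {
    if (-not (Test-Path -LiteralPath $f)) { continue }
    if (-not $PSCmdlet.ShouldProcess($f, 'delete file')) { continue }
    try { Remove-Item -LiteralPath $f -Force -ErrorAction Stop }
    catch { $locked += $f }
}
if ((Test-Path -LiteralPath $InstallDir) -and -not (Get-ChildItem -LiteralPath $InstallDir -Force) -and
    $PSCmdlet.ShouldProcess($InstallDir, 'remove empty directory')) {
    Remove-Item -LiteralPath $InstallDir -Force
}
if ($locked) {
    Write-Warning "Still locked, reboot and rerun this script:`n$($locked -join "`n")"
}
# The original dropper ("[file and pathname of the sample #1]" in section 2a) is not named
# in the report, so it has to be located separately and is not handled here.
```

    Run it once, reboot, and run it again: the first pass clears AppInit_DLLs and removes whatever is not locked, the second pass removes the DLLs that were still mapped into running processes. Keep the printed AppInit_DLLs value with your incident notes; it tells you which DLL was being injected.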

    c. How to Remove these trojans Instantly?

    Manual removal is a difficult process and is not recommended unless you are experienced in this field. Your best defence is therefore to download and install a reliable anti-malware program and scan your machine with it. To detect computer threats in the easiest and fastest way possible we advise trying Malwarebytes' Anti-Malware, an anti-malware application that can thoroughly remove even the most advanced malware. It includes a number of features, including a built-in protection monitor that blocks malicious processes before they even start. Visit http://www.ids-sax2.com/Malwarebytes-Anti-Malware.htm to download Malwarebytes' Anti-Malware.

     

    4. Appendix

    For more information, please visit  http://www.ids-sax2.com/ComputerSecurityNewsletter.htm
