
Generic BackDoor

Type: Trojan
SubType: Remote Access
Discovery Date:
Length: N/A
Minimum DAT: N/A (11/07/2009)
Updated DAT: 5795 (11/07/2009)
Minimum Engine: 5.1.00
Description Added: 02/03/2003
Description Modified: 12/02/2003 2:06 PM (PT)

Risk Assessment
Corporate User: Low
Home User: Low

Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Characteristics

This detection covers many nondescript backdoor trojans - typically one-off creations that have been received by AVERT.

Such trojans are typically multi-component in nature, consisting of Server, Configuration and Client parts. These components are described below:

Server Component

This is the component that is intended to be executed on the victim's machine. It may be received via email, a file-sharing network, an IRC channel, etc., or it may be installed by a dropper file. Once run, the server component typically hooks system startup by adding a Registry key, or an entry in the WIN.INI or SYSTEM.INI files.

The server component will open a port on the victim machine. Personal firewalls will often trigger at this point, or when data is received via that port.

Upon successful installation, the server component will frequently issue a notification to the hacker. This notification is generally achieved via one of two methods:

  1. HTTP request to a public script library in order to send an email
  2. via ICQ

Configuration Component

This component is used by the hacker to configure server components. Various parameters are typically configurable, for example:

  • Registry key name
  • installed filename
  • hooking method (INI file or Registry)
  • notification (method, and destination/target)

Client Component

The final component of a typical backdoor package is the client, which the hacker uses to connect to remote victim machines that have the server running on them. Once connected, the exact functionality available to the hacker varies, but will generally include:

  • browse remote filesystem
  • upload/download files
  • delete/execute files
  • modify system settings (resolution, background)
  • browse/kill running processes
  • browse/edit Windows Registry
  • start/stop additional components (keylogger, webcam capture etc.)
  • display message-box
  • open/close CD-tray

Symptoms

The server component is installed on the victim machine, typically into %WinDir% or %WinDir%\System. System startup is generally hooked via a Registry key or by adding an entry to the WIN.INI or SYSTEM.INI system files.
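The following script is an added example, not AVERT's tooling: it checks the persistence points named above by parsing WIN.INI and SYSTEM.INI text together with a list of Registry Run values (all constructed inline) and flags any autostart entry beyond the clean-system defaults, or one whose program sits directly in %WinDir% or %WinDir%\System. The %WinDir% value, the Run key path and the default entries are assumptions.

```python
# Added example (not AVERT's tooling): flag the autostart hooks named under Symptoms.
# %WinDir%, the Run key path and the clean-system defaults below are assumptions.
import configparser
import ntpath
import re
WINDIR = r"C:\WINDOWS"                       # assumed %WinDir%
SYSTEM_DIR = ntpath.join(WINDIR, "System")   # assumed %WinDir%\System
# INI hooks to check: file, section, keys, programs normally present there.
INI_HOOKS = [
    ("win.ini", "windows", ("load", "run"), set()),
    ("system.ini", "boot", ("shell",), {"explorer.exe"}),
]

def in_windir(path):
    """True for an absolute path whose directory is %WinDir% or %WinDir%\\System."""
    return ntpath.dirname(path).lower() in (WINDIR.lower(), SYSTEM_DIR.lower())

def first_program(cmdline):
    """Return the executable from a Run value, honouring a quoted path."""
    s = cmdline.strip()
    return s[1:].split('"', 1)[0] if s.startswith('"') else (s.split()[0] if s else "")

def find_hooks(ini_texts, run_values):
    """Return (location, program) tuples for suspicious autostart entries.
    ini_texts maps INI file name to its text; run_values holds (key, name, data)."""
    findings = []
    for fname, section, keys, expected in INI_HOOKS:
        cp = configparser.ConfigParser(interpolation=None, strict=False)
        cp.read_string(ini_texts.get(fname, ""))
        for key in keys:
            # load=, run= and shell= may list several programs, comma/space separated.
            for prog in re.split(r"[,\s]+", cp.get(section, key, fallback="").strip()):
                if prog and ntpath.basename(prog).lower() not in expected:
                    findings.append((f"{fname} [{section}] {key}=", prog))
    for key, name, data in run_values:
        exe = first_program(data)
        if in_windir(exe):              # program dropped straight into %WinDir%[\System]
            findings.append((f"{key}\\{name}", exe))
    return findings

# Constructed samples imitating the hooks described above (not real detections).
SAMPLE_INI = {
    "win.ini": "[windows]\nload=\nrun=C:\\WINDOWS\\SYSTEM\\msrun32.exe\n[Desktop]\nWallpaper=(None)\n",
    "system.ini": "[boot]\nshell=explorer.exe C:\\WINDOWS\\svchost32.exe\n[386Enh]\ndevice=vmm32.vxd\n",
}
RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"   # assumed hook key
SAMPLE_RUN = [(RUN_KEY, "SystemTray", "SysTray.Exe"),
              (RUN_KEY, "WinUpdate", r"C:\WINDOWS\winupd.exe")]
if __name__ == "__main__":
    for where, prog in find_hooks(SAMPLE_INI, SAMPLE_RUN):
        print(f"{where:55} -> {prog}")
```

On a live system the INI texts and Run values would be read from the machine under triage; every finding still needs manual confirmation, since legitimate software can also register here.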

Method of Infection

Once the server component is installed on the victim machine, it opens a port and typically issues a notification to the hacker. The hacker can then connect to that machine using the client component.

Removal

AVERT recommends always using the latest DATs and engine. This threat will be cleaned if you have this combination.

Additional Windows ME/XP removal considerations

Variants

N/A