Generic BackDoor

Type
Trojan
SubType
Remote Access
Discovery Date
Length
N/A
Minimum DAT
N/A (01/18/2012)
Updated DAT
6593 (01/18/2012)
Minimum Engine
5.1.00
Description Added
02/03/2003
Description Modified
12/02/2003 2:06 PM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Characteristics

This detection covers many nondescript backdoor trojans - typically one-off creations that have been received by AVERT.

Such trojans are typically multi-component in nature, consisting of Server, Configuration and Client parts. These components are described below:

Server Component

This is the component that is intended to be executed on the victim's machine. It may be received via email, file-sharing network, IRC channel etc., or it could be installed by a dropper file. Once run, the server component typically hooks system startup by adding a Registry key, or an entry in the WIN.INI or SYSTEM.INI files.

The server component will open a port on the victim machine. Personal firewalls will often trigger at this point, or when data is received via that port.

Upon successful installation, the server component will frequently issue a notification to the hacker. This notification is generally achieved via one of two methods:

  1. HTTP request to a public script library in order to send an email
  2. via ICQ

Configuration Component

This component is used by the hacker to configure server components. Various parameters are typically configurable, for example:

  • Registry key name
  • installed filename
  • hooking method (INI file or Registry)
  • notification (method, and destination/target)

Client Component

The final component of a typical backdoor package is the client, which is used by the hacker to make a connection to remote victim machines which have the server running on them. Once connected, the exact functionality available to the hacker varies, but will generally include:

  • browse remote filesystem
  • upload/download files
  • delete/execute files
  • modify system settings (resolution, background)
  • browse/kill running processes
  • browse/edit Windows Registry
  • start/stop additional components (keylogger, webcam capture etc.)
  • display message-box
  • open/close CD-tray

Symptoms

The server component is installed on the victim machine, typically into %WinDir% or %WinDir%\System. System startup is generally hooked via a Registry key or adding an entry into the WIN.INI or SYSTEM.INI system files.
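The startup hooks named above (WIN.INI run=/load=, SYSTEM.INI shell=, and a Run Registry key pointing into %WinDir% or %WinDir%\System) can be checked offline from copies of those files. The script below is an added example, not McAfee's or AVERT's code; every input is constructed, the filenames are hypothetical, and %WinDir% is assumed to be C:\WINDOWS.

```python
"""Flag startup hooks of the kind Generic BackDoor servers install.
Added example; all sample inputs are constructed, not from a real infection."""
import configparser
import re

WIN_INI = """[windows]
load=
run=C:\\WINDOWS\\SYSTEM\\svchost32.exe
NullPort=None
"""
SYSTEM_INI = """[boot]
shell=Explorer.exe C:\\WINDOWS\\mscfg.exe
"""
RUN_REG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteAccess"="C:\\WINDOWS\\SYSTEM\\svchost32.exe"
"Sound"="C:\\Program Files\\Realtek\\soundman.exe"
'''
REG_VALUE = re.compile(r'^"([^"]+)"="(.*)"$')   # one "name"="data" line of a .reg export


def _ini_values(text, section, keys):
    """Non-empty values of the given keys in one INI section."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    vals = [(k, cp.get(section, k, fallback="").strip()) for k in keys]
    return [(k, v) for k, v in vals if v]


def scan_ini(win_ini, system_ini):
    """WIN.INI run=/load= entries, plus a SYSTEM.INI shell= that is not plain Explorer.exe."""
    found = [f"WIN.INI [windows] {k}={v}"
             for k, v in _ini_values(win_ini, "windows", ("run", "load"))]
    found += [f"SYSTEM.INI [boot] {k}={v}"
              for k, v in _ini_values(system_ini, "boot", ("shell",))
              if v.lower() != "explorer.exe"]
    return found


def scan_run_key(reg_text, windir=r"C:\WINDOWS"):
    """Run-key values whose target sits directly in %WinDir% or %WinDir%\\System."""
    in_windir = re.compile(r"^" + re.escape(windir) + r"\\(system\\)?[^\\]+$", re.I)
    found = []
    for line in reg_text.splitlines():
        m = REG_VALUE.match(line.strip())
        if not m:
            continue
        target = m.group(2).replace("\\\\", "\\")   # .reg exports double each backslash
        if in_windir.match(target):
            found.append(f"Run\\{m.group(1)}={target}")
    return found


if __name__ == "__main__":
    for hit in scan_ini(WIN_INI, SYSTEM_INI) + scan_run_key(RUN_REG):
        print("startup hook:", hit)
```

A hit is a lead, not a verdict: legitimate software also uses the Run key, so compare each flagged file against what the recommended engine and DAT detect.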

Method of Infection

Once the server component is installed on the victim machine, it opens a port and typically issues a notification to the hacker. The hacker can then connect to that machine using the client component.

Removal

All Users:

Please use the following instructions for all supported versions of Windows to remove threats and other potential risks:

1. Disable System Restore.

2. Update to current engine and DAT files for detection and removal.

3. Run a complete system scan.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).

1. Please go to the Microsoft Recovery Console and restore a clean MBR.

On Windows XP:

Insert the Windows XP CD into the CD-ROM drive and restart the computer.
When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
Select the Windows installation that is compromised and provide the administrator password.
Issue the 'fixmbr' command to restore the Master Boot Record.
Follow the onscreen instructions.
Reset and remove the CD from the CD-ROM drive.

On Windows Vista and 7:

Insert the Windows CD into the CD-ROM drive and restart the computer.
Click on "Repair Your Computer".
When the System Recovery Options dialog comes up, choose the Command Prompt.
Issue the 'bootrec /fixmbr' command to restore the Master Boot Record.
Follow the onscreen instructions.
Reset and remove the CD from the CD-ROM drive.

Variants

    N/A

Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.
