HackerDefender

Type: Trojan
SubType: Win32
Discovery Date: 02/03/2003
Length: Varies
Minimum DAT: 4246 (02/05/2003)
Updated DAT: 6546 (11/30/2011)
Minimum Engine: 5.1.00
Description Added: 02/06/2003
Description Modified: 02/18/2003 9:20 AM (PT)

Risk Assessment
Corporate User: Low
Home User: Low

Characteristics

If you receive a detection for HackerDefender, please submit a sample to Avert.

This detection covers several versions of a rootkit for Windows NT/2000/XP. The purpose of this rootkit is to give an attacker remote access to the compromised system by creating a remote shell. The rootkit hooks the operating system at a very low level, which lets it conceal its presence very effectively. Once installed, it is capable of hiding files, processes, services, and registry information. The kit uses an INI file that lets the attacker customize various aspects of the trojan, such as:

  • Files, directories, processes, services, and registry keys to hide
  • Backdoor password
  • Service name, display name, and description
  • Program to execute after the rootkit has run

The rootkit monitors all incoming TCP traffic on every port. If a connection is identified as coming from the rootkit's client component, the rootkit verifies that it carries the correct password and then hands the connection to the remote shell. For example, if an IIS web server is running on a compromised system, an attacker can connect to the backdoor on port 80. Because the trojan intercepts the traffic before the IIS server has access to it, IIS never sees the packets, and the connection passes through any firewall rule that already allows port 80.
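
Because the backdoor answers on a port that legitimately carries another protocol, one defender-side check is to compare the first bytes each client sends against the protocol that port should carry. The following is an added illustration, not code from the advisory or from McAfee; the session records and the per-port expectations are constructed for the example.

```python
import re

# Constructed sample of inbound TCP sessions: (destination port, first bytes sent by the client).
# The second and last entries imitate a client that is not speaking HTTP on the web server's
# port, which is the traffic pattern the advisory describes (the backdoor answering on port 80).
SAMPLE_SESSIONS = [
    (80, b"GET /index.html HTTP/1.1\r\nHost: intranet.example\r\n\r\n"),
    (80, b"\x0b\x1f\x00\x00\x00login\x00"),
    (80, b"POST /api HTTP/1.0\r\nContent-Length: 2\r\n\r\nok"),
    (443, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),
    (443, b"GET / HTTP/1.1\r\n\r\n"),
    (22, b"SSH-2.0-OpenSSH_8.9\r\n"),
    (80, b"shell cmd.exe"),
]

# First bytes a client is expected to send on each well-known port (assumed expectations).
EXPECTED = {
    80: re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS|TRACE|CONNECT|PATCH) \S+ HTTP/1\.[01]\r\n"),
    443: re.compile(rb"^\x16\x03[\x00-\x04]"),  # TLS handshake record (ClientHello)
    22: re.compile(rb"^SSH-2\.0-"),
}


def find_protocol_mismatches(sessions):
    """Return (port, payload) for sessions whose opening bytes do not match the port's protocol."""
    findings = []
    for port, payload in sessions:
        pattern = EXPECTED.get(port)
        if pattern is None:
            continue  # no expectation recorded for this port
        if not pattern.match(payload):
            findings.append((port, payload))
    return findings


def summarize(sessions):
    """Count mismatches per port so a handful of odd sessions on a busy web port still stands out."""
    counts = {}
    for port, _ in find_protocol_mismatches(sessions):
        counts[port] = counts.get(port, 0) + 1
    return counts


if __name__ == "__main__":
    for port, payload in find_protocol_mismatches(SAMPLE_SESSIONS):
        print(f"port {port}: client payload is not the expected protocol: {payload[:16]!r}")
    print(summarize(SAMPLE_SESSIONS))
```

Since the rootkit consumes these connections before IIS or the host's own logging sees them, feed this check from a network tap or span port rather than from logs collected on the suspect host.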

The trojan also has a port redirector component, which works under Windows NT.

Update - Feb 18th 2003:
McAfee products using the 4246 DATs incorrectly report certain innocent DLL files as 'trojan or variant HackerDefender'. This was corrected in the 4247 DATs.

The innocent files affected are DLLs related to image analysis software. The following DLLs are known to be incorrectly flagged with the 4246 DATs:

  • MILCOR.DLL (v6.10.0.186, 626,960 bytes)
  • MILCOR.DLL (v6.01.00.727, 590,096 bytes)
  • MILVGA.DLL (v6.10.00.1618, 348,432 bytes)
  • MILVGA.DLL (v6.01.00.902, 319,760 bytes)
  • MILGEN.DLL (v6.10.00.1257, 426,256 bytes)

These DLLs are completely unrelated to the HackerDefender rootkit.

Symptoms

There are no obvious signs of infection.

Method of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, etc.

Removal

Submit a copy of the detected file to AVERT for further instructions.

Variants

N/A

Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.
