ICQPager-J

Type
Trojan
SubType
Win32
Discovery Date
02/20/2003
Length
3,584 bytes (svr)
515,072 bytes (cfg)
Minimum DAT
4250 (02/26/2003)
Updated DAT
4250 (02/26/2003)
Minimum Engine
5.1.00
Description Added
02/20/2003
Description Modified
02/24/2003 9:45 AM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Characteristics

This detection is for a trojan designed to send notification messages from the victim machine to the hacker. It comprises several components: a server (the part that runs on the victim), a server editor (for configuration) and notification scripts (ASP, CGI, PHP) that the hacker hosts.

Notification Server

When the server component is run on the victim machine, it copies itself to that machine (the installation path and filename are configurable via the server editor; the default is C:\TEST.EXE) and adds a startup hook to the [windows] section of WIN.INI so that the copy is launched at logon. For example:

[windows]
load=C:\TEST.EXE

An outgoing DNS request is then sent to resolve a remote ICQ server. If the lookup succeeds, the notification is sent to the hacker via HTTP using a script on that server. The details contained in the notification are configurable via the configuration component.
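A check for the WIN.INI hook described above, added here as an example; it is not code from the original description or from the malware itself. It parses the [windows] section of a WIN.INI file, reports any load= or run= program that is not on an allow-list, and returns a copy of the file with the hook blanked out. The sample WIN.INI text and the empty allow-list are constructed assumptions for the example.

```python
"""Find and strip the [windows] load=/run= startup hook in WIN.INI.

Added example, not part of the original description. The sample
WIN.INI content and the allow-list below are constructed assumptions.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: what WIN.INI looks like after the default server
# (C:\TEST.EXE) has installed its hook.
SAMPLE_WIN_INI = """\
; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1
[windows]
load=C:\\TEST.EXE
run=
"""

# Keys in [windows] that Windows executes at logon.
STARTUP_KEYS = ("load", "run")

# Assumption for this example: nothing is expected in load= or run= on a
# clean machine, so any program listed there is reported.
ALLOWED_VALUES = set()


def parse_ini(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal INI parser: section name (lowercase) -> {key (lowercase): value}.

    Hand-written rather than configparser because WIN.INI has sections
    with no keys and keys with empty values, and the raw value is wanted.
    """
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        m = re.match(r"^\[(.+?)\]$", line)
        if m:
            current = m.group(1).lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def find_startup_hooks(text: str) -> List[Tuple[str, str]]:
    """Return (key, program) pairs under [windows] that would start a program."""
    windows = parse_ini(text).get("windows", {})
    hooks = []
    for key in STARTUP_KEYS:
        value = windows.get(key, "")
        if not value:
            continue
        # load= and run= may list several programs separated by spaces or
        # commas, so a path containing spaces is inherently ambiguous here.
        for entry in re.split(r"[ ,]+", value):
            if entry and entry.lower() not in ALLOWED_VALUES:
                hooks.append((key, entry))
    return hooks


def remove_startup_hooks(text: str) -> str:
    """Return WIN.INI text with load=/run= in [windows] blanked out.

    Only the [windows] section is touched; every other line is kept as-is.
    The keys are blanked rather than deleted so the file keeps its shape.
    """
    out = []
    in_windows = False
    for raw in text.splitlines(keepends=True):
        line = raw.strip()
        if line.startswith("["):
            in_windows = line.lower() == "[windows]"
        elif in_windows and "=" in line:
            key = line.partition("=")[0].strip().lower()
            if key in STARTUP_KEYS:
                out.append(f"{key}=\n")
                continue
        out.append(raw)
    return "".join(out)


if __name__ == "__main__":
    for key, program in find_startup_hooks(SAMPLE_WIN_INI):
        print(f"suspicious [windows] {key}={program}")  # load=C:\TEST.EXE
```

Run it against a real file by reading C:\Windows\win.ini into `find_startup_hooks`; on NT-based Windows the same load= and run= values are also mirrored in the registry under HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows, so check that key as well. Blank the hook only after the file it points to has been removed or quarantined, otherwise the next logon simply fails to start it without leaving a trace of where it was.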

Configuration Component

This component enables the hacker to edit the notification server and build servers that notify via SMS, ICQ or an ASP/CGI/PHP script. Configurable parameters include:

  • recipient address (ICQ or cell number)
  • message contents
  • installation path/filename
  • URL for ASP/CGI/PHP script

Symptoms

  • outgoing HTTP traffic to the notification script containing the configured message
  • unexpected load= entry in the [windows] section of WIN.INI (default C:\TEST.EXE), as described above

Method of Infection

The server installs itself and issues notification when executed on the victim machine.

Removal

-

Variants

N/A

Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.