Content
BackDoor-AQL
- Type
- Trojan
- SubType
- Remote Access
- Discovery Date
- 02/25/2003
- Length
- 32,768 bytes (cli)
24,576 bytes (svr) - Minimum DAT
- 4251 (03/05/2003)
- Updated DAT
- 4251 (03/05/2003)
- Minimum Engine
- 5.1.00
- Description Added
- 02/25/2003
- Description Modified
- 03/06/2003 7:49 AM (PT)
Tab Navigation
Characteristics
This threat, as with most remote access trojans, consists of 2 components: the client and server. Once the server is running on the victim machine, the hacker is able to connect (and administer that machine) using the client component.
When run on the victim machine, the server component opens a TCP socket accepting commands sent from the client on port 2003. Ulikely most others backdoor servers, this specific variant does not copy itself to any system folder nor does it add a hook to the Registry.
The client component offers many functions to the hacker:
- Sending popup messages
- Executing any DOS command
- Playing, stopping, opening closing the CD
- Force the user to log off
- Disabling double-click on the victim machine
- Opening specific websites with the browser
Symptoms
The indications of the presence of this trojan are typical for infection by remote access trojan:
- TCP port 2003 open (LISTENING mode) on the victim machine.
- Unusual behaviour on victim machine, explainable by unauthorised remote administration.
Method of Infection
Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, etc.
Removal
All Users:
Use current engine and DAT files for detection and removal.
Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).
Variants
Variants
N/A
All Information
Overview -
This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.
Characteristics
Characteristics -
This threat, as with most remote access trojans, consists of 2 components: the client and server. Once the server is running on the victim machine, the hacker is able to connect (and administer that machine) using the client component.
When run on the victim machine, the server component opens a TCP socket accepting commands sent from the client on port 2003. Ulikely most others backdoor servers, this specific variant does not copy itself to any system folder nor does it add a hook to the Registry.
The client component offers many functions to the hacker:
- Sending popup messages
- Executing any DOS command
- Playing, stopping, opening closing the CD
- Force the user to log off
- Disabling double-click on the victim machine
- Opening specific websites with the browser
Symptoms
Symptoms -
The indications of the presence of this trojan are typical for infection by remote access trojan:
- TCP port 2003 open (LISTENING mode) on the victim machine.
- Unusual behaviour on victim machine, explainable by unauthorised remote administration.
Method of Infection
Method of Infection -
Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, etc.
Removal -
Removal -
All Users:
Use current engine and DAT files for detection and removal.
Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).
Additional Windows ME/XP removal considerations
Variants
Variants -
N/A
