BackDoor-ARR

Type: Trojan
SubType: Remote Access
Discovery Date: 03/17/2003
Length: Varies
Minimum DAT: 4254 (03/26/2003)
Updated DAT: 6546 (11/30/2011)
Minimum Engine: 5.1.00
Description Added: 03/17/2003
Description Modified: 09/26/2003 10:14 AM (PT)
Risk Assessment:
  Corporate User: Low-Profiled
  Home User: Low-Profiled

Characteristics

--- Update Aug 15, 2003 ---
The risk assessment of this threat was updated to Low-Profiled due to the SearchSecurity.com article "Trojan preying on Lovsan hits inboxes".

This trojan was recently spammed to a number of email addresses. Regular detection is included in the 4287 DAT files. The spam message appeared as follows:

From: webmaster@microsoft.com
Subject: updated
Body:
Dear customer:

At 11:34 A.M. Pacific Time on August 13, Microsoft began investigating a worm reported by Microsoft Product Support Services (PSS). A new worm commonly known as W32.Blaster.Worm has been identified that exploits the vulnerability that was addressed by Microsoft Security Bulletin MS03-026.

Download the attached update program. To begin the download process, do one of the following:

To download the attached program to your computer for installation at a later time, click Save or Save this program to disk.then run it. If you have any problem ,connect to us immediately.

Attachment: 03-26updated.exe (319,670 bytes)

There are several variants of this trojan. Once the server component is run on the victim machine, the hacker is able to connect to and administer that machine.

When run, the trojan installs itself onto the system by copying itself to the System directory, for example as C:\WINDOWS\SYSTEM\SVCH0ST.EXE or SP00LSV.EXE (note the digit zeros in place of the letter O, mimicking the legitimate SVCHOST.EXE and SPOOLSV.EXE).

It creates the following registry values in order to run at Windows startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  "winlogon" = %SysDir%\SVCH0ST.EXE

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
  "winlogon" = %SysDir%\SVCH0ST.EXE

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  "winlogon" = %SysDir%\SVCH0ST.EXE

It also creates the following entry in the WIN.INI file in order to run at Windows startup:

run=%SysDir%\SVCH0ST.EXE
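As an added triage example (not McAfee's own code or tooling), the following Python checks an exported registry file and a WIN.INI for the persistence entries listed above; the look-alike file names and key paths are taken from this description, and the sample artifacts embedded in it are constructed, not real captures.

```python
import re

# Indicators from the description: a "winlogon" value under Run/RunServices, or a
# WIN.INI run= line, that launches the look-alike SVCH0ST.EXE or SP00LSV.EXE.
LOOKALIKE_EXES = {"svch0st.exe", "sp00lsv.exe"}
STARTUP_KEY = re.compile(r"^\[(HKEY_LOCAL_MACHINE|HKEY_CURRENT_USER)\\Software"
                         r"\\Microsoft\\Windows\\CurrentVersion\\(Run|RunServices)\]$", re.I)
REG_VALUE = re.compile(r'^"(?P<name>[^"]*)"="(?P<data>.*)"$')

def exe_name(path):
    """Lowercase file name of a Windows path (.reg-style doubled backslashes are fine)."""
    return path.strip().strip('"').rsplit("\\", 1)[-1].lower()

def scan_reg_export(text):
    """(key, value name, data) for startup values whose data launches a look-alike."""
    hits, key = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):  # key header: remember it only if it is a startup key
            key = line.strip("[]") if STARTUP_KEY.match(line) else None
            continue
        m = REG_VALUE.match(line)
        if key and m and exe_name(m["data"]) in LOOKALIKE_EXES:
            hits.append((key, m["name"], m["data"]))
    return hits

def scan_win_ini(text):
    """(key, value) for run=/load= lines in [windows] that launch a look-alike."""
    hits, section = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            section = line.lower()
            continue
        if section == "[windows]" and "=" in line:
            k, v = (s.strip() for s in line.split("=", 1))
            if k.lower() in ("run", "load") and exe_name(v) in LOOKALIKE_EXES:
                hits.append((k, v))
    return hits

# Constructed sample artifacts (not real captures) in reg-export and INI syntax.
SAMPLE_REG = r"""[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"winlogon"="C:\\WINDOWS\\SYSTEM\\SVCH0ST.EXE"
"Updater"="C:\\Program Files\\Vendor\\updater.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"winlogon"="C:\\WINDOWS\\SYSTEM\\SP00LSV.EXE"
"""
SAMPLE_INI = "[windows]\nload=\nrun=C:\\WINDOWS\\SYSTEM\\SVCH0ST.EXE\n[Desktop]\n"

def demo():  # both scanners over the samples: two registry hits plus one INI hit
    return scan_reg_export(SAMPLE_REG) + scan_win_ini(SAMPLE_INI)
```

On a live system the same checks apply to `reg export` output of the three keys above and to %WinDir%\WIN.INI; the benign "Updater" value in the sample shows that only the look-alike names are flagged, not every Run entry.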

The trojan allows actions to be performed on the victim machine including the following:

  • Retrieving victim machine information (especially passwords)
  • Sending messages from the victim machine
  • Opening/closing CD tray
  • Keylogging

Symptoms

The indications of the presence of this trojan are typical of infection by a remote access trojan:

  • Unusual/unexpected ports open on the machine.
  • Existence of the files and registry entries detailed above.
  • Unusual behavior on the victim machine, explainable by unauthorized remote administration.

Method of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, spam, etc.

This trojan sends an email notification to its author alerting them that your system is infected.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system registry and/or INI files for the purpose of hooking system startup will be removed when cleaning with the recommended engine and DAT combination (or higher).

In some particular cases, the following additional steps need to be taken.

Use the Microsoft Recovery Console to restore a clean MBR.

On Windows XP:

  • Insert the Windows XP CD into the CD-ROM drive and restart the computer.
  • When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
  • Select the Windows installation that is compromised and provide the administrator password.
  • Issue the 'fixmbr' command to restore the Master Boot Record.
  • Follow onscreen instructions.
  • Reset and remove the CD from CD-ROM drive.


On Windows Vista and 7:

  • Insert the Windows CD into the CD-ROM drive and restart the computer.
  • Click on "Repair Your Computer".
  • When the System Recovery Options dialog comes up, choose the Command Prompt.
  • Issue the 'bootrec /fixmbr' command to restore the Master Boot Record.
  • Follow onscreen instructions.
  • Reset and remove the CD from CD-ROM drive.

Variants

N/A

Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Aliases

  • Backdoor.GrayBird (AVP)
  • Backdoor.Graybird (Symantec)
  • Graybird-A
  • Troj/Graybird (Sophos)
