McAfee > Theat Center > Virus Detail Page

Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Aliases

• Backdoor.Fluxay (Symantec)

• Bck/Xayflu.srv (Panda)

• BKDR_FLUXAY.A (Trend)

Characteristics

This is a remote access trojan. It consists a client and a server program. It uses pipes to allow remote execution of commands.

The client program requires remote machine ip address, user name and password to run. The remote machine must be nt/xp/2000. If valid connection is made, a server program is installed as service on the remote machine. The service name used is "PipeCmdSrv". The server is copied to c:\windows\system32\PipeCmdSrv.exe

The server Checks for the following named Pipes:

• \\.\pipe\PipeCmd_communicaton
• \\.\pipe\PipeCmd_stderr
• \\.\pipe\PipeCmd_stdin
• \\.\pipe\PipeCmd_stdout

It redirects information from the communication pipe to the command, "cmd.exe /q /c.". The client can then send commands to the remote machine.

Symptoms

The existence of the file and service mentioned above.

Method of Infection

Hacker uses guessed username and password to install trojan.

Removal

All Users:
Use specified engine and DAT files for detection and removal.

Additional Windows ME/XP removal considerations

Variants

Variants

N/A

All Information

Overview -

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Aliases

• Backdoor.Fluxay (Symantec)

• Bck/Xayflu.srv (Panda)

• BKDR_FLUXAY.A (Trend)

Characteristics

Characteristics -

This is a remote access trojan. It consists a client and a server program. It uses pipes to allow remote execution of commands.

The client program requires remote machine ip address, user name and password to run. The remote machine must be nt/xp/2000. If valid connection is made, a server program is installed as service on the remote machine. The service name used is "PipeCmdSrv". The server is copied to c:\windows\system32\PipeCmdSrv.exe

The server Checks for the following named Pipes:

• \\.\pipe\PipeCmd_communicaton
• \\.\pipe\PipeCmd_stderr
• \\.\pipe\PipeCmd_stdin
• \\.\pipe\PipeCmd_stdout

It redirects information from the communication pipe to the command, "cmd.exe /q /c.". The client can then send commands to the remote machine.

Symptoms

Symptoms -

The existence of the file and service mentioned above.

Method of Infection

Method of Infection -

Hacker uses guessed username and password to install trojan.

Removal -

Removal -

All Users:
Use specified engine and DAT files for detection and removal.

Additional Windows ME/XP removal considerations

Variants

Variants -

N/A