Content

BackDoor-ASR

Type
Trojan
SubType
Remote Access
Discovery Date
04/10/2003
Length
16,384 (svr)
Minimum DAT
4258 (04/16/2003)
Updated DAT
4691 (02/07/2006)
Minimum Engine
5.1.00
Description Added
04/10/2003
Description Modified
04/10/2003 8:25 PM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Tab Navigation

Characteristics

This is a remote access trojan. It consists a client and a server program. It uses pipes to allow remote execution of commands.

The client program requires remote machine ip address, user name and password to run. The remote machine must be nt/xp/2000. If valid connection is made, a server program is installed as service on the remote machine. The service name used is "PipeCmdSrv". The server is copied to c:\windows\system32\PipeCmdSrv.exe

The server Checks for the following named Pipes:

  • \\.\pipe\PipeCmd_communicaton
  • \\.\pipe\PipeCmd_stderr
  • \\.\pipe\PipeCmd_stdin
  • \\.\pipe\PipeCmd_stdout
It redirects information from the communication pipe to the command, "cmd.exe /q /c.". The client can then send commands to the remote machine.

Symptoms

The existence of the file and service mentioned above.

Method of Infection

Hacker uses guessed username and password to install trojan.

Removal

All Users:
Use specified engine and DAT files for detection and removal.

Additional Windows ME/XP removal considerations

Variants

Variants

    N/A

All Information

Overview -

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Aliases

  • Backdoor.Fluxay (Symantec)
  • Bck/Xayflu.srv (Panda)
  • BKDR_FLUXAY.A (Trend)

Characteristics

Characteristics -

This is a remote access trojan. It consists a client and a server program. It uses pipes to allow remote execution of commands.

The client program requires remote machine ip address, user name and password to run. The remote machine must be nt/xp/2000. If valid connection is made, a server program is installed as service on the remote machine. The service name used is "PipeCmdSrv". The server is copied to c:\windows\system32\PipeCmdSrv.exe

The server Checks for the following named Pipes:

  • \\.\pipe\PipeCmd_communicaton
  • \\.\pipe\PipeCmd_stderr
  • \\.\pipe\PipeCmd_stdin
  • \\.\pipe\PipeCmd_stdout
It redirects information from the communication pipe to the command, "cmd.exe /q /c.". The client can then send commands to the remote machine.

Symptoms

Symptoms -

The existence of the file and service mentioned above.

Method of Infection

Method of Infection -

Hacker uses guessed username and password to install trojan.

Removal -

Removal -

All Users:
Use specified engine and DAT files for detection and removal.

Additional Windows ME/XP removal considerations

Variants

Variants -

    N/A