Content

BackDoor-ATG

Type
Trojan
SubType
Remote Access
Discovery Date
04/21/2003
Length
Varies
Minimum DAT
4260 (04/30/2003)
Updated DAT
4568 (08/26/2005)
Minimum Engine
5.1.00
Description Added
04/21/2003
Description Modified
05/08/2003 5:17 AM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Tab Navigation

Characteristics

McAfee products using the 4.2.40 engine and 4253 DATs (or greater) with program heuristics enabled proactively detect the server component as 'trojan or variant VB-BackDoor2.gen' (assuming scanning of compressed files is enabled).

There are multiple variants of this trojan, and the specific actions taken are decided by the hacker who uses this trojan, so this description is a general guide.

As with most remote access trojans, this threat appears to consists of multiple components: the configuration, client and server components. Once the server is running on the victim machine, the hacker is able to connect (and administer that machine) using the client component. The configuration component would allow the hacker to create slightly different versions of the trojan.

When run on the victim's machine, the server component installs itself onto the system, typically copying itself to the Windows or System directory. For example, as C:\WINDOWS\SYSTEM\SHELL32EXEC.EXE.

The server component can be used to offer many remote-administration functions to the hacker. These typically include:

  • Opening/closing CD tray
  • Turning on and off speakers
  • Enabling/Disabling Ctrl+Alt+Del
  • Minimizing windows
  • Forcing system log-off/restart/shut-down/power-off
  • Opening the internet browser/Notepad
  • Retrieving/Sending victim machine information (Windows version/Computer name/Environment variables/passwords)

    The server is added to an autostart registry key, though the values vary. Here's an example from one sample AVERT received:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    "ctfmon.exe" = %SysDir%\shell32exec.exe

    • Symptoms

    The indications of the presence of this trojan are typical for infection by remote access trojan:

  • Unusual/unexpected ports open on machine. (In the samples received by AVERT this was port 12345)
  • Existence of the files detailed above
  • Unusual behaviour on victim machine, explainable by unauthorised remote administration.

    • Method of Infection

    Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, etc.

    Removal

    All Users:
    Use current engine and DAT files for detection and removal.

    Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

    Additional Windows ME/XP removal considerations

    Variants

    Variants

      N/A

    All Information

    Overview -

    This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

    Characteristics

    Characteristics -

    McAfee products using the 4.2.40 engine and 4253 DATs (or greater) with program heuristics enabled proactively detect the server component as 'trojan or variant VB-BackDoor2.gen' (assuming scanning of compressed files is enabled).

    There are multiple variants of this trojan, and the specific actions taken are decided by the hacker who uses this trojan, so this description is a general guide.

    As with most remote access trojans, this threat appears to consists of multiple components: the configuration, client and server components. Once the server is running on the victim machine, the hacker is able to connect (and administer that machine) using the client component. The configuration component would allow the hacker to create slightly different versions of the trojan.

    When run on the victim's machine, the server component installs itself onto the system, typically copying itself to the Windows or System directory. For example, as C:\WINDOWS\SYSTEM\SHELL32EXEC.EXE.

    The server component can be used to offer many remote-administration functions to the hacker. These typically include:

  • Opening/closing CD tray
  • Turning on and off speakers
  • Enabling/Disabling Ctrl+Alt+Del
  • Minimizing windows
  • Forcing system log-off/restart/shut-down/power-off
  • Opening the internet browser/Notepad
  • Retrieving/Sending victim machine information (Windows version/Computer name/Environment variables/passwords)

    The server is added to an autostart registry key, though the values vary. Here's an example from one sample AVERT received:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    "ctfmon.exe" = %SysDir%\shell32exec.exe

    • Symptoms

    Symptoms -

    The indications of the presence of this trojan are typical for infection by remote access trojan:

  • Unusual/unexpected ports open on machine. (In the samples received by AVERT this was port 12345)
  • Existence of the files detailed above
  • Unusual behaviour on victim machine, explainable by unauthorised remote administration.

    • Method of Infection

    Method of Infection -

    Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, etc.

    Removal -

    Removal -

    All Users:
    Use current engine and DAT files for detection and removal.

    Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

    Additional Windows ME/XP removal considerations

    Variants

    Variants -

      N/A