McAfee > Theat Center > Virus Detail Page

Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Aliases

• Backdoor.Delf.fr (AVP)

• BackDoor.LMR.20 (Dr.Web)

• Win32.LMR.20 (CA)

Characteristics

This is a remote access backdoor trojan. There are several versions of this trojan existed. Newer version requires the latest DAT file for detection.

It creates the following registry key in order to load itself at Windows start up:

• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  "svced" = C:\WINDOWS\SYSTEM\svced.exe

Once the server is running, it opens port 25226, 45672 and listens on these ports. Hacker can use the trojan client program to connect to server and perform the following tasks on victim's machine:

• Configure backdoor server.
• Open/Close CD Rom, start CD-timer.
• Configure keyboard and mouse.
• Configure beep sound, play media file.
• Flash screen, set wallpaper, show/hide desktop, show/hide taskbar, show/hide start button, turn on/off monitor, screen shot etc.
• Display message box.
• Shutdown, restart, log off Windows.
• Chat with other client on the network.
• Open a web page, send mail.
• Clipboard operation.
• Get running processes info, kill process, show/hide windows, etc
• Get local file info, download file from web.
• FTP server, DOS command.
• Get system information.
• Perform print operation.
• Remote registry.
• Reset various system display settings.
• Get remote access connection information.

Symptoms

Existence of the file and registry entry mentioned above. Port 25226, 45672 are left open.

Method of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, etc.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

Variants

N/A

All Information

Overview -

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Aliases

• Backdoor.Delf.fr (AVP)

• BackDoor.LMR.20 (Dr.Web)

• Win32.LMR.20 (CA)

Characteristics

Characteristics -

This is a remote access backdoor trojan. There are several versions of this trojan existed. Newer version requires the latest DAT file for detection.

It creates the following registry key in order to load itself at Windows start up:

• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  "svced" = C:\WINDOWS\SYSTEM\svced.exe

Once the server is running, it opens port 25226, 45672 and listens on these ports. Hacker can use the trojan client program to connect to server and perform the following tasks on victim's machine:

• Configure backdoor server.
• Open/Close CD Rom, start CD-timer.
• Configure keyboard and mouse.
• Configure beep sound, play media file.
• Flash screen, set wallpaper, show/hide desktop, show/hide taskbar, show/hide start button, turn on/off monitor, screen shot etc.
• Display message box.
• Shutdown, restart, log off Windows.
• Chat with other client on the network.
• Open a web page, send mail.
• Clipboard operation.
• Get running processes info, kill process, show/hide windows, etc
• Get local file info, download file from web.
• FTP server, DOS command.
• Get system information.
• Perform print operation.
• Remote registry.
• Reset various system display settings.
• Get remote access connection information.

Symptoms

Symptoms -

Existence of the file and registry entry mentioned above. Port 25226, 45672 are left open.

Method of Infection

Method of Infection -

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, etc.

Removal -

Removal -

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

Variants -

N/A