BackDoor-AUI

Type: Trojan
SubType: Remote Access
Discovery Date: 05/06/2003
Length: Varies (approx 380kB - UPX-packed)
Minimum DAT: 4266 (05/21/2003)
Updated DAT: 4285 (08/13/2003)
Minimum Engine: 5.1.00
Description Added: 06/10/2003
Description Modified: 06/10/2003 5:40 AM (PT)
Risk Assessment
Corporate User: Low
Home User: Low

Characteristics

This detection is for an IRC-based remote access trojan written in Borland Delphi (most likely UPX packed). There are multiple versions of this threat - users are recommended to use the latest engine/DATs for optimal detection.

Once run on the victim machine the following ports are opened:

  • 21 (ftp) - for file upload/download
  • 1090 - for transfer of commands

The trojan installs itself on the victim machine in %SysDir%:

%SysDir%\DIRECTX.EXE (approx 375-380 kB)

The following Registry key is added to hook system startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"directx.exe" = %SysDir%\DIRECTX.EXE

(where %SysDir% is the Windows System directory, e.g. C:\WINNT\SYSTEM32).

Once running, the trojan attempts to connect to a remote IRC server (destination port 6667), join a channel and accept commands, such as the following:

  • info (retrieves information from the victim machine, e.g. video, memory, IP address, etc.)
  • reboot
  • killbot
  • ftpport (change ftp port used)
  • attacks on/off

The following Registry key is added (for maintaining configuration details):

HKEY_LOCAL_MACHINE\Software\ColdVision
"update" = (config data - server version?)

The trojan bears similarities to DDoS-SQLhuc. It is likely that this is a later creation with more functionality.

Symptoms

  • Presence of the Registry keys and files detailed above
  • Unexpected traffic to a remote server (destination port 6667)
  • Ports 21 (ftp) and 1090 unexpectedly open
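As an added defender's check (not part of the original description), the following Python flags the indicators listed under Symptoms in a constructed .reg export and a constructed "netstat -an" style listing: the Run value launching DIRECTX.EXE, the ColdVision configuration key, listeners on ports 21 and 1090, and established connections to remote port 6667. The sample registry and connection data, the "1.2" config value and the benign decoy entries are constructed for illustration.

```python
# Indicators from the BackDoor-AUI description above; the .reg and netstat samples are constructed.
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
CONFIG_KEY = r"hkey_local_machine\software\coldvision"
DROPPED_FILE = "directx.exe"
LISTEN_PORTS = {21, 1090}  # ftp and command ports the trojan opens
IRC_PORT = 6667            # outbound IRC control channel
SAMPLE_REG = r"""[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"directx.exe"="C:\\WINNT\\SYSTEM32\\DIRECTX.EXE"
"Sysmon"="C:\\Windows\\Sysmon.exe"
[HKEY_LOCAL_MACHINE\Software\ColdVision]
"update"="1.2"
"""
SAMPLE_NETSTAT = """  TCP    0.0.0.0:21            0.0.0.0:0             LISTENING
  TCP    0.0.0.0:1090          0.0.0.0:0             LISTENING
  TCP    192.168.1.5:1037      203.0.113.7:6667      ESTABLISHED
  TCP    192.168.1.5:1040      198.51.100.2:443      ESTABLISHED
"""
def parse_reg_export(text):
    # Minimal .reg parser: {key (lowercased): {value name: data}}
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys[current] = {}
        elif current and line.startswith('"'):
            name, _, data = line.partition("=")
            keys[current][name.strip('"')] = data.strip().strip('"')
    return keys
def registry_findings(text):
    # Run value that launches DIRECTX.EXE, plus the ColdVision configuration key
    keys, findings = parse_reg_export(text), []
    for name, data in keys.get(RUN_KEY, {}).items():
        if name.lower() == DROPPED_FILE or data.lower().endswith(DROPPED_FILE):
            findings.append(f"Run value {name!r} -> {data}")
    if CONFIG_KEY in keys:
        findings.append("config key present: HKLM\\Software\\ColdVision")
    return findings

def network_findings(text):
    # Listeners on 21/1090 and established connections to remote port 6667
    findings = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0] == "TCP":
            lport, rport = (int(p.rsplit(":", 1)[1]) for p in parts[1:3])
            if parts[3] == "LISTENING" and lport in LISTEN_PORTS:
                findings.append(f"port {lport} listening")
            elif parts[3] == "ESTABLISHED" and rport == IRC_PORT:
                findings.append(f"connection to {parts[2]} (IRC)")
    return findings
```

On a live host the same functions can be fed the output of "reg export" and "netstat -an"; a match on the Run value alone is the strongest single indicator, since port 21 and 6667 traffic can be legitimate.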

Method of Infection

This IRC trojan installs itself on the victim machine when it is executed. Once running, commands are received via an IRC channel. The hacker is able to upload files to the victim machine via the ftp port (21) which the trojan opens.

Strings within the trojan suggest it is capable of responding to commands related to it spreading over the local network. Upon the relevant command, a batch script may be written to the victim machine which attempts to connect to poorly secured shares on remote machines. The following username/password combinations are within the trojan:

Username        Password
(blank)         administrator
admin           admin
admin           administrator
administrator   administrator
changeme        administrator
pass            administrator
password        administrator
root            root
temp123         administrator
temp            administrator
test123         administrator
test            administrator
test            test

If successful, the batch script is intended to copy the trojan to the remote share and use the RemoteProcessLaunch application to execute the file remotely.

Other strings within the trojan suggest it can use a utility (referenced as "SQLSCAN.EXE") to scan for remote vulnerable SQL servers.

Please note: neither the RemoteProcessLaunch application nor the scanner for finding vulnerable SQL servers is dropped by the trojan. These (and other) files can be uploaded to the victim machine via the ftp port (21), which is opened while the remote access trojan is running.

Removal

All Users:
Use specified engine and DAT files for detection.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be removed when cleaning with the current engine and the specified DATs (or higher). Older engines may not be able to remove all Registry keys created by this threat.

Variants

N/A

Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Aliases

  • Backdoor.Delf.fw (AVP)
