
BackDoor-AXJ

Type
Trojan
SubType
Remote Access
Discovery Date
07/16/2003
Length
varies
Minimum DAT
4277 (07/16/2003)
Updated DAT
4892 (11/09/2006)
Minimum Engine
5.1.00
Description Added
07/16/2003
Description Modified
07/09/2007 3:47 AM (PT)
Risk Assessment
Corporate User
Low-Profiled
Home User
Low-Profiled

Characteristics

-- Update June 25, 2004 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention, for example:

http://www.heise.de/security/news/meldung/48589
or
http://www.uscert.gov/current/current_activity.html

The media attention concerns recent IIS website hacks which have been performed in order to install this backdoor trojan on victim machines. For further details concerning vulnerable IIS servers and IE clients, see the following link:

http://www.microsoft.com/security/incident/download_ject.mspx

-- Update June 24, 2004 --
Several websites were recently hacked to serve exploit script code that results in a new polymorphic variant of BackDoor-AXJ being installed.

Earlier variants of this remote access trojan were likely to be downloaded via a downloader trojan (detected as Downloader-DI). Multiple versions of the downloader are known to have been spammed to users.

Multiple versions of this remote access trojan are known to exist; users are recommended to use the daily DATs for optimal detection.

Once running on the victim machine, the trojan serves multiple functions:

  • acts as a web proxy
  • can check remote server for updates
  • cached passwords on the victim machine are logged (for sending to the hacker)

When it is run, the remote access trojan installs itself into %SysDir% (eg. C:\WINNT\SYSTEM32) with a random 8-character filename. A DLL is also dropped into this directory, again with a seemingly random 8-character filename. For example:

C:\WINNT\SYSTEM32\OQLCINEI.EXE (39,140 bytes - copy of trojan)
C:\WINNT\SYSTEM32\BAGMBBPJ.DLL (5,633 bytes - dropped DLL)

Two ports are opened on the victim machine. Exact port numbers used vary between variants. One is used for the web proxy, the other for communication. Ports used in samples seen thus far include:

  • 7714
  • 8546
  • 12334
  • 12324

Notification is sent to the hacker via HTTP, by sending data to a remote PHP script. This data includes the IP address of the machine and the port numbers opened. It also includes an "identification string", presumably used to validate communication with the trojan.

System startup is hooked (via the dropped DLL) by the Registry modifications listed under Installation below.

Once running, other data files are written to the victim machine (%SysDir%). These files share the base name NTXGL16 with DAT, SYS and VXD extensions, for example:

  • C:\WINNT\SYSTEM32\NTXGL16.DAT - used for storing cached passwords retrieved from the victim machine, prior to sending to hacker.
  • C:\WINNT\SYSTEM32\NTXGL16.SYS
  • C:\WINNT\SYSTEM32\NTXGL16.VXD - contains contents of a remote data file which is retrieved (via HTTP) by the trojan.

Installation

The following values:

"(Default)" = (path to dropped DLL, eg: C:\WINNT\System32\Bbdgff32.dll)

"ThreadingModel" = Apartment

are added to the following key:

HKEY_CLASSES_ROOT\CLSID\
{79FA9088-19CE-715D-D85A-216290C5B738}\InProcServer32

and this value:

"Web Event Logger" = {79FA9088-19CE-715D-D85A-216290C5B738}

is added to the following key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
ShellServiceObjectDelayLoad

Explorer loads every COM object listed under ShellServiceObjectDelayLoad when the shell starts, so the dropped DLL is loaded at each logon without any entry under the usual Run keys. The DLL then executes the (randomly named) EXE.

Other Registry modifications are also made. The values:

"FormSuggest Passwords" = yes

"FormSuggest PW Ask" = yes

"Use FormSuggest" = yes

are added to the following key:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main

These values switch on Internet Explorer's AutoComplete for form user names and passwords, so that credentials typed into web forms are saved on the machine where the trojan can collect them. Strings in the trojan body reference WNetEnumCachedPasswords (MPR.DLL) and PStoreCreateInstance (pstorec.dll), the APIs used to enumerate cached passwords and to read Protected Storage (where Internet Explorer keeps AutoComplete data), which is consistent with the password logging described above.

Symptoms

  • existence of the Registry values and files detailed above
  • unexpected listening ports on the victim machine (7714 and 8546 in the samples described above; other variants use different ports)
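The following Python script is an added example and is not part of the McAfee description: it triages artifacts already exported from a suspect host (a `reg export` text, a `netstat -an` listing and a list of file names from %SysDir%) for the indicators listed in the Characteristics, Installation and Symptoms sections, so it runs on an analyst workstation without touching the live machine. The ShellServiceObjectDelayLoad audit is general: it resolves every entry to the DLL Explorer will load, not only the AXJ CLSID. The sample registry export, netstat output and file list are constructed, and the "BenignEntry" value and its all-zero CLSID are made up to show a clean entry for contrast.

```python
"""Offline triage of artifacts exported from a suspect host for the BackDoor-AXJ
indicators above; inputs are `reg export` text, `netstat -an` output and %SysDir% names."""
import re

AXJ_CLSID = "{79FA9088-19CE-715D-D85A-216290C5B738}"
SSODL_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
             r"\ShellServiceObjectDelayLoad").lower()
IE_MAIN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main".lower()
FORMSUGGEST_VALUES = ("FormSuggest Passwords", "FormSuggest PW Ask", "Use FormSuggest")
KNOWN_PORTS = {7714, 8546, 12334, 12324}
DATA_FILES = {"NTXGL16.DAT", "NTXGL16.SYS", "NTXGL16.VXD"}
RANDOM_NAME = re.compile(r"^[A-Z0-9]{8}\.DLL$", re.IGNORECASE)  # e.g. BAGMBBPJ.DLL

def parse_reg_export(text):
    """Parse `reg export` text into {key (lower-cased): {value_name: data}}; only
    string data is unescaped, other types keep their raw right-hand side."""
    hives, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            hives.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, _, data = line.partition("=")
        name = "(Default)" if name == "@" else name.strip('"')
        if data.startswith('"') and data.endswith('"'):
            data = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
        hives[current][name] = data
    return hives

def audit_ssodl(hives):
    """Resolve each ShellServiceObjectDelayLoad entry to the DLL Explorer loads at
    logon (any entry, not only AXJ's). Returns (name, clsid, dll, verdict) tuples."""
    findings = []
    for name, clsid in hives.get(SSODL_KEY, {}).items():
        server_key = ("HKEY_CLASSES_ROOT\\CLSID\\" + clsid + "\\InProcServer32").lower()
        dll = hives.get(server_key, {}).get("(Default)", "")
        if clsid.upper() == AXJ_CLSID:
            verdict = "known BackDoor-AXJ CLSID"
        elif not dll:
            verdict = "unresolved CLSID (no InProcServer32 in export)"
        elif RANDOM_NAME.match(dll.rsplit("\\", 1)[-1]):
            verdict = "review: 8-character DLL name, the pattern AXJ drops use"
        else:
            verdict = "review"
        findings.append((name, clsid, dll, verdict))
    return findings

def audit_formsuggest(hives):
    """IE AutoComplete values that have been forced to 'yes'."""
    main = hives.get(IE_MAIN_KEY, {})
    return {v: main[v] for v in FORMSUGGEST_VALUES if main.get(v, "").lower() == "yes"}

def listening_ports(netstat_text):
    """TCP ports in LISTENING state from `netstat -an` output."""
    ports = set()
    for line in netstat_text.splitlines():
        p = line.split()
        if len(p) >= 4 and p[0].upper() == "TCP" and p[-1].upper() == "LISTENING":
            ports.add(int(p[1].rsplit(":", 1)[-1]))
    return ports

def scan(reg_text, netstat_text, sysdir_files):
    """Run every check and return one report dictionary."""
    hives = parse_reg_export(reg_text)
    return {
        "ssodl": audit_ssodl(hives),
        "formsuggest_forced": audit_formsuggest(hives),
        "known_ports_open": sorted(listening_ports(netstat_text) & KNOWN_PORTS),
        "data_files": sorted(f for f in sysdir_files if f.upper() in DATA_FILES),
    }

# Constructed sample inputs: the AXJ entries mirror the description above; "BenignEntry"
# and its all-zero CLSID are made up to show a clean entry for contrast.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\CLSID\{79FA9088-19CE-715D-D85A-216290C5B738}\InProcServer32]
@="C:\\WINNT\\System32\\Bbdgff32.dll"
[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-0000000000AA}\InProcServer32]
@="C:\\WINNT\\System32\\benign.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"BenignEntry"="{00000000-0000-0000-0000-0000000000AA}"
"Web Event Logger"="{79FA9088-19CE-715D-D85A-216290C5B738}"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"FormSuggest Passwords"="yes"
"FormSuggest PW Ask"="yes"
"Use FormSuggest"="yes"
'''
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:7714           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:8546           0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1038       10.0.0.2:80            ESTABLISHED
"""
SAMPLE_SYSDIR = ["kernel32.dll", "NTXGL16.DAT", "ntxgl16.vxd", "OQLCINEI.EXE", "BAGMBBPJ.DLL"]

if __name__ == "__main__":
    for section, result in scan(SAMPLE_REG, SAMPLE_NETSTAT, SAMPLE_SYSDIR).items():
        print(section, result)
```

The 8-character name check is a prompt for review rather than a verdict: legitimate shell DLLs can have eight-letter names too, so the analyst still has to look at the resolved path for anything not matching the known CLSID. Feed it real exports with `reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad`, `reg export HKCR\CLSID` and `reg export "HKCU\Software\Microsoft\Internet Explorer\Main"` concatenated into one text.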

Method of Infection

Earlier variants of this remote access trojan are likely to be downloaded via Downloader-DI, which is known to have been spammed to users.

-- Update June 25th 2004 --
A new polymorphic variant of this trojan is likely to be installed when the victim browses a specifically-hacked IIS website (see above).

Removal

All Users:
Use the current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be removed when cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

    N/A

Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Aliases

  • BackDoor-AXJ.gen (polymorphic variant)
  • Backdoor.Berbew (NAV)
  • Webber
