McAfee > Theat Center > Virus Detail Page

Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Characteristics

This trojan has been found to be widespread among several universities. In these cases, the recent DCOM RPC vulnerablity has been exploited to copy a backdoor trojan (detected as BackDoor-TC since the 4255 DAT files), and the patch for the DCOM RPC vulnerability. Exploited systems are patched, the backdoor is installed, and the Stealther trojan conceals both the backdoor and itself.

The stealther trojan is designed to hide running processes, files, and registry keys. When run, any file name matching CSRS*.EXE will be hidden from the user. Booting an infected system in to Safe Mode, or connecting to it via network share are 2 ways to view the stealth files.

Details of the recent attack are as follows. Compromised systems contain the following files:

%WinDir%\system32\csrsv.exe	Stealther trojan
%WinDir%\system32\csrsu.exe	ExeStealth packed BackDoor-TC trojan
c:\update.exe	MS03-026 patch

The following registry keys are present:

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CSRSPX
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CSRSWIN1
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\CSRSPX
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\CSRSWIN1
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\CSRSPX
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\CSRSWIN1

The CSRSPX key is responsible for loading the Stealther trojan, to conceal the presence of any file named CSRS*.EXE (in this case the backdoor trojan, as well as the Stealther trojan). Reports have varied in which TCP Port the backdoor trojan is listening on, and is likely configured by the hacker(s) responsible for these attacks.

Symptoms

- MS03-026 vulnerable systems mysteriously getting patched
- Unexpected TCP ports left open

Method of Infection

This trojan is being installed by exploiting vulnerable systems. In at least one case, a Windows task has been scheduled to fetch the trojan files from a remote server.

Removal

All Windows Users :
Use current engine and DAT files for detection and removal. An active infection requires users to reboot into Safe Mode prior to scanning/removing of the trojan.

Manual Removal Instructions

• Restart Windows in Safe Mode.
• Delete the registry keys mentioned above
• Delete the files mentioned above
• Restart the computer

Additional Windows ME/XP removal considerations

Variants

Variants

N/A

All Information

Overview -

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Characteristics

Characteristics -

This trojan has been found to be widespread among several universities. In these cases, the recent DCOM RPC vulnerablity has been exploited to copy a backdoor trojan (detected as BackDoor-TC since the 4255 DAT files), and the patch for the DCOM RPC vulnerability. Exploited systems are patched, the backdoor is installed, and the Stealther trojan conceals both the backdoor and itself.

The stealther trojan is designed to hide running processes, files, and registry keys. When run, any file name matching CSRS*.EXE will be hidden from the user. Booting an infected system in to Safe Mode, or connecting to it via network share are 2 ways to view the stealth files.

Details of the recent attack are as follows. Compromised systems contain the following files:

%WinDir%\system32\csrsv.exe	Stealther trojan
%WinDir%\system32\csrsu.exe	ExeStealth packed BackDoor-TC trojan
c:\update.exe	MS03-026 patch

The following registry keys are present:

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CSRSPX
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CSRSWIN1
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\CSRSPX
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\CSRSWIN1
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\CSRSPX
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\CSRSWIN1

The CSRSPX key is responsible for loading the Stealther trojan, to conceal the presence of any file named CSRS*.EXE (in this case the backdoor trojan, as well as the Stealther trojan). Reports have varied in which TCP Port the backdoor trojan is listening on, and is likely configured by the hacker(s) responsible for these attacks.

Symptoms

Symptoms -

- MS03-026 vulnerable systems mysteriously getting patched
- Unexpected TCP ports left open

Method of Infection

Method of Infection -

This trojan is being installed by exploiting vulnerable systems. In at least one case, a Windows task has been scheduled to fetch the trojan files from a remote server.

Removal -

Removal -

All Windows Users :
Use current engine and DAT files for detection and removal. An active infection requires users to reboot into Safe Mode prior to scanning/removing of the trojan.

Manual Removal Instructions

• Restart Windows in Safe Mode.
• Delete the registry keys mentioned above
• Delete the files mentioned above
• Restart the computer

Additional Windows ME/XP removal considerations

Variants

Variants -

N/A