BackDoor-AZV.gen

Type
Trojan
SubType
Remote Access
Discovery Date
06/30/2004
Length
18,976 bytes
Minimum DAT
4360 (05/12/2004)
Updated DAT
5222 (02/04/2008)
Minimum Engine
5.1.00
Description Added
04/26/2004
Description Modified
07/26/2004 1:23 AM (PT)
Risk Assessment
Corporate User
Low-Profiled
Home User
Low-Profiled

Characteristics

-- Update July 26th 2004 --

The risk assessment for this threat has been updated to Low-Profiled due to media attention at the link below. The article refers to it as the "Bin Laden virus":

http://www.news10.net/storyfull1.asp?id=7654

--

This is a generic detection for this backdoor trojan and covers many variants of this malware.

Recently, however, this threat has been posted to various Internet newsgroups in a message enticing users to click on a link that leads to the download of the trojan. The trojan is proactively detected as Backdoor-AZV.gen using the 4360 DATs + 4.2.40 engine combination and above, available since 5/12/2004.

The following message format was posted to various Internet newsgroups:

Subject: Osama Found Hanged
Body:
Osama Bin Ladin was found hanged by two CNN journalists early Wedensday evening.  As evidence they took several photos, some of which i have included here.  As yet, this information has not hit the headlines due to Bush wanting confirmation of his identity but the journalists have released some early photos over the internet..
http://www.theparadisenet.(blocked).net/OsamaFoundDead.zip

Installation

Upon execution, the trojan installs itself into the %WINDIR%\System directory as ZoneLockup.exe.

(Where %Windir% is the Windows directory, for example C:\WINDOWS)

For example:

C:\Windows\System\ZoneLockup.exe

The following Registry value is added to hook system startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"Winsock32driver" = ZoneLockup.exe

The trojan creates the following mutex to ensure that only one instance is running:

  • botsmfdutpex

Remote Access

The trojan attempts to provide remote access to the attacker in two ways:

  • Connects to the IRC host osama.hackarmy.tk on destination port 6666 or 6667
  • Continuously opens a sequence of listening ports on the infected system, starting from port 2000

Once a connection is established, the following actions can be performed:

  • download and execute remote file
  • infected system acts as socks4 proxy
  • terminate processes
  • read IRC log file

Symptoms

  • Existence of the abovementioned files and registry keys
  • Many ports are opened.
  • Firewall reports "Generic Host Process for Win32 Services" requesting access to an unexpected domain (remote port 6666 or 6667):
    • osama.hackarmy.tk
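The Installation and Symptoms sections above list the host and network indicators of this trojan: the ZoneLockup.exe file, the "Winsock32driver" Run value, the botsmfdutpex mutex, IRC traffic to osama.hackarmy.tk on port 6666/6667, and a run of listening ports starting at 2000. The following Python script is an added triage example written for this page; it is not McAfee's code. It takes already-collected artifacts as input (an exported Run key, firewall log lines, a listening-port list and a mutex list) and reports which indicators match. The log line format, the threshold of eight consecutive ports, and all sample data are constructed assumptions; live collection of these artifacts from a Windows host is outside the script.

```python
import re
from dataclasses import dataclass, field

# Indicators taken from the advisory text.
IOC_FILE = "ZoneLockup.exe"
IOC_RUN_VALUE = "Winsock32driver"
IOC_MUTEX = "botsmfdutpex"
IOC_IRC_HOST = "osama.hackarmy.tk"
IOC_IRC_PORTS = {6666, 6667}
IOC_PORT_SWEEP_START = 2000
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed (hypothetical) firewall log format:
#   "<date> <time> <proto> <process> <src-ip>:<port> -> <dst-host>:<port> <verdict>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+ \S+)\s+(?P<proto>TCP|UDP)\s+(?P<proc>\S+)\s+\S+\s+->\s+"
    r"(?P<dst>[\w.\-]+):(?P<port>\d+)"
)


@dataclass
class TriageResult:
    findings: list = field(default_factory=list)

    @property
    def infected(self) -> bool:
        return bool(self.findings)


def check_run_key(run_entries: dict) -> list:
    """Flag Run values matching the advisory: by value name or by payload file name."""
    hits = []
    for name, data in run_entries.items():
        if name.lower() == IOC_RUN_VALUE.lower() or data.lower().endswith(IOC_FILE.lower()):
            hits.append(f'{RUN_KEY}\\"{name}" = {data}')
    return hits


def check_firewall_log(lines: list) -> list:
    """Return log lines with traffic to the IRC C2 host or to remote port 6666/6667."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # unparseable line; ignore rather than guess
        if m.group("dst").lower() == IOC_IRC_HOST or int(m.group("port")) in IOC_IRC_PORTS:
            hits.append(line.strip())
    return hits


def consecutive_listeners_from(listening_ports: list, start: int = IOC_PORT_SWEEP_START) -> int:
    """Count how many consecutive ports are listening starting at `start` (2000, 2001, ...)."""
    ports = set(listening_ports)
    n = 0
    while start + n in ports:
        n += 1
    return n


def check_mutexes(mutex_names: list) -> list:
    return [m for m in mutex_names if m == IOC_MUTEX]


def triage(run_entries, firewall_lines, listening_ports, mutex_names, sweep_threshold=8) -> TriageResult:
    """Combine the individual checks; any hit marks the host as suspicious."""
    r = TriageResult()
    r.findings += [f"run-key: {h}" for h in check_run_key(run_entries)]
    r.findings += [f"firewall: {h}" for h in check_firewall_log(firewall_lines)]
    n = consecutive_listeners_from(listening_ports)
    if n >= sweep_threshold:  # threshold is an assumption, not from the advisory
        r.findings.append(f"port-sweep: {n} consecutive listeners from {IOC_PORT_SWEEP_START}")
    r.findings += [f"mutex: {m}" for m in check_mutexes(mutex_names)]
    return r


# --- Constructed sample input (not real captured data) ---
SAMPLE_RUN_ENTRIES = {
    "Winsock32driver": "ZoneLockup.exe",
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
}
SAMPLE_FIREWALL_LOG = [
    "2004-07-26 01:23:00 TCP svchost.exe 192.168.1.10:1045 -> osama.hackarmy.tk:6667 ALLOW",
    "2004-07-26 01:24:10 TCP iexplore.exe 192.168.1.10:1046 -> 10.0.0.5:443 ALLOW",
    "2004-07-26 01:24:11 UDP svchost.exe 192.168.1.10:1047 -> 10.0.0.1:53 ALLOW",
]
SAMPLE_LISTENING_PORTS = [135, 139, 445] + list(range(2000, 2012))
SAMPLE_MUTEXES = ["ShimCacheMutex", "botsmfdutpex"]

CLEAN_RUN_ENTRIES = {"ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe"}
CLEAN_LISTENING_PORTS = [135, 139, 445]


if __name__ == "__main__":
    result = triage(SAMPLE_RUN_ENTRIES, SAMPLE_FIREWALL_LOG, SAMPLE_LISTENING_PORTS, SAMPLE_MUTEXES)
    for f in result.findings:
        print("FINDING:", f)
    print("infected" if result.infected else "clean")
```

Each check is kept separate so a single indicator (for example only the firewall hit, when the file has already been cleaned) still surfaces; the port-sweep check counts a contiguous run from 2000 rather than a raw count of open ports, which avoids flagging hosts that simply run many services.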

Method of Infection

  • Accessing URLs that lead to the trojan being downloaded onto the system
  • Receiving HTML emails containing links to this trojan

Removal

All Users:
Use specified engine and DAT files for detection. The 4.2.40 engine can complete repair without reboot, but older engines require a reboot for repair to complete.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the current engine and DAT combination (or higher); older engines may not be able to remove all registry keys created by this threat.

Additional Windows ME/XP removal considerations

Variants

    N/A

Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Aliases

  • Backdoor-Hackarmy.gen (Kaspersky)
  • Win32.Rawbot.AN (CA)
