BackDoor-BAC.gen
- Type
- Trojan
- SubType
- Remote Access
- Discovery Date
- 03/22/2005
- Length
- varies
- Minimum DAT
- 4347 (04/04/2004)
- Updated DAT
- 6546 (11/30/2011)
- Minimum Engine
- 5.2.00
- Description Added
- 04/27/2004
- Description Modified
- 10/13/2008 4:55 AM (PT)
Risk Assessment
- Corporate User
- Low-Profiled
- Home User
- Low-Profiled
Characteristics
-- Update October 13, 2008 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://www.vnunet.com/vnunet/news/2228041/malware-writers-spoof-patch
--
BackDoor-BAC.gen is a trojan intended to silently download and execute malicious content from a remote server. It is also capable of stealing sensitive information from the infected machine.
When the executable is run on the victim machine, the trojan drops the following files (the detection name for each is given after the arrow):
- %WINDIR%\system32\gzipmod.dll (22,134 bytes) --> Generic PWS.y
- %WINDIR%\system32\vbagz.sys (8,720 bytes) --> BackDoor-BAC.gen
- %WINDIR%\system32\k86.bin (varies) --> Harvested keystrokes
The following entries are created in the registry:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\gzipmod
"DllName" = "gzipmod.dll"
"Startup" = "gzipmod"
"Impersonate" = "0x00000001"
"Asynchronous" = "0x00000001"
"MaxWait" = "0x00000001"
The trojan steals sensitive information from the machine and logs it to the k86.bin file. It also injects itself into the Internet Explorer and Explorer processes.
The trojan automatically connects to the following URL and downloads additional files to the system:
hxxp://social-[blocked].biz/jerken2/data.php
Note: Because the site the trojan communicates with is normally controlled by the malware author, any files downloaded can be modified remotely and the behaviour of these new binaries altered, possibly with every new infection.
Symptoms
- Existence of the Registry key described above
- Outgoing HTTP traffic to the domain hxxp://social-[blocked].biz
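The two symptoms above can be checked mechanically. The following is an added Python example (not McAfee's code) that looks for the advisory's indicators in three constructed inputs: a .reg export of the Winlogon\Notify key, a system32 directory listing and a few proxy log lines. The page redacts the C2 host, so it is kept as a labelled placeholder.

```python
import re

# Indicators as given in the advisory. The page redacts the C2 host, so it
# is kept as a labelled placeholder to be replaced from your own intel.
NOTIFY_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT"
              r"\CurrentVersion\Winlogon\Notify\gzipmod")
DROPPED_FILES = {"gzipmod.dll", "vbagz.sys", "k86.bin"}
C2_HOST_PLACEHOLDER = "social-[blocked].biz"  # placeholder, not the real host


def find_notify_persistence(reg_export):
    """Parse a .reg export (as text); return the values stored under the
    Winlogon\\Notify\\gzipmod key, or {} when the key is absent."""
    values, in_key = {}, False
    for line in reg_export.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_key = line[1:-1].lower() == NOTIFY_KEY.lower()
        elif in_key and "=" in line:
            name, _, val = line.partition("=")
            values[name.strip().strip('"')] = val.strip().strip('"')
    return values


def find_dropped_files(dir_listing):
    """Return the advisory's dropped file names present in a system32 listing."""
    return {p.rsplit("\\", 1)[-1].lower() for p in dir_listing} & DROPPED_FILES


def find_c2_traffic(proxy_lines, c2_host=C2_HOST_PLACEHOLDER):
    """Return proxy log lines whose request URL is on the C2 host."""
    pattern = re.compile(r"https?://" + re.escape(c2_host) + r"(?:[/:]|\s|$)")
    return [l for l in proxy_lines if pattern.search(l)]


# Constructed sample inputs (not captured from a real infection).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\gzipmod]
"DllName"="gzipmod.dll"
"Startup"="gzipmod"
"Impersonate"=dword:00000001
"""
SAMPLE_LISTING = [r"C:\WINDOWS\system32\gzipmod.dll", r"C:\WINDOWS\system32\vbagz.sys",
                  r"C:\WINDOWS\system32\k86.bin", r"C:\WINDOWS\system32\kernel32.dll"]
SAMPLE_PROXY = [
    "2008-10-13 04:55:01 10.0.0.7 GET http://social-[blocked].biz/jerken2/data.php 200",
    "2008-10-13 04:55:02 10.0.0.7 GET http://www.example.com/index.html 200",
]
```

On a live host, feed `find_notify_persistence` the output of `reg export` for the Winlogon key and `find_c2_traffic` your proxy logs with the real host substituted for the placeholder.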
Method of Infection
This trojan is widely spammed and exists purely to steal sensitive information and to download and run other remote files.
Removal
A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.
Variants
N/A
Aliases
- Backdoor:Win32/Haxdoor (Microsoft)