BackDoor-CGT

Type: Trojan
SubType: Remote Access
Discovery Date: 07/13/2004
Length: 15,360 (EXE); 3,072 (DLL)
Minimum DAT: 4376 (07/14/2004)
Updated DAT: 4380 (07/21/2004)
Minimum Engine: 5.1.00
Description Added: 07/13/2004
Description Modified: 01/11/2006 11:43 PM (PT)
Risk Assessment: Corporate User - Low; Home User - Low

Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Aliases

  • SS.EXE
  • Trj/Xebiz.A (Panda)

Characteristics

-- Update August 4th 2004 --
A recent spam run has been reported that is intended to install this remote access trojan on the victim machine. The infection mechanism is summarised below:

  • the spammed email redirects the victim to a web page which contains a script dropper. This dropper is detected as VBS/Inor.
  • the dropper drops a 2,560 byte file (C:\X.EXE) and executes it, passing it the URL of a further remote binary. X.EXE is a downloader trojan, detected as Proxy-Hino.dldr since the 4300 DATs (Oct 29th 2003).
  • the final remote binary (at time of writing) is SS.EXE (15,360 bytes). This is BackDoor-CGT, as described below.

--

-- Update July 13th 2004 --
The risk assessment of this threat has been upgraded to Low-Profiled due to media attention at:

http://www.theinquirer.net/?article=17190

BackDoor-CGT is referred to as SS trojan within the article. Detection is included in the Daily DATs, and will be included in the next scheduled weekly release. Please see the removal instructions for a link to the EXTRA.DAT packages.

--

This detection is for a backdoor trojan that is likely to be installed after viewing an email message that has recently been spammed out. A script within the email message results in a script dropper (detected as VBS/Inor) being executed on the victim machine. This dropper writes and executes the following binary, which is the backdoor trojan:

  • SS.EXE (15,360 bytes)

When run, the following files are installed on the victim machine:

  • %SysDir%\dss.dll (3,072 bytes) - launcher for the trojan
  • %SysDir%\dssa.dll (3,072 bytes) - restores trojan from backup
  • %SysDir%\ss.dat (15,360 bytes) - backup of the trojan (slightly modified)
  • %SysDir%\ss.exe (15,360 bytes) - copy of the trojan

The dropped DLLs are detected as BackDoor-CGT.dll with the specified DATs. The backup of the trojan is not a simple copy. Instead, some conversions have been applied to it (altering ASCII case, swapping nulls and spaces, etc.). The backup is detected as BackDoor-CGT.bak.

The following Registry keys are added to hook system startup:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
    ShellServiceObjectDelayLoad "ss"
    = {0C5647C2-06B8-4BDD-842E-6929B0BC5833}
  • HKEY_CLASSES_ROOT\CLSID\{0C5647C2-06B8-4BDD-842E-6929B0BC5833}\
    InProcServer32 "(Default)" = dssa.dll
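As an added example, not part of the McAfee description, the following PowerShell script sweeps a Windows host for the file and Registry artifacts listed above and reports what it finds. It assumes the file names, sizes, Registry paths and CLSID are exactly as given in this description; it only reads and reports (it removes nothing), and it should be run from an elevated prompt so that HKLM and the CLSID hive are fully visible.

```powershell
# Added example: read-only sweep for the BackDoor-CGT artifacts listed in the advisory.
# Assumptions (from the advisory text): file names and sizes under %SysDir%, the SSODL
# value name "ss", and the CLSID {0C5647C2-06B8-4BDD-842E-6929B0BC5833}.

$SysDir = [Environment]::GetFolderPath('System')
$Clsid  = '{0C5647C2-06B8-4BDD-842E-6929B0BC5833}'

# File artifacts: name -> expected size in bytes, as stated in the advisory
$Files = @{
    'dss.dll'  = 3072
    'dssa.dll' = 3072
    'ss.dat'   = 15360
    'ss.exe'   = 15360
}

$Findings = @()

foreach ($name in $Files.Keys) {
    $path = Join-Path $SysDir $name
    if (Test-Path -LiteralPath $path) {
        $size = (Get-Item -LiteralPath $path).Length
        $note = if ($size -eq $Files[$name]) {
            'size matches advisory'
        } else {
            "size $size differs from advisory ($($Files[$name])); possible variant"
        }
        $Findings += [pscustomobject]@{ Kind = 'File'; Item = $path; Detail = $note }
    }
}

# Startup hook: ShellServiceObjectDelayLoad value "ss" pointing at the CLSID
$ssodl = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
$val = Get-ItemProperty -Path $ssodl -Name 'ss' -ErrorAction SilentlyContinue
if ($val) {
    $Findings += [pscustomobject]@{ Kind = 'Registry'; Item = "$ssodl\ss"; Detail = "value = $($val.ss)" }
}

# CLSID registration whose in-process server is the dropped dssa.dll
$inproc = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid\InProcServer32"
$srv = Get-ItemProperty -Path $inproc -ErrorAction SilentlyContinue
if ($srv) {
    $Findings += [pscustomobject]@{ Kind = 'Registry'; Item = $inproc; Detail = "(Default) = $($srv.'(default)')" }
}

# Every SSODL entry is loaded by the shell at logon, so list them all: an unexpected
# CLSID here stands out even if the value name is not "ss"
if (Test-Path $ssodl) {
    foreach ($prop in (Get-Item $ssodl).Property) {
        $v = (Get-ItemProperty -Path $ssodl -Name $prop).$prop
        Write-Host ("SSODL entry: {0} = {1}" -f $prop, $v)
    }
}

# Symptom from the advisory: an unexpected listening port. Get-NetTCPConnection exists
# on Windows 8 / Server 2012 and later; older hosts can use "netstat -ano" instead.
if (Get-Command Get-NetTCPConnection -ErrorAction SilentlyContinue) {
    Get-NetTCPConnection -State Listen | ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        if ($proc -and $proc.ProcessName -in @('ss', 'iexplore')) {
            $Findings += [pscustomobject]@{
                Kind = 'Listener'; Item = "$($proc.ProcessName) (PID $($_.OwningProcess))"
                Detail = "listening on port $($_.LocalPort)"
            }
        }
    }
}

if ($Findings.Count -eq 0) {
    Write-Host 'No BackDoor-CGT artifacts found.'
} else {
    $Findings | Format-Table -AutoSize
}
```

The file-size comparison is deliberately a warning rather than a filter: a file with the right name but a different size is still worth a look, since the advisory notes the backup copy is a transformed version of the main binary. Removal itself should follow the vendor instructions below, using current engine and DAT files.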

When running, the backdoor trojan opens a random port on the victim machine. A notification containing the victim's IP address and port number is sent to the attacker via HTTP. Probably in an attempt to bypass software firewalls, the trojan launches Internet Explorer (IEXPLORE.EXE) to send this HTTP traffic.

To block the outgoing notification (and, in fact, to prevent the download of the trojan in the first place), administrators should block HTTP access to the following domain:

  • genmexe.biz

Symptoms

  • Random port number unexpectedly open on the machine
  • Existence of the files and Registry keys detailed above

Method of Infection

This trojan is likely to arrive via a spammed-out email message, which results in a script dropper running on the victim machine. This dropper drops the SS.EXE binary onto the machine and executes it.

Removal

All Users:
Use current engine and DAT files for detection. Delete any file which contains this detection.

Additional Windows ME/XP removal considerations

Variants

N/A
