BackDoor-CHR

Type: Trojan
SubType: Remote Access
Discovery Date: 08/15/2004
Length: 139,776 bytes (EXE); 4,096 bytes (SYS)
Minimum DAT: 4386 (08/15/2004)
Updated DAT: 4387 (08/18/2004)
Minimum Engine: 5.1.00
Description Added: 08/16/2004
Description Modified: 08/16/2004 5:56 AM (PT)

Risk Assessment
Corporate User: Low
Home User: Low

Characteristics

This remote access trojan is downloaded by W32/Mydoom.s@MM. It bears the following characteristics:

  • stealths its activity on the victim machine
  • serves as an HTTP proxy
  • serves as an SMTP relay
  • attempts to connect to numerous remote IRC servers (for remote reporting/command)
  • appends the local hosts file (in an attempt to disable updating of many AV products)

The trojan attempts to connect to a remote IRC server to await command. It carries a list of IP addresses and relevant ports for these servers:

  • 62.241.53.2:4242
  • 211.233.41.235:4661
  • 81.23.250.167:4242
  • 193.19.227.24:4661
  • 66.98.192.99:3306
  • 207.44.222.47:4661
  • 213.158.119.104:4661
  • 207.44.206.27:4661
  • 62.241.53.4:4242
  • 216.127.94.107:4661
  • 67.15.18.45:3306
  • 62.241.53.15:4242
  • 64.246.54.12:3306
  • 62.241.53.16:4242
  • 211.214.161.107:4661
  • 67.15.18.57:3306
  • 66.98.144.100:4242
  • 69.50.187.210:4661
  • 66.111.43.80:4242
  • 212.199.125.36:8080
  • 66.90.68.2:6565
  • 62.241.53.17:4242
  • 69.50.228.50:4646
  • 81.23.250.169:4242
  • 69.57.132.8:4661
  • 64.246.18.98:4661
  • 218.78.211.62:4661
  • 207.44.142.33:4242
  • 64.246.16.11:4661
  • 205.209.176.220:4661
  • 80.64.179.46:4242
  • 65.75.161.70:4661

The listed servers use ports 4661, 4242, 8080, 3306, 6565 and 4646 for this connection.

Symptoms

When executed, this trojan copies itself to the startup folder on the victim machine, as DX32HHLP.EXE. For example:

  • C:\Documents and Settings\All Users\Start Menu\Programs\Startup\DX32HHLP.EXE

The trojan also drops a 4,096 byte kernel mode driver used for stealthing:

  • %SYSTEMROOT%\SYSTEM32\DX32HHEC.SYS

This component is installed as a service on the victim machine. The service information is stored within the following key:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dx32hhec

The service bears the following characteristics:

Display name: dx32hhec
Image Path:   %SYSTEMROOT%\SYSTEM32\dx32hhec.sys
Startup: Automatic

Note: Once this stealthing driver is running on the victim machine, this threat is not detected by conventional AV scanning methods.

The trojan appends the local hosts file on the victim machine, redirecting requests for many AV vendor sites and update sites to local host. Such modified hosts files are detected (and repaired) as QHosts.apd with the 4352 DATs or greater.

Two ports are opened by the trojan; the exact port numbers used vary. For example, TCP 33167 and 33170 were opened in testing.
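The two host-level indicators described above (a hosts file that sinkholes vendor and update sites to the loopback address, and outbound connections to the IRC servers in the Characteristics list) can be checked offline against captured data. The following is an added example written for this page; it is not McAfee's tooling. The C2 endpoint list is copied from the advisory, while the sample hosts file and netstat-style output are constructed for illustration, and the hijacked hostnames (av-vendor.example and update.av-vendor.example) are placeholders, since the advisory does not enumerate which vendor sites are redirected.

```python
"""Host-based IoC checks for BackDoor-CHR over sample data.

Added example, not McAfee's code. C2 endpoints come from the advisory;
the hosts file and netstat text below are constructed for illustration.
"""
import re
from ipaddress import ip_address

# IRC command-and-control endpoints listed in the advisory as (IP, port).
C2_ENDPOINTS = frozenset({
    ("62.241.53.2", 4242), ("211.233.41.235", 4661), ("81.23.250.167", 4242),
    ("193.19.227.24", 4661), ("66.98.192.99", 3306), ("207.44.222.47", 4661),
    ("213.158.119.104", 4661), ("207.44.206.27", 4661), ("62.241.53.4", 4242),
    ("216.127.94.107", 4661), ("67.15.18.45", 3306), ("62.241.53.15", 4242),
    ("64.246.54.12", 3306), ("62.241.53.16", 4242), ("211.214.161.107", 4661),
    ("67.15.18.57", 3306), ("66.98.144.100", 4242), ("69.50.187.210", 4661),
    ("66.111.43.80", 4242), ("212.199.125.36", 8080), ("66.90.68.2", 6565),
    ("62.241.53.17", 4242), ("69.50.228.50", 4646), ("81.23.250.169", 4242),
    ("69.57.132.8", 4661), ("64.246.18.98", 4661), ("218.78.211.62", 4661),
    ("207.44.142.33", 4242), ("64.246.16.11", 4661), ("205.209.176.220", 4661),
    ("80.64.179.46", 4242), ("65.75.161.70", 4661),
})

# Distinct ports used by the C2 list, derived from the endpoints above.
C2_PORTS = frozenset(port for _, port in C2_ENDPOINTS)


def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every active mapping in a hosts file."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # strip trailing comments
        fields = line.split()
        if len(fields) < 2:
            continue                          # blank, comment-only or malformed
        ip, *names = fields
        for name in names:
            yield line_no, ip, name.lower()


def suspicious_hosts_entries(text):
    """Return hosts entries that pin a non-localhost name to a loopback address.

    The trojan appends entries that send AV vendor and update sites to local
    host; the only loopback mapping a stock hosts file needs is 'localhost'.
    """
    hits = []
    for line_no, ip, name in parse_hosts(text):
        try:
            addr = ip_address(ip)
        except ValueError:
            continue                          # not an IP literal; ignore
        if addr.is_loopback and name not in ("localhost", "localhost.localdomain"):
            hits.append((line_no, ip, name))
    return hits


# Matches 'netstat -an'-style rows: proto, local addr:port, remote addr:port, state.
NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\d+)\s*(\S*)")


def parse_netstat(text):
    """Parse netstat-style output into (proto, remote_ip, remote_port, state)."""
    conns = []
    for raw in text.splitlines():
        m = NETSTAT_RE.match(raw)
        if not m:
            continue                          # header or unrelated line
        proto, _lip, _lport, rip, rport, state = m.groups()
        conns.append((proto, rip, int(rport), state))
    return conns


def match_c2(text):
    """Return connections whose remote endpoint is on the advisory's C2 list."""
    return [c for c in parse_netstat(text) if (c[1], c[2]) in C2_ENDPOINTS]


# --- constructed sample data (not captured from a real infection) ---
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       av-vendor.example         # constructed hijack entry
127.0.0.1       update.av-vendor.example
10.0.0.7        fileserver.corp.example
"""

SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:33167          0.0.0.0:0              LISTENING
  TCP    10.0.0.5:1042          62.241.53.2:4242       ESTABLISHED
  TCP    10.0.0.5:1043          203.0.113.10:443       ESTABLISHED
  TCP    10.0.0.5:1044          66.90.68.2:6565        SYN_SENT
"""

if __name__ == "__main__":
    for hit in suspicious_hosts_entries(SAMPLE_HOSTS):
        print("hosts hijack:", hit)
    for conn in match_c2(SAMPLE_NETSTAT):
        print("C2 connection:", conn)
```

Matching on the full (IP, port) pair rather than on the port alone avoids flagging ordinary traffic to 8080 or 3306; the loopback test on the hosts file catches the redirection regardless of which vendor names were appended, which is why the check does not need a list of vendor domains.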

Method of Infection

This remote access trojan is downloaded by W32/Mydoom.s@MM.

Removal

All Windows Users:
Use the specified engine and DAT files for detection. Due to the stealthing nature of this threat, conventional scanning methods will not detect it while it is running on the victim machine. An active infection requires users to reboot into Safe Mode before scanning for and removing the trojan.

Alternatively, Stinger has been updated to handle this threat (will detect and clean an infected system).

Manual Removal Instructions

  • Restart Windows in Safe Mode
  • Delete the following registry keys:
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dx32hhec
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\legacy_dx32hhec
  • Delete the following files (from %SYSTEMROOT%\SYSTEM32):
    • DX32HHLP.EXE
    • DX32HHEC.SYS
  • Restart the computer

Variants

    N/A

Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Aliases

  • BackDoor-CEB.b
  • BackDoor-CHR.sys