BackDoor-CEB.c

Type: Trojan
SubType: Remote Access
Discovery Date: 09/09/2004
Length: 234,496 bytes
Minimum DAT: 4391 (09/15/2004)
Updated DAT: 4391 (09/15/2004)
Minimum Engine: 5.1.00
Description Added: 09/09/2004
Description Modified: 09/09/2004 4:35 AM (PT)
Risk Assessment:
  Corporate User: Low
  Home User: Low

Characteristics

This remote access trojan is downloaded by W32/Mydoom.u@MM. It bears the following characteristics:

  • stealths its activity on the victim machine
  • serves as an HTTP proxy
  • serves as an SMTP relay
  • attempts to connect to numerous remote IRC servers (for remote reporting/command)
  • appends the local hosts file (in an attempt to disable updating of many AV products)

The trojan attempts to connect to a remote IRC server to await command. It carries a list of IP addresses and ports for these servers; ports 4661, 4242, 8080 and 3306 are used for this connection.

Symptoms

When executed, this trojan copies itself to the startup and Windows system folders on the victim machine, as DX32CXLP.EXE. For example:

  • C:\Documents and Settings\All Users\Start Menu\Programs\Startup\DX32CXLP.EXE
  • C:\WINNT\SYSTEM32\DX32CXLP.EXE

The trojan also drops a 4,096-byte kernel-mode driver used for stealthing:

  • %SYSTEMROOT%\SYSTEM32\DX32CXEL.SYS

This component is installed as a service on the victim machine. The service information is stored within the following key:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dx32cxel

The service bears the following characteristics:

Display name: dx32cxel
Image Path: %SYSTEMROOT%\SYSTEM32\dx32cxel.sys
Startup: Automatic

Note: Once this stealthing driver is running on the victim machine, this threat is not detected by conventional AV scanning methods.

The trojan appends entries to the local hosts file on the victim machine, redirecting requests for many AV vendor sites and update sites to the local host. Such modified hosts files are detected (and repaired) as QHosts.apd with the 4352 DATs or greater.
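The hosts-file tampering described above can be checked for by parsing the file and flagging any non-local hostname pinned to a loopback or unspecified address. The following Python is an added example, not code from the original description; the sample hosts content and the example-av.test / example-vendor.test names are constructed placeholders, since the description does not list the redirected domains.

```python
import ipaddress

# Names that legitimately resolve to loopback in a stock hosts file.
LEGIT_LOOPBACK_NAMES = {
    "localhost", "localhost.localdomain", "broadcasthost",
    "ip6-localhost", "ip6-loopback",
}

# Constructed sample: stock entries followed by an appended block that
# mimics the redirection the description reports. Domains are placeholders.
SAMPLE_HOSTS = """\
# Default entries (constructed sample)
127.0.0.1       localhost
::1             localhost

# Appended block (constructed to mirror the described behaviour)
127.0.0.1 update.example-av.test download.example-av.test
127.0.0.1 www.example-vendor.test   # a trailing comment must not hide it
0.0.0.0   liveupdate.example-vendor.test
"""


def parse_hosts(text):
    """Yield (lineno, ip, [hostnames]) per effective entry; comments,
    blanks and lines whose first field is not an IP address are skipped."""
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # damaged line: keep scanning rather than abort
        yield lineno, ip, [name.lower() for name in fields[1:]]


def find_hijacked_entries(text):
    """Return [(lineno, ip, [names])] for entries that sink a non-local
    hostname to loopback or 0.0.0.0. Note that 0.0.0.0 is also used by
    legitimate ad-blocking hosts lists, so such hits need review, not
    automatic repair."""
    hits = []
    for lineno, ip, names in parse_hosts(text):
        if not (ip.is_loopback or ip.is_unspecified):
            continue
        suspicious = [n for n in names if n not in LEGIT_LOOPBACK_NAMES]
        if suspicious:
            hits.append((lineno, str(ip), suspicious))
    return hits
```

On a live Windows host the same function would be run over the contents of %SYSTEMROOT%\system32\drivers\etc\hosts; every hit is a hostname the machine can no longer reach by name.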

The trojan opens two ports; the exact port numbers vary. For example, TCP 39284 and 39287 were opened in testing.

Method of Infection

This remote access trojan is downloaded by W32/Mydoom.u@MM.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

N/A

Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.
