
PHP/Chaploit

Type: Trojan
SubType: Script
Discovery Date: 11/03/2004
Length: 26564
Minimum DAT: 4404 (11/03/2004)
Updated DAT: 5200 (01/04/2008)
Minimum Engine: 5.1.00
Description Added: 11/03/2004
Description Modified: 12/21/2004 6:39 AM (PT)

Risk Assessment
Corporate User: Low
Home User: Low


Characteristics

Detection was added to cover a malicious PHP script file originally called "newcmd.php", with a file size of 26564 bytes.

Upon execution, the script searches for writable files/folders into which it can write a .c file.

It tries to write it to /tmp/dc-connectback.c. The source code of dc-connectback.c is embedded inside the PHP file; it is the source code of the "Data Cha0s Connect Back Backdoor". The backdoor may reveal its presence by showing a message on the screen using the printf command. By default it uses port 80, so the port alone is not a distinctive indicator.

It also tries to write other files called hatorihanzo.c and/or /tmp/xpl_brk.c. This is a Linux kernel do_brk VMA overflow exploit; the script uses this local kernel exploit to check whether the kernel is exploitable.

There are also routines to send fake e-mails and perform port scans.

During testing, the newcmd.php script did not run successfully.

Symptoms

  • Presence of the files/filesizes as mentioned above
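As an added example (not part of the original description), a small Python sweep that checks a directory tree for the symptoms listed above: the dropped .c file names, a newcmd.php of 26564 bytes, and PHP files that mention those file names (the content check assumes the dropper refers to the files it writes by name, which the description implies but does not state).

```python
import os
from pathlib import Path

# Indicators taken from the description: files the script tries to write,
# the dropper's original name, and its stated size in bytes.
DROPPED_SOURCES = {"dc-connectback.c", "hatorihanzo.c", "xpl_brk.c"}
DROPPER_NAME = "newcmd.php"
DROPPER_SIZE = 26564
# Assumption: the PHP dropper contains the names of the files it writes.
EMBEDDED_MARKERS = (b"dc-connectback.c", b"xpl_brk.c", b"hatorihanzo.c")


def classify(path: Path) -> list[str]:
    """Return the indicator labels matched by one file (empty list if none)."""
    hits = []
    name = path.name
    if name in DROPPED_SOURCES:
        hits.append(f"dropped-source:{name}")
    try:
        size = path.stat().st_size
    except OSError:
        return hits
    if name == DROPPER_NAME:
        hits.append("dropper-name")
        if size == DROPPER_SIZE:
            hits.append("dropper-size")
    # Content check only for PHP files of reasonable size, to keep the sweep cheap.
    if path.suffix.lower() == ".php" and size <= 1_000_000:
        try:
            data = path.read_bytes()
        except OSError:
            return hits
        found = [m.decode() for m in EMBEDDED_MARKERS if m in data]
        if found:
            hits.append("embedded-markers:" + ",".join(found))
    return hits


def scan(root) -> dict[str, list[str]]:
    """Walk root without following symlinks; map each flagged path to its hits."""
    results = {}
    for dirpath, _dirs, files in os.walk(root, followlinks=False):
        for fn in files:
            p = Path(dirpath) / fn
            if p.is_symlink():
                continue
            hits = classify(p)
            if hits:
                results[str(p)] = hits
    return results


if __name__ == "__main__":
    import sys
    for path, hits in scan(sys.argv[1] if len(sys.argv) > 1 else "/tmp").items():
        print(path, "->", ", ".join(hits))
```

Run it against the web root and /tmp; a hit on the size alone is weak evidence, while a .c file name or an embedded marker in a PHP file warrants a closer look.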

Method of Infection

  • Manual execution of the newcmd.php file.

Removal

All Users:
Use current engine and DAT files for detection. Delete any file which contains this detection.

Variants

N/A

Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.
