BackDoor-CEB.f

Type: Trojan
SubType: Remote Access
Discovery Date: 01/26/2005
Length: 271,872 bytes
Minimum DAT: 4422 (01/26/2005)
Updated DAT: 4725 (03/23/2006)
Minimum Engine: 5.1.00
Description Added: 01/26/2005
Description Modified: 02/18/2005 2:33 PM (PT)
Risk Assessment
  Corporate User: Low
  Home User: Low

Characteristics

This remote access trojan is downloaded by W32/Mydoom.bb@MM, W32/Mydoom.bc@MM and W32/Mydoom.bd@MM. It bears the following characteristics:

  • stealths its activity on the victim machine (via a kernel mode driver, see Symptoms)
  • serves as an HTTP proxy
  • serves as an SMTP relay
  • attempts to connect to numerous remote IRC servers (for remote reporting/command)
  • appends the local hosts file (in an attempt to disable updating of many AV products)

The trojan attempts to connect to a remote IRC server and await commands. It carries a hard-coded list of IP address and port pairs for these servers:

  • 61.152.93.254:4661
  • 62.241.53.15:4242
  • 62.241.53.16:4242
  • 62.241.53.17:4242
  • 62.241.53.2:4242
  • 62.241.53.4:4242
  • 65.75.163.180:4242
  • 66.111.43.80:4242
  • 66.192.117.34:4661
  • 66.192.117.35:4661
  • 66.192.117.36:4661
  • 66.192.117.39:4661
  • 66.192.117.40:4661
  • 66.192.117.41:4661
  • 66.192.117.43:4661
  • 66.79.177.180:2487
  • 66.98.144.100:4242
  • 67.15.14.73:4242
  • 67.15.18.45:3306
  • 69.50.187.210:4661
  • 69.50.228.50:4646
  • 70.84.28.212:4242
  • 81.23.250.167:4242
  • 81.23.250.169:4242
  • 193.19.227.24:4661
  • 195.245.244.243:4661
  • 199.218.8.201:4661
  • 207.44.206.27:4661
  • 207.44.222.47:4661
  • 209.61.191.41:4661
  • 211.214.161.107:4661
  • 213.158.119.104:4661

Ports 4661, 4242, 2487, 4646 and 3306 are used for this connection (each server is contacted on the single port paired with it above).
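The address list above is useful as a set of network indicators: match it against the foreign address column of connection listings or firewall logs. The following is an added example, not code from this description or from McAfee; the C2 list is copied from the page, the netstat lines are a constructed sample, and these 2005-era addresses are long since reassigned, so treat them as historical indicators only.

```python
import re

# The IRC C2 list from this description, one ip:port per line (copied from the page).
C2_LIST_TEXT = """
61.152.93.254:4661
62.241.53.15:4242
62.241.53.16:4242
62.241.53.17:4242
62.241.53.2:4242
62.241.53.4:4242
65.75.163.180:4242
66.111.43.80:4242
66.192.117.34:4661
66.192.117.35:4661
66.192.117.36:4661
66.192.117.39:4661
66.192.117.40:4661
66.192.117.41:4661
66.192.117.43:4661
66.79.177.180:2487
66.98.144.100:4242
67.15.14.73:4242
67.15.18.45:3306
69.50.187.210:4661
69.50.228.50:4646
70.84.28.212:4242
81.23.250.167:4242
81.23.250.169:4242
193.19.227.24:4661
195.245.244.243:4661
199.218.8.201:4661
207.44.206.27:4661
207.44.222.47:4661
209.61.191.41:4661
211.214.161.107:4661
213.158.119.104:4661
"""

# Constructed sample of 'netstat -ano' output (not a real capture): two sessions to
# listed C2 endpoints, one unrelated HTTPS session, one listener, one UDP socket.
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.10:1045      66.192.117.34:4661     ESTABLISHED     1532
  TCP    192.168.1.10:1046      69.50.228.50:4646      SYN_SENT        1532
  TCP    192.168.1.10:1047      198.51.100.7:443       ESTABLISHED     2204
  TCP    0.0.0.0:31927          0.0.0.0:0              LISTENING       1532
  UDP    0.0.0.0:500            *:*                                    780
"""

# proto, local, foreign, state, optional pid (UDP lines carry no state)
NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(\S+)(?:\s+(\d+))?")


def parse_c2_list(text):
    """Return the set of (ip, port) pairs from 'ip:port' lines; blank lines are skipped."""
    c2 = set()
    for line in text.splitlines():
        line = line.strip().lstrip("•").strip()
        if not line:
            continue
        ip, _, port = line.rpartition(":")
        c2.add((ip, int(port)))
    return c2


def c2_ports(c2):
    """Distinct ports in the C2 list, sorted (a sanity check on the prose port list)."""
    return sorted({port for _, port in c2})


def find_c2_connections(netstat_lines, c2):
    """Connections whose foreign endpoint is exactly an (ip, port) pair from the C2 list."""
    hits = []
    for line in netstat_lines:
        m = NETSTAT_RE.match(line)
        if not m:
            continue
        proto, local, foreign, state, pid = m.groups()
        ip, _, port = foreign.rpartition(":")
        if not port.isdigit():  # '*:*' or '0.0.0.0:0' style entries
            continue
        if (ip, int(port)) in c2:
            hits.append({"proto": proto, "local": local, "foreign": foreign,
                         "state": state, "pid": pid})
    return hits


if __name__ == "__main__":
    c2 = parse_c2_list(C2_LIST_TEXT)
    print("C2 ports:", c2_ports(c2))
    for hit in find_c2_connections(SAMPLE_NETSTAT.splitlines(), c2):
        print("C2 contact:", hit)
```

Matching on the exact address and port pair rather than on the port alone avoids flagging ordinary traffic on 3306 (MySQL) or 4661/4242 (common eDonkey and application ports). Note that the live netstat output on an infected host may itself be filtered by the stealth driver described under Symptoms, so a capture taken at the network perimeter is the more trustworthy source.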

Symptoms

When executed, this trojan copies itself to the Windows system directory on the victim machine, as DX32CXLP.EXE. For example:

  • C:\WINDOWS\SYSTEM32\DX32CXLP.EXE

The trojan also drops a 6,144 byte kernel mode driver used for stealthing:

  • %SysDir%\DX32CXEL.SYS

This component is installed as a service on the victim machine. The service information is stored within the following key:

  • HKEY_LOCAL_MACHINE\SYSTEM\
    CurrentControlSet\Services\dx32cxel

The service bears the following characteristics:

Display name: dx32cxel
Image Path: %SysDir%\dx32cxel.sys
Startup: Automatic

Note: Once this stealthing driver is running on the victim machine, the trojan's files, service entries and activity are hidden from the running system, and the threat is not detected by conventional (on-line) AV scanning methods. Scanning from a clean boot or an offline image is required to see it.
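Because the driver hides itself from the live system, the service key is best examined in a registry hive exported or mounted offline. The following is an added example, not McAfee's tool or code from this description: it parses a `reg export` style dump and flags auto-start kernel drivers whose image is not under a `\drivers\` directory, which is where this trojan's driver stands out (it sits in the System32 root). The export text is a constructed excerpt; the benign `Beep` entry and the plain-string `ImagePath` values are simplifications for readability.

```python
import re

SERVICE_KERNEL_DRIVER = 0x1   # "Type" value of a kernel-mode driver service
SERVICE_AUTO_START = 0x2      # "Start" value that the Services UI shows as "Automatic"

SERVICES_PREFIX = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\"

# Constructed excerpt in 'reg export' format (not a real export). The dx32cxel entry
# mirrors the key, display name and path given on this page; ImagePath is written as
# a plain REG_SZ string instead of the hex-encoded REG_EXPAND_SZ a real export uses.
REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Beep]
"Type"=dword:00000001
"Start"=dword:00000001
"ImagePath"="System32\\drivers\\beep.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dx32cxel]
"Type"=dword:00000001
"Start"=dword:00000002
"DisplayName"="dx32cxel"
"ImagePath"="\\??\\C:\\WINDOWS\\system32\\dx32cxel.sys"
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")$')


def parse_reg_export(text):
    """Map service name -> {value name: int or str} for keys directly under ...\\Services."""
    services = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            path = key.group(1)
            if path.lower().startswith(SERVICES_PREFIX.lower()):
                rest = path[len(SERVICES_PREFIX):]
                # Sub-keys such as Services\foo\Parameters are not services themselves.
                current = services.setdefault(rest, {}) if "\\" not in rest else None
            else:
                current = None
            continue
        val = VALUE_RE.match(line)
        if val and current is not None:
            name, dword, string = val.groups()
            # .reg files double every backslash inside string values; undo that.
            current[name] = int(dword, 16) if dword is not None else string.replace("\\\\", "\\")
    return services


def suspicious_drivers(services):
    """Auto-start kernel drivers whose image does not live under a \\drivers\\ directory."""
    findings = []
    for name, values in services.items():
        if values.get("Type") != SERVICE_KERNEL_DRIVER:
            continue
        if values.get("Start") != SERVICE_AUTO_START:
            continue
        image = values.get("ImagePath", "")
        if "\\drivers\\" not in image.lower():
            findings.append((name, image))
    return findings


if __name__ == "__main__":
    for name, image in suspicious_drivers(parse_reg_export(REG_EXPORT)):
        print(f"suspicious auto-start driver service {name}: {image}")
```

The path heuristic is for triage, not proof: a third-party driver can legitimately load from elsewhere, so confirm each hit against the file's size (6,144 bytes here), signature and hash before acting on it.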

The trojan appends entries to the local hosts file on the victim machine, redirecting requests for many AV vendor sites and update sites to the loopback address so that updates silently fail. Such modified hosts files are detected (and repaired) as QHosts.apd with the 4352 DATs or greater.
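The hosts-file tampering is easy to check for by hand, since any hostname other than localhost that resolves to a loopback or 0.0.0.0 address is a sinkhole entry. The following is an added example, not McAfee's QHosts detection or code from this description: it parses a hosts file, reports such entries, and returns the repaired content. The hosts text is a constructed sample and the vendor-looking hostnames are placeholders, not the trojan's actual target list.

```python
import ipaddress

# Constructed hosts file (not a real sample). The redirected hostnames are
# illustrative placeholders, not the trojan's actual target list.
HOSTS_TEXT = """# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.

127.0.0.1       localhost
127.0.0.1       update.example-av.com
127.0.0.1       download.example-av.com  # appended by malware
0.0.0.0         liveupdate.example-av.net
192.0.2.10      intranet.corp.example
"""

# Names that legitimately map to a loopback address on a Windows machine.
LEGIT_LOOPBACK_NAMES = {"localhost"}


def parse_hosts(text):
    """Return (lineno, ip_address, [hostnames]) per mapping line; comments and junk are ignored."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        body = raw.split("#", 1)[0].split()
        if len(body) < 2:
            continue
        try:
            addr = ipaddress.ip_address(body[0])
        except ValueError:
            continue  # not an address, so not a mapping line
        entries.append((lineno, addr, body[1:]))
    return entries


def find_redirects(text):
    """Hostnames other than localhost pinned to loopback (127/8, ::1) or the unspecified address."""
    hits = []
    for lineno, addr, names in parse_hosts(text):
        if not (addr.is_loopback or addr.is_unspecified):
            continue
        for name in names:
            if name.lower() not in LEGIT_LOOPBACK_NAMES:
                hits.append((lineno, str(addr), name))
    return hits


def repair_hosts(text):
    """Drop the sinkholed names; keep comments, legitimate names and all other lines as written."""
    drop = {}
    for lineno, _, name in find_redirects(text):
        drop.setdefault(lineno, set()).add(name)
    out = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if lineno not in drop:
            out.append(raw)
            continue
        body, sep, comment = raw.partition("#")
        parts = body.split()
        keep = [parts[0]] + [n for n in parts[1:] if n not in drop[lineno]]
        if len(keep) > 1:  # a legitimate name shared the line, so keep the line
            out.append("  ".join(keep) + (f"  #{comment}" if sep else ""))
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for lineno, addr, name in find_redirects(HOSTS_TEXT):
        print(f"line {lineno}: {name} sinkholed to {addr}")
    print(repair_hosts(HOSTS_TEXT))
```

On Windows the file lives at %SystemRoot%\System32\drivers\etc\hosts; read it from the mounted disk or a clean boot rather than trusting the infected system, and remember that the malware's own files and service must be removed first or the entries will simply be appended again.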

Various listening ports are opened by the trojan; the exact port numbers used vary between infections. For example, TCP 1045, 31927 and 31924 were opened in testing.

Method of Infection

This remote access trojan is downloaded by W32/Mydoom.bb@MM, W32/Mydoom.bc@MM and W32/Mydoom.bd@MM. It does not spread on its own.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

    N/A

Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.