Generic BackDoor.t
- Type: Trojan
- SubType:
- Discovery Date: 02/24/2005
- Length:
- Minimum DAT: 4428 (02/16/2005)
- Updated DAT: 6441 (08/17/2011)
- Minimum Engine: 5.2.00
- Description Added: 02/16/2005
- Description Modified: 09/04/2009 6:44 PM (PT)
Characteristics
--Update September 4, 2009--
The client component of this threat may include keylogging functionality and may be copied to the following location:
- %WINDOWS%\System32\svchost.dll
(Where %WINDOWS% refers to the Windows folder, e.g. C:\Windows. Windows ships the service host as svchost.exe, not svchost.dll, so a DLL of that name in System32 is itself a red flag.)
The malware attempts to connect to the following remote site via HTTP or HTTPS:
- [removed].3322.org
(3322.org is a dynamic DNS service, so the host name resolves to whatever address the operator currently registers; block or alert on the domain suffix rather than on a single IP.)
--Update February 23, 2009--
Certain components have displayed the following characteristics when analyzed.
The system DLL ADVAPI32.dll is copied to the current user's temp directory under a random filename with a .tmp extension.
A search is then performed for such copies in the following directories:
- %WINDOWS%\[RandomFileName].tmp
- %WINDOWS%\System32\[RandomFileName].tmp
(Where %WINDOWS% refers to the Windows folder, e.g. C:\Windows)
It also searches its current directory.
It attempts to infect these copies of advapi32.dll so that the infection persists across reboots, since the system DLL is loaded at startup.
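The two on-disk traces described in this update, PE images hiding behind a random-name .tmp extension and copies of advapi32.dll staged beside the live system DLL, can be hunted with the following script. It is an added example, not McAfee's code or tooling: the directory names are parameters, the known-good SHA-256 baseline for advapi32.dll is assumed to be supplied by the analyst from a clean install of the same Windows build, and the `demo()` function runs the checks against a constructed directory tree rather than against C:\Windows.

```python
"""Added example (not McAfee's code): hunt for the on-disk traces described
above, namely PE images hiding behind a random-name .tmp extension and copies
of advapi32.dll whose SHA-256 differs from an analyst-supplied baseline.
Directory names are parameters so the demo runs against a constructed tree."""
import hashlib
import struct
import tempfile
from pathlib import Path


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def looks_like_pe(path):
    """True when the file has an MZ header whose e_lfanew offset points at a
    'PE\\0\\0' signature; a text or data .tmp file fails this test."""
    try:
        with open(path, "rb") as f:
            dos = f.read(0x40)
            if len(dos) < 0x40 or dos[:2] != b"MZ":
                return False
            (e_lfanew,) = struct.unpack_from("<I", dos, 0x3C)
            f.seek(e_lfanew)
            return f.read(4) == b"PE\x00\x00"
    except OSError:
        return False


def find_pe_tmp_files(dirs):
    """Return .tmp files in the given directories that are really PE images.
    The threat stages copies of advapi32.dll as [random].tmp in %TEMP%,
    %WINDOWS% and %WINDOWS%\\System32; a genuine temp file is rarely a PE."""
    hits = []
    for d in dirs:
        d = Path(d)
        if d.is_dir():
            hits += [p for p in d.iterdir()
                     if p.is_file() and p.suffix.lower() == ".tmp" and looks_like_pe(p)]
    return sorted(hits)


def check_advapi32(system32, known_good_hashes, pe_tmps):
    """Compare the live advapi32.dll with a baseline of known-good SHA-256
    values (assumption: taken from a clean install of the same Windows build)
    and list which PE .tmp files are byte-identical copies of it."""
    live = Path(system32) / "advapi32.dll"
    report = {"live_tampered": None, "tmp_copies": []}
    if live.is_file():
        live_hash = sha256_of(live)
        report["live_tampered"] = live_hash not in known_good_hashes
        report["tmp_copies"] = [p.name for p in pe_tmps if sha256_of(p) == live_hash]
    return report


def fake_pe(body):
    """Constructed stand-in for a DLL: just enough header for looks_like_pe()."""
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)   # e_lfanew -> PE signature at 0x40
    return bytes(hdr) + b"PE\x00\x00" + body


def demo():
    """Build a constructed directory tree mirroring the paths above and run
    both checks over it; returns the findings so they can be asserted on."""
    with tempfile.TemporaryDirectory() as td:
        win = Path(td) / "Windows"
        sys32, temp = win / "System32", Path(td) / "Temp"
        for d in (win, sys32, temp):
            d.mkdir(parents=True)
        clean = fake_pe(b"advapi32 clean build")
        (sys32 / "advapi32.dll").write_bytes(clean)
        (temp / "a1b2c3.tmp").write_bytes(clean)                  # staged copy
        (win / "f00d.tmp").write_bytes(b"plain text, benign\n")   # not a PE
        (sys32 / "9z8y.tmp").write_bytes(fake_pe(b"unrelated"))   # PE, not advapi32
        pe_tmps = find_pe_tmp_files([win, sys32, temp])
        good = check_advapi32(sys32, {hashlib.sha256(clean).hexdigest()}, pe_tmps)
        bad = check_advapi32(sys32, {"0" * 64}, pe_tmps)   # wrong baseline
    return {
        "pe_tmp_names": sorted(p.name for p in pe_tmps),
        "tmp_copies": good["tmp_copies"],
        "live_tampered_good_baseline": good["live_tampered"],
        "live_tampered_bad_baseline": bad["live_tampered"],
    }


if __name__ == "__main__":
    print(demo())
```

On a real host the hash comparison only means something if the baseline is a known-good value for exactly that Windows build and patch level; a mismatch against a stale baseline is a patch, not an infection, so confirm with the file's Authenticode signature before acting on it.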
----------------------------
This detection covers many nondescript backdoor trojans, typically one-off creations that have been submitted to AVERT (McAfee's anti-malware research lab).
Such trojans are typically multi-component in nature, consisting of Server, Configuration and Client parts. These components are described below:
Server Component
This is the component intended to be executed on the victim's machine. It may arrive via email, a file-sharing network, an IRC channel and so on, or it may be installed by a dropper file. Once run, the server component typically hooks system startup by adding a Registry key or an entry in the WIN.INI or SYSTEM.INI files.
The server component opens a listening port on the victim machine. Personal firewalls will often alert at this point, or when data is received on that port.
Upon successful installation, the server component will frequently notify the hacker that a new victim is available. This notification is generally achieved via one of two methods:
1. an HTTP request to a public web-to-email script, which sends an email to the hacker
2. an ICQ message
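The startup hooks the server component uses are the Registry Run keys and the legacy run=/load= lines of WIN.INI and the shell= line of SYSTEM.INI. The following script checks all three from text exported off a host, for instance the output of `reg query` and copies of the two INI files. It is an added example, not McAfee's code: the INI and `reg query` samples are constructed, the `suspicious_path()` heuristic (a temp directory, a .tmp file, or a svchost.dll, which Windows never ships) is an assumption drawn from the file locations this description reports, and nothing here touches the live Registry.

```python
"""Added example (not McAfee's code): check the startup hooks named above,
namely Registry Run keys and the legacy run=/load= lines of WIN.INI and the
shell= line of SYSTEM.INI. It parses text exported from a host ('reg query'
output and the INI files) or the constructed samples below; it does not
touch the live Registry. The suspicious-path heuristic is an assumption."""
import re

# Constructed samples, not taken from a real infection.
SAMPLE_WIN_INI = """\
[fonts]
[windows]
load=
run=C:\\Windows\\System32\\ab12cd.tmp
"""
SAMPLE_SYSTEM_INI = """\
[boot]
shell=explorer.exe C:\\Windows\\ab12cd.tmp
[386Enh]
"""
SAMPLE_REG_QUERY = """\
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run
    ctfmon    REG_SZ    C:\\Windows\\System32\\ctfmon.exe
    Updater    REG_SZ    rundll32.exe C:\\Windows\\System32\\svchost.dll,Start

HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
    Messenger    REG_SZ    "C:\\Program Files\\Messenger\\msmsgs.exe" /background
"""


def parse_ini(text):
    """Minimal INI parser returning {section: [(key, value), ...]}; it keeps
    duplicate keys, which configparser would reject, because a second run=
    line is exactly the kind of thing to notice."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current].append((key.strip().lower(), value.strip()))
    return sections


def check_win_ini(text):
    """Any non-empty run= or load= under [windows] starts a program at logon."""
    return [f"win.ini [windows] {k}={v}"
            for k, v in parse_ini(text).get("windows", [])
            if k in ("run", "load") and v]


def check_system_ini(text):
    """shell= under [boot] should be exactly explorer.exe; anything appended
    to it is launched along with the shell."""
    return [f"system.ini [boot] shell={v}"
            for k, v in parse_ini(text).get("boot", [])
            if k == "shell" and v.lower() != "explorer.exe"]


def parse_reg_query(text):
    """Parse 'reg query <key>' output: an unindented key line followed by
    indented 'Name    Type    Data' lines separated by runs of spaces."""
    entries, key = [], None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw.startswith(" "):
            key = raw.strip()
            continue
        parts = re.split(r"\s{2,}", raw.strip(), maxsplit=2)
        if len(parts) == 3 and key:
            entries.append((key, parts[0], parts[1], parts[2]))
    return entries


def suspicious_path(data):
    """Heuristic (assumption): a Run entry pointing into a temp directory, at a
    .tmp file, or at a svchost.dll (Windows ships svchost.exe, not a DLL of
    that name) matches the file locations this description reports."""
    d = data.lower()
    return any(marker in d for marker in ("\\temp\\", ".tmp", "svchost.dll"))


def check_run_keys(text):
    return [f"{key}\\{name} = {data}"
            for key, name, _type, data in parse_reg_query(text)
            if suspicious_path(data)]


def check_all(win_ini, system_ini, reg_query):
    return check_win_ini(win_ini) + check_system_ini(system_ini) + check_run_keys(reg_query)


if __name__ == "__main__":
    for finding in check_all(SAMPLE_WIN_INI, SAMPLE_SYSTEM_INI, SAMPLE_REG_QUERY):
        print("startup hook:", finding)
```

The Run-key check is deliberately a path heuristic rather than an allow-list of product names, because the configuration component lets the hacker choose the Registry value name and installed filename freely; only the location and extension of the dropped file are predictable from this description.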
Configuration Component
This component is used by the hacker to configure server components. Various parameters are typically configurable, for example:
* Registry key name
* installed filename
* hooking method (INI file or Registry)
* notification (method, and destination/target)
Client Component
The final component of a typical backdoor package is the client, which the hacker uses to connect to remote victim machines on which the server is running. Once connected, the exact functionality available to the hacker varies, but will generally include:
* browse remote filesystem
* upload/download files
* delete/execute files
* modify system settings (resolution, background)
* browse/kill running processes
* browse/edit Windows Registry
* start/stop additional components (keylogger, webcam capture etc.)
* display message-box
* open/close CD-tray
Symptoms
- Presence of unexpected network connections (for this threat, outbound HTTP or HTTPS to a host under 3322.org).
- Presence of unexpected listening ports.
- Presence of unexpected files with a '.tmp' extension in the user's temp directory, %WINDOWS% or %WINDOWS%\System32, or of a file named %WINDOWS%\System32\svchost.dll.
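The first two symptoms can be triaged from data exported off the host without running anything on it: `netstat -ano` and `tasklist` output for unexpected listeners and outbound connections, plus a DNS query log for names under the dynamic-DNS domain named in the September 2009 update. The script below is an added example, not McAfee's code. All three samples are constructed (the 203.0.113.0/24 documentation range stands in for a public address and `example-host.3322.org` for the removed host name), and the allow-list of expected listeners and the DNS log line format are assumptions that a real deployment would replace with its own.

```python
"""Added example (not McAfee's code): triage the symptoms listed above from
data exported off a host: 'netstat -ano' and 'tasklist' output for unexpected
listeners and outbound connections, and a DNS query log for hosts under the
dynamic-DNS domain named in the September 2009 update. All samples are
constructed; the DNS log format and the allow-list of expected listeners are
assumptions a real deployment would replace with its own."""
import ipaddress
import re

NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:2500           0.0.0.0:0              LISTENING       2040
  TCP    10.0.0.5:49712         203.0.113.10:443       ESTABLISHED     2040
  TCP    10.0.0.5:49715         10.0.0.20:445          ESTABLISHED     4
  UDP    0.0.0.0:500            *:*                                    1204
"""
TASKLIST_SAMPLE = """\
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System                           4 Services                   0         24 K
svchost.exe                    880 Services                   0      5,120 K
lsass.exe                     1204 Services                   0      9,000 K
rundll32.exe                  2040 Console                    1      3,640 K
"""
DNS_SAMPLE = """\
2009-09-04 18:44:01 client 10.0.0.5 query example-host.3322.org A
2009-09-04 18:44:02 client 10.0.0.5 query www.example.com A
"""

# (proto, port, image) triples this host is expected to have open (assumption).
EXPECTED_LISTENERS = {("TCP", 135, "svchost.exe"), ("TCP", 445, "System"),
                      ("UDP", 500, "lsass.exe")}
DDNS_SUFFIXES = (".3322.org",)
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def parse_tasklist(text):
    """Map PID -> image name from 'tasklist' output."""
    pids = {}
    for line in text.splitlines():
        m = re.match(r"^(\S.*?)\s+(\d+)\s+\S+\s+\d+\s+[\d,]+ K$", line)
        if m:
            pids[int(m.group(2))] = m.group(1).strip()
    return pids


def parse_netstat(text):
    """Parse 'netstat -ano' rows; UDP rows have no State column."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, foreign = parts[:3]
        state, pid = (parts[3], parts[4]) if proto == "TCP" else ("", parts[3])
        lport = int(local.rsplit(":", 1)[1])
        fhost, fport = foreign.rsplit(":", 1)
        rows.append({"proto": proto, "lport": lport, "fhost": fhost,
                     "fport": fport, "state": state, "pid": int(pid)})
    return rows


def unexpected_listeners(rows, pids):
    """Listening sockets not in the allow-list, with the owning image name."""
    out = []
    for r in rows:
        if r["state"] != "LISTENING" and r["proto"] != "UDP":
            continue
        image = pids.get(r["pid"], "?")
        if (r["proto"], r["lport"], image) not in EXPECTED_LISTENERS:
            out.append((r["proto"], r["lport"], r["pid"], image))
    return out


def is_external(host):
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return not any(ip in net for net in INTERNAL)


def external_connections(rows, pids):
    """Established connections to addresses outside RFC 1918 and loopback.
    203.0.113.0/24 (documentation range) stands in for a public address."""
    return [(pids.get(r["pid"], "?"), r["fhost"], r["fport"])
            for r in rows if r["state"] == "ESTABLISHED" and is_external(r["fhost"])]


def ddns_queries(text):
    """Queried names under a dynamic-DNS suffix; 3322.org is the one named above."""
    hits = []
    for line in text.splitlines():
        m = re.search(r"query (\S+) ", line)
        if m and m.group(1).lower().endswith(DDNS_SUFFIXES):
            hits.append(m.group(1))
    return hits


if __name__ == "__main__":
    pids = parse_tasklist(TASKLIST_SAMPLE)
    rows = parse_netstat(NETSTAT_SAMPLE)
    print("unexpected listeners:", unexpected_listeners(rows, pids))
    print("external connections:", external_connections(rows, pids))
    print("dynamic-DNS queries:", ddns_queries(DNS_SAMPLE))
```

Tying each socket back to its image name matters more than the port number: the server component's port is configurable, so a fixed port signature is weak, whereas a rundll32.exe or svchost-named process owning a listener it has no business owning is a durable signal.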
Method of Infection
Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, etc. They may also be downloaded by other viruses and/or Trojans and installed on the user's system.
Many of these are mass-spammed by the author to entice people into double-clicking on them. Alternatively they may be installed by visiting a malicious web page (either by clicking on a link, or by the website hosting a scripted exploit which installs the Trojan onto the user's system with no user interaction).
Removal
All Users:
Use current engine and DAT files for detection and removal.
Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be removed when cleaning with the recommended engine and DAT combination (or higher).
Variants
N/A
Overview
This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.