Generic BackDoor.s

Type: Trojan
SubType: Win32
Discovery Date: 02/16/2005
Length: Varies
Minimum DAT: 4428 (02/16/2005)
Updated DAT: 6587 (01/12/2012)
Minimum Engine: 5.3.00
Description Added: 02/16/2005
Description Modified: 11/22/2011 7:44 AM (PT)

Risk Assessment
Corporate User: Low
Home User: Low

Characteristics

--------- 22-Nov-2011 -------

Aliases –

    • F-Secure - Gen:Variant.Zusy.14
    • Kaspersky - HEUR:Trojan.Win32.Generic
    • Microsoft - Trojan:Win32/Lukicsel.I
    • NOD32 - probably a variant of Win32/Lukicsel.T

"Generic BackDoor.s" is a dll which is dropped by the Trojan "Generic.dx!bb3d"

Upon execution, the Trojan injects into svchost.exe and drops the following malicious files:

    • %WinDir%\system32\mdhcp32.dll [Detected as Generic BackDoor.us]
    • %WinDir%\system32\dll.dll [Detected as Generic.dx!bbn4]

The following registry values are added to the system:

    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\mdhcp32\
      DllName = mdhcp32.dll
      Startup = "WinStart2EX"
      Logoff = "WinOff2EX"
      Shutdown = "WinOff2EX"
      Asynchronous = 0x00000001
      Impersonate = 0x00000000
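A Winlogon notification package like the one registered above is loaded by winlogon.exe at every startup and logoff, so the Notify key is worth comparing against a known-good baseline during triage. The following is an added example, not part of the McAfee description: it parses the text of a `reg export` of the Notify key, flags subkeys outside the baseline and reports which Winlogon events they hook. The baseline set (stock Windows XP entries) and the sample export are constructed assumptions; export the key from a clean build of the same OS version for real use.

```python
NOTIFY_PATH = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
# Baseline of Notify subkeys on a stock Windows XP build (an assumption for this example;
# in practice export the key from a known-clean build of the same OS version and use that).
BASELINE = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
            "sclgntfy", "senslogn", "termsrv", "wlballoon"}
# Winlogon events a notification package can register a handler for.
EVENTS = ("Startup", "Logon", "Logoff", "Shutdown", "Lock", "Unlock", "StartShell")

# Constructed sample of `reg export` output for the Notify key on an infected host: mdhcp32
# mirrors the values in the description above, crypt32chain stands in for a stock entry.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"DllName"="crypt32.dll"
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\mdhcp32]
"DllName"="mdhcp32.dll"
"Startup"="WinStart2EX"
"Logoff"="WinOff2EX"
"Shutdown"="WinOff2EX"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000000
"""

def parse_reg_export(text):
    """Parse the .reg subset reg export emits: [key] headers, "name"="string" and "name"=dword:hex."""
    keys, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            name, _, value = line.partition("=")
            if value.startswith('"') and value.endswith('"'):
                keys[current][name.strip('"')] = value[1:-1].replace("\\\\", "\\")
            elif value.lower().startswith("dword:"):
                keys[current][name.strip('"')] = int(value[6:], 16)
    return keys

def find_unknown_notify_packages(text, baseline=BASELINE):
    """Return (subkey, DllName, hooked events, asynchronous?) for Notify subkeys not in the baseline."""
    findings = []
    for key, values in parse_reg_export(text).items():
        if not key.lower().startswith(NOTIFY_PATH.lower() + "\\"):
            continue  # not under Winlogon\Notify
        subkey = key.rsplit("\\", 1)[1]
        if subkey.lower() not in baseline:
            hooked = [event for event in EVENTS if event in values]
            findings.append((subkey, values.get("DllName", ""), hooked, values.get("Asynchronous") == 1))
    return findings
```

A real export is UTF-16 encoded, so read it with `open(path, encoding="utf-16")` before passing it in.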

The Trojan reads configuration details from an encrypted data file which is dropped by the Trojan Generic.dx!bb3d.

Then it writes data to the following file:

    • %WinDir%\system32\crt.dat

Generic BackDoor.s acts as a Gnutella2 P2P client to connect to Gnutella2's network web cache. It attempts to connect to the following servers:

    • 88.159.[removed]
    • 68.52.[removed]
    • 87.89.[removed]
    • 174.91.[removed]

Note – [%WinDir% - C:\WINDOWS]

---------------

---------- Dec 1st 2010 ---------------

Aliases -

    • AVG - FakeAlert.AD
    • BitDefender - Application.Transmit.B
    • F-Secure - Application.Transmit.B
    • Kaspersky - not-a-virus:NetTool.Win32.Transmit.a

The program is designed to redirect network traffic. After execution, the Trojan displays the following message in the command prompt:

In order to activate the different modes, the program has to be launched with the following parameters:

    • listen – redirects traffic from one local port to another;
    • tran – redirects traffic from a local port to a port on a designated remote host;
    • slave – queries the remote host and redirects return traffic to a different remote host.

-----------

Backdoor trojans are typically multi-component in nature, consisting of Server, Configuration and Client parts. These components are described below:

Server Component:

This is the component that is intended to be executed on the victim's machine. It may be received via email, a file-sharing network, an IRC channel, etc., or it could be installed by a dropper file. Once run, the server component typically hooks system startup by adding a Registry key, or an entry in the WIN.INI or SYSTEM.INI files.
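The INI hooking method named above survives on systems that still honour win.ini and system.ini. As an added example (not from the description), this check parses the two files' text and reports a non-empty `load=`/`run=` entry or a `shell=` line that is anything other than explorer.exe; the sample file contents and the EXAMPLE_server.exe name are constructed.

```python
import configparser

# Constructed win.ini / system.ini contents as a backdoor of the kind described above might leave
# them: a run= hook in win.ini and an extra program appended to shell= in system.ini.
SAMPLE_WIN_INI = """[windows]
load=
run=C:\\WINDOWS\\system32\\EXAMPLE_server.exe
NullPort=None
[fonts]
"""
SAMPLE_SYSTEM_INI = """[boot]
shell=explorer.exe C:\\WINDOWS\\EXAMPLE_server.exe
[drivers]
wave=mmdrv.dll
"""

def _parse_ini(text, name):
    """Parse legacy INI text; keep key case and tolerate duplicate keys, which real win.ini files have."""
    parser = configparser.RawConfigParser(strict=False, allow_no_value=True)
    parser.optionxform = str
    parser.read_string(text, source=name)
    return parser

def find_ini_startup_hooks(win_ini_text, system_ini_text):
    """Return (file, section, key, value) for legacy INI startup hooks that deviate from a clean system."""
    findings = []
    win = _parse_ini(win_ini_text, "win.ini")
    # [windows] load= and run= are empty on a clean system; anything listed there starts at logon.
    for key in ("load", "run"):
        value = win.get("windows", key, fallback="").strip()
        if value:
            findings.append(("win.ini", "windows", key, value))
    # [boot] shell= should be exactly explorer.exe; a program appended here is started with the shell.
    shell = _parse_ini(system_ini_text, "system.ini").get("boot", "shell", fallback="").strip()
    if shell.lower() != "explorer.exe":
        findings.append(("system.ini", "boot", "shell", shell))
    return findings
```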

The server component will open a port on the victim machine. Personal firewalls will often trigger at this point, or when data is received via that port.

Upon successful installation, the server component will frequently issue a notification to the hacker. This notification is generally achieved via:

  • An HTTP request to a public script library in order to send an email
  • Instant messengers such as Yahoo, MSN, ICQ, etc.
  • IRC

Configuration Component:

This component is used by the hacker to configure server components. Various parameters are typically configurable, for example:

  • Registry key name
  • Installed filename
  • Hooking method (INI file or Registry)
  • Notification (method, and destination/target)

Client Component:

The final component of a typical backdoor package is the client, which is used by the hacker to connect to remote victim machines on which the server is running. Once connected, the exact functionality available to the hacker varies, but will generally include:

  • Browse remote filesystem
  • Upload/download files
  • Delete/execute files
  • Modify system settings (resolution, background)
  • Browse/kill running processes
  • Browse/edit Windows Registry
  • Start/stop additional components (keylogger, webcam capture etc.)
  • Display message-box
  • Open/close CD-tray

Symptoms

  • Presence of startup entries for the backdoor in the registry
  • A software-based firewall, if installed on the machine, might alert about an unknown program attempting to connect to the Internet

Method of Infection

Backdoor trojans do not self-replicate. They spread manually, often under the premise that they are beneficial or wanted. They can either be stand-alone applications, or come bundled with other Trojans/Rootkits.

Installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs.
Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Removal

A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.

Variants

    N/A

Overview -

This description is for many nondescript backdoor trojans protected with "Exe Stealth Protector" [a commercially available PE file protector] that have been received by McAfee Avert. The characteristics of such backdoor trojans, in terms of files created, information logged, etc., can differ from one another.

Hence, this is a general description.