Generic BackDoor.s

Type: Trojan
SubType: Win32
Discovery Date: 02/16/2005
Length: Varies
Minimum DAT: 4428 (02/16/2005)
Updated DAT: 5806 (11/18/2009)
Minimum Engine: 5.1.00
Description Added: 02/16/2005
Description Modified: 08/24/2008 10:38 PM (PT)

Risk Assessment
Corporate User: Low
Home User: Low

Overview

This description covers many nondescript backdoor trojans protected with "Exe Stealth Protector" (a commercially available PE file protector) that have been received by McAfee Avert. The characteristics of such backdoor trojans, in terms of files created, information logged etc., can differ from one another.

Hence, this is a general description.

Characteristics

Backdoor trojans are typically multi-component in nature, consisting of Server, Configuration and Client parts. These components are described below:

Server Component:

This is the component that is intended to be executed on the victim's machine. It may be received via email, a file-sharing network, an IRC channel etc., or it could be installed by a dropper file. Once run, the server component typically hooks system startup by adding a Registry key, or an entry in the WIN.INI or SYSTEM.INI files.

The server component will open a port on the victim machine. Personal firewalls will often trigger at this point, or when data is received via that port.

Upon successful installation, the server component will frequently issue a notification to the hacker. This notification is generally achieved via:

  • An HTTP request to a public script library, in order to send an email
  • Instant messengers such as Yahoo, MSN, ICQ etc.
  • IRC

Configuration Component:

This component is used by the hacker to configure server components. Various parameters are typically configurable, for example:

  • Registry key name
  • Installed filename
  • Hooking method (INI file or Registry)
  • Notification (method, and destination/target)

Client Component:

The final component of a typical backdoor package is the client, which is used by the hacker to connect to remote victim machines on which the server is running. Once connected, the exact functionality available to the hacker varies, but will generally include:

  • Browse remote filesystem
  • Upload/download files
  • Delete/execute files
  • Modify system settings (resolution, background)
  • Browse/kill running processes
  • Browse/edit Windows Registry
  • Start/stop additional components (keylogger, webcam capture etc.)
  • Display message-box
  • Open/close CD-tray

Symptoms

  • Presence of startup entries for the backdoor in the Registry
  • A software-based firewall, if one is installed on the machine, may alert about an unknown program attempting to connect to the Internet
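A defender-side triage check for the two symptoms listed above, as an added PowerShell example that is not part of the McAfee description: it enumerates the startup hooks the text names (Run keys and WIN.INI/SYSTEM.INI entries) and lists listening TCP ports with their owning process. It assumes a modern Windows host where Get-NetTCPConnection is available, and that the Run/RunOnce keys and the load=/run=/shell= INI lines are the autostart points of interest.

```powershell
# Added triage example (not from the McAfee page): list autostart hooks and
# listening ports so an unknown program that hooked startup and opened a
# port stands out. Run from an elevated PowerShell prompt.

$hooks = @()

# 1. Registry-based startup hooks (HKLM and HKCU Run / RunOnce keys)
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (Test-Path $key) {
        # PSPath, PSParentPath etc. are provider bookkeeping, not real values
        (Get-ItemProperty -Path $key).PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } |
            ForEach-Object {
                $hooks += [pscustomobject]@{ Source = $key; Name = $_.Name; Command = $_.Value }
            }
    }
}

# 2. Legacy INI hooks: load= / run= in WIN.INI, shell= in SYSTEM.INI
$iniChecks = @{
    "$env:windir\win.ini"    = '^\s*(load|run)\s*='
    "$env:windir\system.ini" = '^\s*shell\s*='
}
foreach ($ini in $iniChecks.Keys) {
    if (Test-Path $ini) {
        Select-String -Path $ini -Pattern $iniChecks[$ini] | ForEach-Object {
            $hooks += [pscustomobject]@{ Source = $ini; Name = 'ini'; Command = $_.Line.Trim() }
        }
    }
}

"== Startup hooks =="
$hooks | Format-Table -AutoSize

# 3. Listening TCP ports joined to the owning process and its image path
"== Listening TCP ports =="
Get-NetTCPConnection -State Listen | ForEach-Object {
    $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
    [pscustomobject]@{
        LocalPort = $_.LocalPort
        PID       = $_.OwningProcess
        Process   = $proc.ProcessName
        Path      = $proc.Path
    }
} | Sort-Object LocalPort | Format-Table -AutoSize
```

Compare the Command and Path columns against known-good software; a startup entry pointing at an unfamiliar executable that also owns a listening port matches the behaviour described above.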

Method of Infection

Backdoor trojans do not self-replicate. They spread manually, often under the premise that they are beneficial or wanted. They can either be stand-alone applications, or come bundled along with other Trojans/Rootkits.

Installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs.
Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Removal

A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.

Additional Windows ME/XP removal considerations

Variants

N/A