Content
BackDoor-COC
- Type
- Trojan
- SubType
- Remote Access
- Discovery Date
- 04/04/2005
- Length
- Minimum DAT
- 4432 (02/23/2005)
- Updated DAT
- 5835 (12/17/2009)
- Minimum Engine
- 5.1.00
- Description Added
- 02/23/2005
- Description Modified
- 07/07/2006 5:16 PM (PT)
Tab Navigation
Characteristics
When executed this Backdoor installs the following files in the system:
- c:\program files\outlook express\danz7.exe ( 144678 bytes )
- c:\program files\outlook express\666.exe ( 144667 bytes )
- c:\documents and settings\%USER%\local settings\temp\backdoor.log
- c:\documents and settings\%USER%\local settings\temp\dc.exe
The filenames can vary.
This trojan also loads itself at system startup.
Registry keys are created and can be noted as:
- hkey_current_user\software\microsoft\windows\currentversion\run
\bd=""C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\dc.exe"" - hkey_current_user\software\microsoft\windows\currentversion\run
\bd=""C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\k2.exe""
Symptoms
Presence of the files and registry keys mentioned .
The applications creates the following network connection(s):
- k2.exe server:network server address port:9123
- dc.exe server:network server address port:9123
Filenames can vary.
Method of Infection
Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial.
Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email, etc.
Removal
All Users:
Use specified engine and DAT files for detection and removal.
Variants
Variants
N/A
All Information
Overview -
This backdoor trojan attempts to query a remote DNS server with :
- danziger2007.[removed].com.au
- kontakt2.[removed].nu
Aliases
- Dropper.Agent.XX (GRISoft)
- Troj/Rasdoor-C (Sophos)
- Trojan-Dropper.Win32.Agent.aay (Kaspersky)
Characteristics
Characteristics -
When executed this Backdoor installs the following files in the system:
- c:\program files\outlook express\danz7.exe ( 144678 bytes )
- c:\program files\outlook express\666.exe ( 144667 bytes )
- c:\documents and settings\%USER%\local settings\temp\backdoor.log
- c:\documents and settings\%USER%\local settings\temp\dc.exe
The filenames can vary.
This trojan also loads itself at system startup.
Registry keys are created and can be noted as:
- hkey_current_user\software\microsoft\windows\currentversion\run
\bd=""C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\dc.exe"" - hkey_current_user\software\microsoft\windows\currentversion\run
\bd=""C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\k2.exe""
Symptoms
Symptoms -
Presence of the files and registry keys mentioned .
The applications creates the following network connection(s):
- k2.exe server:network server address port:9123
- dc.exe server:network server address port:9123
Filenames can vary.
Method of Infection
Method of Infection -
Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial.
Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email, etc.
Removal -
Removal -
All Users:
Use specified engine and DAT files for detection and removal.
Additional Windows ME/XP removal considerations
Variants
Variants -
N/A