Generic BackDoor.u

Type: Trojan
SubType: Win32
Discovery Date: 04/05/2005
Length: varies
Minimum DAT: 4461 (04/04/2005)
Updated DAT: 5786 (10/29/2009)
Minimum Engine: 5.1.00
Description Added: 04/04/2005
Description Modified: 05/08/2007 4:55 PM (PT)
Risk Assessment
    Corporate User: Low
    Home User: Low

Characteristics

Generic BackDoor.u is a generic detection name for trojans that open a backdoor and allow an attacker to issue commands that control the compromised machine. More information on Generic BackDoor detections is available here.

There are several variants of this trojan. This description is for a specific sample.


On execution, the trojan copies itself into %SystemDir% and drops a DLL into %SystemDir% as {random_name}.dIl. Here random_name means that the file name may differ between executions of the trojan; note that the extension is .dIl (with a capital I), not .dll.

It then registers the DLL as a COM object by creating registry entries under

    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{<DLL_CLSID>}\

(where <DLL_CLSID> is the CLSID that the trojan associates with the dropped DLL; it may differ each time the trojan executes. An example of <DLL_CLSID> is F3972BD9-2B47-3F3D-A42C-B2B13A2C187D.)


It also drops and loads another DLL from the following location:

    • X:\Documents and Settings\%User%\Local Settings\Temp\{random_name}.dll

(where X: is the system drive letter, e.g. C:, %User% is the current user's account name, and random_name means that the DLL's name may differ between executions of the trojan)


To activate itself again after a reboot, the trojan may add itself under the following registry key (RunOnce values are deleted once they have run, so the entry may already be absent on a machine that has restarted since infection):

    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
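The file and registry artifacts above can be checked from an offline registry dump. The following Python script is an added example, not code from the AVERT description: it parses a `reg export` style (.reg) dump of the CLSID and RunOnce keys and flags a COM in-process server whose path does not end in .dll (such as the .dIl lookalike), one loaded from a Temp directory, and any RunOnce value present. The dump, the file names and the CLSIDs other than F3972BD9-2B47-3F3D-A42C-B2B13A2C187D are constructed for illustration.

```python
import re
from typing import List, Tuple

# Constructed sample in `reg export` (.reg) format. The CLSID F3972BD9-... is the
# example from the description; every other key, value name and path is made up.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F3972BD9-2B47-3F3D-A42C-B2B13A2C187D}]
@="Shell Helper"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F3972BD9-2B47-3F3D-A42C-B2B13A2C187D}\InprocServer32]
@="C:\\WINDOWS\\system32\\qkxtrwe.dIl"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}\InprocServer32]
@="C:\\WINDOWS\\system32\\shell32.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\Documents and Settings\\alice\\Local Settings\\Temp\\zmbq.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"svchlp"="C:\\WINDOWS\\system32\\svchlp.exe"
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
# Either the default value (@) or a quoted value name, then '=' and the data.
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')
CLSID_INPROC_RE = re.compile(
    r"^HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\\{[0-9A-F-]{36}\}\\InprocServer32$",
    re.IGNORECASE,
)
RUNONCE_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"


def _unescape(s: str) -> str:
    """Undo .reg string escaping: a backslash escapes the following character."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text: str) -> List[Tuple[str, str, str]]:
    """Return (key, value_name, data) for every REG_SZ value in a .reg dump."""
    entries = []
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            name = "(Default)" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
            data = m.group(2)
            if data.startswith('"') and data.endswith('"'):  # string values only
                entries.append((key, name, _unescape(data[1:-1])))
    return entries


def suspicious_entries(text: str) -> List[Tuple[str, str, str]]:
    """Return (key, data, reason) for entries matching the artifacts described above."""
    findings = []
    for key, name, data in parse_reg(text):
        if CLSID_INPROC_RE.match(key) and name == "(Default)":
            path = data.strip().lower()
            ext = path.rsplit(".", 1)[-1] if "." in path else ""
            if ext != "dll":
                findings.append((key, data,
                                 f"COM in-process server extension is .{ext}, not .dll "
                                 "(lookalike such as .dIl)"))
            if "\\temp\\" in path:  # covers ...\Local Settings\Temp\ and %TEMP% variants
                findings.append((key, data, "COM in-process server loaded from a Temp directory"))
        elif key.lower() == RUNONCE_KEY.lower():
            # RunOnce is normally empty on a steady-state machine; review every value.
            findings.append((key + "\\" + name, data, "RunOnce value present; verify it is expected"))
    return findings


if __name__ == "__main__":
    for key, data, reason in suspicious_entries(SAMPLE_REG):
        print(f"{reason}\n  {key}\n  -> {data}")
```

To use it on a real system, export the two keys with `reg export` (for example `reg export HKLM\SOFTWARE\Classes\CLSID clsid.reg`), convert the UTF-16 output to text, and pass it to suspicious_entries.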


It then opens a backdoor and listens for commands. The port on which the backdoor listens may be random. Some of the commands it accepts may allow the remote attacker to:

    • Transfer files
    • Load/Unload DLL files
    • Query/Modify the system registry
    • Launch a DoS (denial-of-service) attack on a specified target
    • Shut down/Restart the compromised machine


Strings in the code suggest that the malware accepts the following list of commands:

    • RUNDLL
    • RESTART
    • RESPAWN
    • UNINSTALL
    • MULTICAST
    • RESOLVE
    • STATS
    • SETCOOKIE
    • DELCOOKIES
    • LISTCOOKIES
    • EXPORT
    • ADDTO
    • DELFROM
    • SETSTR
    • PERFRM
    • UNFREEZE
    • RMOLD
    • UNIFORG
    • SETWND
    • LSTWND
    • SHUTDOWN
    • DISKFLOOD
    • DISKUNFLOOD
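Because the command names are plain strings in the sample, the vocabulary above is usable for triaging suspect files. The Python scanner below is an added example, not code from the AVERT description: it searches a file's bytes for each command as a whole token in both ASCII and UTF-16LE, gives no weight to tokens that are common in benign software (that grouping and the threshold are assumptions of this example), and returns a verdict. The two sample blobs are constructed.

```python
import re
from typing import Dict, Tuple

# Command vocabulary taken from the description above.
BACKDOOR_COMMANDS = (
    "RUNDLL", "RESTART", "RESPAWN", "UNINSTALL", "MULTICAST", "RESOLVE", "STATS",
    "SETCOOKIE", "DELCOOKIES", "LISTCOOKIES", "EXPORT", "ADDTO", "DELFROM", "SETSTR",
    "PERFRM", "UNFREEZE", "RMOLD", "UNIFORG", "SETWND", "LSTWND", "SHUTDOWN",
    "DISKFLOOD", "DISKUNFLOOD",
)

# Assumption of this example: these tokens also occur in benign binaries
# (installers, service control code) and carry no weight on their own.
GENERIC_TOKENS = frozenset({"RUNDLL", "RESTART", "UNINSTALL", "RESOLVE",
                            "STATS", "EXPORT", "SHUTDOWN"})
RARE_THRESHOLD = 3  # assumption: three or more unusual tokens together is worth a look


def _patterns(cmd: str):
    """Whole-token patterns for the ASCII and UTF-16LE encodings of one command."""
    a = re.escape(cmd.encode("ascii"))
    w = re.escape(cmd.encode("utf-16-le"))
    # Negative look-arounds stop STATS from being counted inside e.g. LISTSTATS.
    return (re.compile(rb"(?<![A-Z0-9])" + a + rb"(?![A-Z0-9])"),
            re.compile(rb"(?<![A-Z0-9]\x00)" + w + rb"(?![A-Z0-9]\x00)"))


def find_command_strings(data: bytes) -> Dict[str, int]:
    """Count how often each command appears in data (ASCII + UTF-16LE)."""
    found = {}
    for cmd in BACKDOOR_COMMANDS:
        ascii_pat, wide_pat = _patterns(cmd)
        n = len(ascii_pat.findall(data)) + len(wide_pat.findall(data))
        if n:
            found[cmd] = n
    return found


def assess(data: bytes) -> Tuple[int, int, bool]:
    """Return (distinct commands found, distinct non-generic commands, suspicious?)."""
    found = find_command_strings(data)
    rare = [c for c in found if c not in GENERIC_TOKENS]
    return len(found), len(rare), len(rare) >= RARE_THRESHOLD


def scan_file(path: str) -> Tuple[int, int, bool]:
    with open(path, "rb") as fh:
        return assess(fh.read())


# Constructed test data: a fake PE-like blob carrying part of the vocabulary
# (one command stored as UTF-16LE), and a benign-looking blob with only generic tokens.
SAMPLE_BLOB = (
    b"MZ\x90\x00" + b"\x00" * 60
    + b"RESTART\x00RESPAWN\x00UNIFORG\x00RMOLD\x00PERFRM\x00SETWND\x00LSTWND\x00"
    + b"DISKFLOOD\x00DISKUNFLOOD\x00\x00"
    + "SETCOOKIE".encode("utf-16-le") + b"\x00\x00"
    + b"GetProcAddress\x00LoadLibraryA\x00"
)
BENIGN_BLOB = (
    b"MZ\x90\x00" + b"\x00" * 60
    + b"EXPORT\x00STATS\x00RESTART\x00SHUTDOWN\x00kernel32.dll\x00"
)

if __name__ == "__main__":
    for label, blob in (("sample", SAMPLE_BLOB), ("benign", BENIGN_BLOB)):
        total, rare, flag = assess(blob)
        print(f"{label}: {total} commands, {rare} unusual, suspicious={flag}")
        print("  ", find_command_strings(blob))
```

A hit on this check is a reason to pull the file for analysis, not a verdict on its own: a packed or encrypted sample will show none of the strings, and an unrelated program may legitimately use a few of the rarer words.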


Symptoms

  • Presence of the files and registry entries described above.
  • Unexpected network traffic, such as a listening port opened by an unrecognized process.
  • More information on symptoms of Generic BackDoor is available here.


Method of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, etc.


Removal

AVERT recommends always using the latest DATs and engine. This threat will be cleaned if you have this combination.

Additional Windows ME/XP removal considerations

Variants

    N/A
