McAfee > Theat Center > Virus Detail Page

Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Aliases

• Downloader.Small.33.S - AVG

• Troj/Exemas-A - Sophos

• Trojan-Downloader.Win32.Exemas.10 - Kaspersky

Characteristics

Backdoor-CSN is a Remote Access Trojan consisting of a server component, client component and a server editor component.

The characteristics of this Trojan with regards to the file names, port number used, etc will differ, depending on the way in which the attacker had configured it.

Hence, this is a general description.

Server Component:

When the server component is executed, the Trojan drops the following files:

• C:\Winnt\system32\Trojan.exe
  Size: 2,349 bytes

The following Registry entries are modified, so the Trojan runs on startup:

• Hkey_Local_Machine\Software\Microsoft\Windows\
  CurrentVersion\Run “ “
  Data: C:\Winnt\System32\Trojan.exe

Once running, the server component connects to a predefined IP address on a predefined TCP port, awaiting commands from the attacker using the client component.

Client Component:

The client component runs on the attacker’s computer, and connects to the server component on the victim’s machine remotely.

The following are a list of some of the functions that are available to the attacker:

• Remotely download files from URLs
• Remotely execute the downloaded files

Server Editor Component:

The server editor component is used by the attacker to create the server component.

The editor component is also used for the following:

• Change the Port Number/IP address to which the Trojan connects to
• Change the server executables’ name
• Change the name of the Registry startup entry

Miscellaneous information:

• Software based firewall, if any on the machine might not alert about the Trojan trying to connect to the Internet. This is because; the Trojan uses the Internet Explorer to connect to the Internet
• The authors intended name for this Trojan in Bandook.

Symptoms

• Presence of the files/Registry keys mentioned above
• Unexplained activity on the victim's machine indicative of
  someone having remote access via the client component

Method of Infection

• Trojans do not self-replicate. They spread manually, often under the premise that the executable is something beneficial
• Trojans may also be received as a result of poor security practices, or un-patched machines and vulnerable systems
• Distribution channels include IRC, peer-to-peer networks, email, newsgroups postings, etc

Removal

A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.

Additional Windows ME/XP removal considerations

Variants

Variants

N/A

All Information

Overview -

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Aliases

• Downloader.Small.33.S - AVG

• Troj/Exemas-A - Sophos

• Trojan-Downloader.Win32.Exemas.10 - Kaspersky

Characteristics

Characteristics -

Backdoor-CSN is a Remote Access Trojan consisting of a server component, client component and a server editor component.

The characteristics of this Trojan with regards to the file names, port number used, etc will differ, depending on the way in which the attacker had configured it.

Hence, this is a general description.

Server Component:

When the server component is executed, the Trojan drops the following files:

• C:\Winnt\system32\Trojan.exe
  Size: 2,349 bytes

The following Registry entries are modified, so the Trojan runs on startup:

• Hkey_Local_Machine\Software\Microsoft\Windows\
  CurrentVersion\Run “ “
  Data: C:\Winnt\System32\Trojan.exe

Once running, the server component connects to a predefined IP address on a predefined TCP port, awaiting commands from the attacker using the client component.

Client Component:

The client component runs on the attacker’s computer, and connects to the server component on the victim’s machine remotely.

The following are a list of some of the functions that are available to the attacker:

• Remotely download files from URLs
• Remotely execute the downloaded files

Server Editor Component:

The server editor component is used by the attacker to create the server component.

The editor component is also used for the following:

• Change the Port Number/IP address to which the Trojan connects to
• Change the server executables’ name
• Change the name of the Registry startup entry

Miscellaneous information:

• Software based firewall, if any on the machine might not alert about the Trojan trying to connect to the Internet. This is because; the Trojan uses the Internet Explorer to connect to the Internet
• The authors intended name for this Trojan in Bandook.

Symptoms

Symptoms -

• Presence of the files/Registry keys mentioned above
• Unexplained activity on the victim's machine indicative of
  someone having remote access via the client component

Method of Infection

Method of Infection -

• Trojans do not self-replicate. They spread manually, often under the premise that the executable is something beneficial
• Trojans may also be received as a result of poor security practices, or un-patched machines and vulnerable systems
• Distribution channels include IRC, peer-to-peer networks, email, newsgroups postings, etc

Removal -

Removal -

A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.

Additional Windows ME/XP removal considerations

Variants

Variants -

N/A