BackDoor-CWA

Type: Trojan
SubType: Remote Access
Discovery Date: 12/05/2005
Length: Varies
Minimum DAT: 4643 (12/05/2005)
Updated DAT: 5313 (06/09/2008)
Minimum Engine: 5.1.00
Description Added: 12/05/2005
Description Modified: 10/27/2006 7:14 PM (PT)
Risk Assessment
Corporate User: Low
Home User: Low

Characteristics

The Trojan establishes itself as a system service in order to ensure it runs whenever the system is active.  Versions have been seen that use Apple's iPod Hardware Management Services name ("iPodSrv") or the name of Microsoft's Internet Authentication Service ("IAS").

Files Added

Either one or two DLLs are used.  In the case of the "IAS" named version:

  • %WinDir%\System32\iasrv.dll (19 KB)

The "iPodSrv" version makes use of two separate files:

  • %WinDir%\System32\ntmorlib.dll (12 KB)
  • %WinDir%\System32\ipodsrv.dll (7 KB)

Registry

The following registry keys are created in the case of the IAS named package:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IAS
    "Description"="(hex data)"
    "ObjectName"="LocalSystem"
    "DisplayName"="Internet Authentication Service"
    "ImagePath"="C:\WINDOWS\System32\svchost.exe -k netsvcs"
    "ErrorControl"="1"
    "Start"="2"
    "Type"="32"

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IAS\Enum
    "NextInstance"="1"
    "Count"="1"
    "0"="Root\LEGACY_IAS\0000"

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IAS\Security
    "Security"="(hex data)"

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IAS\Parameters
    "ServiceDll"="C:\Windows\System32\iasrv.dll"

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_IAS

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_IAS\0000
    "DeviceDesc"="Internet Authentication Service"
    "ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"
    "Class"="LegacyDriver"
    "ConfigFlags"="0"
    "Legacy"="1"
    "Service"="IAS"

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_IAS\0000\Control
    "ActiveService"="IAS"
    "*NewlyCreated*"="0"

For the "iPodSrv" version the following keys were seen:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\iPodSrv
    "ObjectName"="LocalSystem"
    "DisplayName"="iPod System Driver Provider"
    "ImagePath"="C:\WINDOWS\System32\svchost.exe -k iPod"
    "ErrorControl"="1"
    "Start"="2"
    "Type"="32"

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\iPodSrv\Enum
    "NextInstance"="1"
    "Count"="1"
    "0"="Root\LEGACY_IPODSRV\0000"

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\iPodSrv\Parameters
    "Interactive"="0"
    "ServiceDll"="C:\WINDOWS\system32\iPodSrv.dll"

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\iPodSrv\Security

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_IPODSRV

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_IPODSRV\0000
    "DeviceDesc"="iPod System Driver Provider"
    "ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"
    "Class"="LegacyDriver"
    "ConfigFlags"="0"
    "Legacy"="1"
    "Service"="iPodSrv"

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_IPODSRV\0000\Control
    "ActiveService"="iPodSrv"
    "*NewlyCreated*"="0"

Symptoms

The presence of any of the files or possibly the registry keys previously listed. Note that many of the service registry keys will also be present on systems with the Internet Authentication Service or iTunes software legitimately installed. Therefore their presence does not guarantee that a system has been infected.
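Because a legitimate IAS or iTunes install creates service keys with the same names, a triage check should key on the ServiceDll file name rather than on the service key. The script below is an added example (not McAfee's tooling) that parses the text of a `reg export` of the Services key and reports svchost-hosted services whose ServiceDll is one of the DLLs listed under Files Added. The export text it runs on is constructed for the example; the DHCP Client entry and its DLL name are only a stand-in for a benign svchost service.

```python
"""Triage svchost-hosted services in a .reg export for the DLL names listed above.

Added example, not McAfee's tooling. Matching on the ServiceDll file name is
deliberate: a legitimately installed IAS or iTunes creates service keys with
the same names, so the key name alone proves nothing.
"""
import re

# DLL file names taken from the Files Added section (compared case-insensitively).
KNOWN_BAD_DLLS = {"iasrv.dll", "ipodsrv.dll", "ntmorlib.dll"}

SERVICES_PREFIX = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\"

# Constructed .reg text: one benign svchost service plus the two service
# definitions quoted in the Registry section. .reg files double every backslash.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp]
"DisplayName"="DHCP Client"
"ImagePath"="%SystemRoot%\\system32\\svchost.exe -k netsvcs"
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp\Parameters]
"ServiceDll"="%SystemRoot%\\System32\\dhcpcsvc.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IAS]
"DisplayName"="Internet Authentication Service"
"ObjectName"="LocalSystem"
"ImagePath"="C:\\WINDOWS\\System32\\svchost.exe -k netsvcs"
"Start"=dword:00000002
"Type"=dword:00000020

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IAS\Parameters]
"ServiceDll"="C:\\Windows\\System32\\iasrv.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\iPodSrv]
"DisplayName"="iPod System Driver Provider"
"ObjectName"="LocalSystem"
"ImagePath"="C:\\WINDOWS\\System32\\svchost.exe -k iPod"
"Start"=dword:00000002
"Type"=dword:00000020

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\iPodSrv\Parameters]
"Interactive"=dword:00000000
"ServiceDll"="C:\\WINDOWS\\system32\\iPodSrv.dll"
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(?:"(.*)"|(dword:[0-9a-fA-F]{8}))$')


def parse_reg_export(text):
    """Return {key_path: {value_name: value}} for string and dword values."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, string_value, dword_value = m.groups()
            if string_value is not None:
                keys[current][name] = string_value.replace("\\\\", "\\")  # undo .reg escaping
            else:
                keys[current][name] = int(dword_value[len("dword:"):], 16)
    return keys


def triage_svchost_services(keys):
    """List svchost-hosted services whose ServiceDll file name is a known-bad name."""
    findings = []
    for path, values in keys.items():
        if not path.startswith(SERVICES_PREFIX):
            continue
        service = path[len(SERVICES_PREFIX):]
        if "\\" in service:  # subkeys (Parameters, Enum, ...) are looked up below
            continue
        image = values.get("ImagePath", "")
        if "svchost.exe" not in image.lower():
            continue
        dll = keys.get(path + "\\Parameters", {}).get("ServiceDll", "")
        if dll.rsplit("\\", 1)[-1].lower() in KNOWN_BAD_DLLS:
            findings.append({"service": service,
                             "display_name": values.get("DisplayName", ""),
                             "image_path": image, "service_dll": dll})
    return findings


if __name__ == "__main__":
    for f in triage_svchost_services(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(f"{f['service']}: {f['service_dll']} ({f['image_path']})")
```

A hit from this check still needs the DLL on disk confirmed (and ideally scanned) before calling the host infected; conversely, a service named IAS or iPodSrv whose ServiceDll is something else is not flagged, which is the point of the caveat above.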

The Trojan attempts to make regular but brief TCP communications (approximately every 30-40 seconds) with www.usaaservice.com while running, though no appreciable data appeared to be transferred.  The outgoing port number used was incremented for each such communication (beginning around TCP 1050).  Communications were also observed (in the case of the "iPodSrv" version) to locations within the 3322.org domain.  Additional analysis suggests the software may be able to accept a range of commands to perform operations on or provide remote terminal access to the host system.
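The network behaviour described above (short connections to one host at a steady 30-40 second cadence, with the outgoing port climbing by one each time) is a beaconing pattern that can be spotted in outbound connection records without inspecting payload. The following is an added example, not part of the original description: it groups connection records by destination, measures the regularity of the inter-connection gaps and whether the source port increments, and reports destinations that fit. The records and the thresholds are constructed assumptions chosen to match the text, not values from McAfee's analysis.

```python
"""Flag destinations contacted at a near-constant interval with climbing source ports.

Added example, not from the original description. Interval bounds, jitter
tolerance and minimum sample size are assumptions picked to match the
30-40 second cadence described above.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed records: (epoch seconds, source port, destination host).
# First group mimics the described beacon; second is irregular browsing traffic.
SAMPLE_CONNECTIONS = [
    (1000.0, 1050, "www.usaaservice.com"),
    (1033.0, 1051, "www.usaaservice.com"),
    (1069.0, 1052, "www.usaaservice.com"),
    (1104.0, 1053, "www.usaaservice.com"),
    (1138.0, 1054, "www.usaaservice.com"),
    (1172.0, 1055, "www.usaaservice.com"),
    (1005.0, 2011, "www.example.org"),
    (1007.0, 2012, "www.example.org"),
    (1090.0, 2020, "www.example.org"),
    (1091.0, 2021, "www.example.org"),
    (1200.0, 2033, "www.example.org"),
]


def find_beacons(connections, min_interval=30.0, max_interval=40.0,
                 max_jitter=0.15, min_connections=4, max_port_step=5):
    """Return one finding per destination whose connection gaps average between
    min_interval and max_interval seconds with low jitter (pstdev relative to
    the mean). Each finding also records whether the source port rose by a
    small step on every connection, as described for this Trojan."""
    by_host = defaultdict(list)
    for ts, sport, host in connections:
        by_host[host].append((ts, sport))

    findings = []
    for host, events in by_host.items():
        events.sort()  # order by timestamp
        if len(events) < min_connections:
            continue
        gaps = [later[0] - earlier[0] for earlier, later in zip(events, events[1:])]
        avg = mean(gaps)
        if not (min_interval <= avg <= max_interval):
            continue
        if pstdev(gaps) > max_jitter * avg:
            continue  # cadence too irregular to call a beacon
        steps = [later[1] - earlier[1] for earlier, later in zip(events, events[1:])]
        findings.append({
            "host": host,
            "connections": len(events),
            "mean_interval_s": round(avg, 1),
            "first_src_port": events[0][1],
            "src_port_increments": all(1 <= s <= max_port_step for s in steps),
        })
    return findings


if __name__ == "__main__":
    for f in find_beacons(SAMPLE_CONNECTIONS):
        print(f"{f['host']}: {f['connections']} connections every ~{f['mean_interval_s']}s, "
              f"source ports from {f['first_src_port']}, incrementing={f['src_port_increments']}")
```

Regular cadence alone is weak evidence (keepalives and update checks are periodic too), so treat a hit as a lead to correlate with the service and file indicators above rather than as proof on its own.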

Method of Infection

The Trojan infects the system when launched by the user, or may utilize a dropper (see BackDoor-CWA.dr). Though not confirmed by McAfee, there have been reports of the Trojan arriving as an attachment via email.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

    N/A

Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.