BackDoor-CXD

Type: Trojan
SubType: Remote Access
Discovery Date: 01/16/2006
Length: 761,856 Bytes
Minimum DAT: 4675 (01/16/2006)
Updated DAT: 4777 (06/05/2006)
Minimum Engine: 5.1.00
Description Added: 01/16/2006
Description Modified: 02/01/2006 1:15 AM (PT)
Risk Assessment
Corporate User: Low
Home User: Low

Characteristics

This detection is for a remote access trojan detected as BackDoor.CXD.

Installation

Upon execution, the trojan copies itself into the %WinDir% directory as Hacker.com.cn.exe.

(where %WinDir% is the Windows directory, for example C:\WINDOWS)

For example:

c:\windows\Hacker.com.cn.exe

The following Registry keys are added to register the trojan as a service so that it is started at system startup:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\GrayPigeon_Hacker.com.cn
  "DisplayName" = "GrayPigeon_Hacker.com.cn"
  "ErrorControl" = "00, 00, 00, 00"
  "ImagePath" = "%WinDir%\Hacker.com.cn.exe"
  "ObjectName" = "LocalSystem"
  "Start" = "02, 00, 00, 00"
  "Type" = "10, 01, 00, 00"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\GrayPigeon_Hacker.com.cn\Enum
  "0" = "Root\LEGACY_GRAYPIGEON_HACKER.COM.CN\0000"
  "Count" = "01, 00, 00, 00"
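As an added example (not part of the McAfee advisory), the following Python decodes the little-endian REG_DWORD values listed above for the GrayPigeon_Hacker.com.cn service into their Service Control Manager meanings and collects the persistence findings a responder would record. The service values are copied from the listing above; the triage logic and the names of the helper functions are my own.

```python
# Added example: decode the service registry values from the advisory.
# Values such as "02, 00, 00, 00" are REG_DWORDs printed as little-endian hex bytes.

def dword_from_bytes(text: str) -> int:
    """Parse '02, 00, 00, 00' (little-endian hex bytes) into an integer."""
    raw = bytes(int(b, 16) for b in text.replace('"', "").split(","))
    return int.from_bytes(raw, "little")

# SCM constants for the Start, ErrorControl and Type values (Windows SDK winnt.h).
START_NAMES = {0: "BOOT_START", 1: "SYSTEM_START", 2: "AUTO_START",
               3: "DEMAND_START", 4: "DISABLED"}
ERROR_NAMES = {0: "IGNORE", 1: "NORMAL", 2: "SEVERE", 3: "CRITICAL"}
TYPE_FLAGS = {0x1: "KERNEL_DRIVER", 0x2: "FILE_SYSTEM_DRIVER",
              0x10: "WIN32_OWN_PROCESS", 0x20: "WIN32_SHARE_PROCESS",
              0x100: "INTERACTIVE_PROCESS"}

def describe_type(value: int) -> list:
    """Expand the Type bitmask into the flag names that are set."""
    return [name for bit, name in TYPE_FLAGS.items() if value & bit]

# Copied from the advisory's listing of the GrayPigeon_Hacker.com.cn service key.
SERVICE_VALUES = {
    "DisplayName": "GrayPigeon_Hacker.com.cn",
    "ImagePath": r"%WinDir%\Hacker.com.cn.exe",
    "ObjectName": "LocalSystem",
    "ErrorControl": "00, 00, 00, 00",
    "Start": "02, 00, 00, 00",
    "Type": "10, 01, 00, 00",
}

def triage_service(values: dict) -> dict:
    """Decode the DWORD fields and note what they mean for persistence/privilege."""
    start = dword_from_bytes(values["Start"])
    svc_type = dword_from_bytes(values["Type"])
    errctl = dword_from_bytes(values["ErrorControl"])
    findings = []
    if START_NAMES.get(start) == "AUTO_START":
        findings.append("starts automatically at boot (persistence)")
    if svc_type & 0x100:
        findings.append("may interact with the user's desktop")
    if values.get("ObjectName", "").lower() == "localsystem":
        findings.append("runs with LocalSystem privileges")
    if values.get("ImagePath", "").lower().endswith("hacker.com.cn.exe"):
        findings.append("ImagePath is the dropped file named in the advisory")
    return {"start": START_NAMES.get(start, start),
            "type": describe_type(svc_type),
            "error_control": ERROR_NAMES.get(errctl, errctl),
            "findings": findings}
```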

Remote Access Functionality

The client component offers the attacker many functions, including:

  • Sending popup messages
  • Executing any DOS command
  • Playing, stopping, opening and closing the CD drive
  • Forcing the user to log off
  • Disabling double-click on the victim machine
  • Opening specific websites in the browser
  • Uploading, downloading and executing files on the victim machine

Symptoms

  • Existence of the files/Registry keys detailed above

Method of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email, etc.

Removal

All Users:
Use current engine and DAT files for detection. Delete any file which contains this detection.

Additional Windows ME/XP removal considerations

Variants

N/A

Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.
