Content

BackDoor-CXI

Type
Trojan
SubType
Remote Access
Discovery Date
01/26/2006
Length
Varies
Minimum DAT
4684 (01/27/2006)
Updated DAT
6540 (11/24/2011)
Minimum Engine
5.1.00
Description Added
01/26/2006
Description Modified
01/26/2006 7:13 PM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Tab Navigation

Characteristics

This detection is for a remote access trojan.It is recently known to be installed silently by an application installer of Chinese origin. This installer claims to install a memory compression application but it is also possible that other variants could install other applications. It is advised that applications be downloaded and installed only from reliable sources.

Upon execution, this trojan runs in the memory space of Explorer.exe, a Windows system process.

Installation

Upon execution, the trojan installs itself into the %Sysdir% directory as rejoice.dll and rejoice.exe.

(Where %Sysdir% is the Windows System directory, for example C:\WINDOWS\SYSTEM32)

For example:

C:\Windows\System32\rejoice.exe

The following Registry key(s) is/are added to hook system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe %Sysdir%\rejoice.exe"

Remote Access Functionality

Once running on the victim machine, the server component connects to a remote server on TCP Port 8080. This trojan enables the malicious user the capability to:

  • Capture desktop image
  • Enumerate and suspend/kill running process(es)
  • Enumerate and modify registry keys
  • Obtain a file listing of the victim hard disk(s)
  • Execute any system command 
  • Enable file sharing on the victim machine
  • Upload/download/execute files on the victim machine

The remote server may not be hosted on a static location. The trojan downloads the updated server IP information from the website:

  • www.jm-my.com

Symptoms

Non-compliant application traffic over the following port(s), evading simple desktop and perimeter firewall settings:

 Type  Port Number  Standard Port for
 TCP  8080  HTTP Proxy

HTTP connection to the following website on TCP Port 80:

  • www.jm-my.com

Unexpected outgoing traffic over the above mentioned ports - permission request on your desktop firewall from the following process:

  • Windows Explorer (explorer.exe )

Existence of the files/Registry keys detailed above.

Method of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email, etc.

Removal

All Users:

Please use the following instructions for all supported versions of Windows to remove threats and other potential risks:

1.Disable System Restore .

2.Update to current engine and DAT files for detection and removal.

3.Run a complete system scan.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

1. Please go to the Microsoft Recovery Console and restore a clean MBR.

On windows XP:

Insert the Windows XP CD into the CD-ROM drive and restart the computer.
When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
Select the Windows installation that is compromised and provide the administrator password
Issue 'fixmbr' command to restore the Master Boot Record
Follow onscreen instructions
Reset and remove the CD from CD-ROM drive.


On Windows Vista and 7:

Insert the Windows CD into the CD-ROM drive and restart the computer.
Click on "Repair Your Computer"
When the System Recovery Options dialog comes up, choose the Command Prompt.
Issue 'bootrec /fixmbr' command to restore the Master Boot Record
Follow onscreen instructions
Reset and remove the CD from CD-ROM drive.

Variants

Variants

    N/A

All Information

Overview -

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Characteristics

Characteristics -

This detection is for a remote access trojan.It is recently known to be installed silently by an application installer of Chinese origin. This installer claims to install a memory compression application but it is also possible that other variants could install other applications. It is advised that applications be downloaded and installed only from reliable sources.

Upon execution, this trojan runs in the memory space of Explorer.exe, a Windows system process.

Installation

Upon execution, the trojan installs itself into the %Sysdir% directory as rejoice.dll and rejoice.exe.

(Where %Sysdir% is the Windows System directory, for example C:\WINDOWS\SYSTEM32)

For example:

C:\Windows\System32\rejoice.exe

The following Registry key(s) is/are added to hook system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe %Sysdir%\rejoice.exe"

Remote Access Functionality

Once running on the victim machine, the server component connects to a remote server on TCP Port 8080. This trojan enables the malicious user the capability to:

  • Capture desktop image
  • Enumerate and suspend/kill running process(es)
  • Enumerate and modify registry keys
  • Obtain a file listing of the victim hard disk(s)
  • Execute any system command 
  • Enable file sharing on the victim machine
  • Upload/download/execute files on the victim machine

The remote server may not be hosted on a static location. The trojan downloads the updated server IP information from the website:

  • www.jm-my.com

Symptoms

Symptoms -

Non-compliant application traffic over the following port(s), evading simple desktop and perimeter firewall settings:

 Type  Port Number  Standard Port for
 TCP  8080  HTTP Proxy

HTTP connection to the following website on TCP Port 80:

  • www.jm-my.com

Unexpected outgoing traffic over the above mentioned ports - permission request on your desktop firewall from the following process:

  • Windows Explorer (explorer.exe )

Existence of the files/Registry keys detailed above.

Method of Infection

Method of Infection -

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email, etc.

Removal -

Removal -

All Users:

Please use the following instructions for all supported versions of Windows to remove threats and other potential risks:

1.Disable System Restore .

2.Update to current engine and DAT files for detection and removal.

3.Run a complete system scan.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

1. Please go to the Microsoft Recovery Console and restore a clean MBR.

On windows XP:

Insert the Windows XP CD into the CD-ROM drive and restart the computer.
When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
Select the Windows installation that is compromised and provide the administrator password
Issue 'fixmbr' command to restore the Master Boot Record
Follow onscreen instructions
Reset and remove the CD from CD-ROM drive.


On Windows Vista and 7:

Insert the Windows CD into the CD-ROM drive and restart the computer.
Click on "Repair Your Computer"
When the System Recovery Options dialog comes up, choose the Command Prompt.
Issue 'bootrec /fixmbr' command to restore the Master Boot Record
Follow onscreen instructions
Reset and remove the CD from CD-ROM drive.

Variants

Variants -

    N/A