Content

BackDoor-CXI

Type
Trojan
SubType
Remote Access
Discovery Date
01/26/2006
Length
Varies
Minimum DAT
4684 (01/27/2006)
Updated DAT
5807 (11/19/2009)
Minimum Engine
5.1.00
Description Added
01/26/2006
Description Modified
01/26/2006 7:13 PM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Tab Navigation

Characteristics

This detection is for a remote access trojan.It is recently known to be installed silently by an application installer of Chinese origin. This installer claims to install a memory compression application but it is also possible that other variants could install other applications. It is advised that applications be downloaded and installed only from reliable sources.

Upon execution, this trojan runs in the memory space of Explorer.exe, a Windows system process.

Installation

Upon execution, the trojan installs itself into the %Sysdir% directory as rejoice.dll and rejoice.exe.

(Where %Sysdir% is the Windows System directory, for example C:\WINDOWS\SYSTEM32)

For example:

C:\Windows\System32\rejoice.exe

The following Registry key(s) is/are added to hook system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe %Sysdir%\rejoice.exe"

Remote Access Functionality

Once running on the victim machine, the server component connects to a remote server on TCP Port 8080. This trojan enables the malicious user the capability to:

  • Capture desktop image
  • Enumerate and suspend/kill running process(es)
  • Enumerate and modify registry keys
  • Obtain a file listing of the victim hard disk(s)
  • Execute any system command 
  • Enable file sharing on the victim machine
  • Upload/download/execute files on the victim machine

The remote server may not be hosted on a static location. The trojan downloads the updated server IP information from the website:

  • www.jm-my.com

Symptoms

Non-compliant application traffic over the following port(s), evading simple desktop and perimeter firewall settings:

 Type  Port Number  Standard Port for
 TCP  8080  HTTP Proxy

HTTP connection to the following website on TCP Port 80:

  • www.jm-my.com

Unexpected outgoing traffic over the above mentioned ports - permission request on your desktop firewall from the following process:

  • Windows Explorer (explorer.exe )

Existence of the files/Registry keys detailed above.

Method of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email, etc.

Removal

AVERT recommends to always use latest DATs and engine. This threat will be cleaned if you have this combination.

Additional Windows ME/XP removal considerations

Variants

Variants

    N/A

All Information

Overview -

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Characteristics

Characteristics -

This detection is for a remote access trojan.It is recently known to be installed silently by an application installer of Chinese origin. This installer claims to install a memory compression application but it is also possible that other variants could install other applications. It is advised that applications be downloaded and installed only from reliable sources.

Upon execution, this trojan runs in the memory space of Explorer.exe, a Windows system process.

Installation

Upon execution, the trojan installs itself into the %Sysdir% directory as rejoice.dll and rejoice.exe.

(Where %Sysdir% is the Windows System directory, for example C:\WINDOWS\SYSTEM32)

For example:

C:\Windows\System32\rejoice.exe

The following Registry key(s) is/are added to hook system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe %Sysdir%\rejoice.exe"

Remote Access Functionality

Once running on the victim machine, the server component connects to a remote server on TCP Port 8080. This trojan enables the malicious user the capability to:

  • Capture desktop image
  • Enumerate and suspend/kill running process(es)
  • Enumerate and modify registry keys
  • Obtain a file listing of the victim hard disk(s)
  • Execute any system command 
  • Enable file sharing on the victim machine
  • Upload/download/execute files on the victim machine

The remote server may not be hosted on a static location. The trojan downloads the updated server IP information from the website:

  • www.jm-my.com

Symptoms

Symptoms -

Non-compliant application traffic over the following port(s), evading simple desktop and perimeter firewall settings:

 Type  Port Number  Standard Port for
 TCP  8080  HTTP Proxy

HTTP connection to the following website on TCP Port 80:

  • www.jm-my.com

Unexpected outgoing traffic over the above mentioned ports - permission request on your desktop firewall from the following process:

  • Windows Explorer (explorer.exe )

Existence of the files/Registry keys detailed above.

Method of Infection

Method of Infection -

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email, etc.

Removal -

Removal -

AVERT recommends to always use latest DATs and engine. This threat will be cleaned if you have this combination.

Additional Windows ME/XP removal considerations

Variants

Variants -

    N/A