Content

BackDoor-CXL

Type
Trojan
SubType
Remote Access
Discovery Date
02/02/2006
Length
74.126 (exe) , 47.616 (dll)
Minimum DAT
4688 (02/02/2006)
Updated DAT
4754 (05/03/2006)
Minimum Engine
5.1.00
Description Added
02/02/2006
Description Modified
02/15/2006 4:57 AM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Tab Navigation

Characteristics

Detection was added for a malicious 32 bit PE file originally called "it.exe " ,having a filesize of 74.126 bytes decimal.

Upon running, it runs silently, no gui message-boxes or other interfaces appear. In the test environment this file didn't get copied/moved to another location.

It drops another .dll file called "dao360.dll " ,having a filesize of 47.616 bytes. The file is placed into the "Windows" directory.

The files are internally compressed using Aspack and also a Nullsoft installer package is abused.

Remote Access Functionality:

Once running on the victim machine, the server component opens a socket accepting commands sent from the client component. The client component offers many functions to the hacker, including: 

  • Sending popup messages
  • Executing any DOS command
  • Playing, stopping, opening closing the CD
  • Force the user to log off
  • Disabling double-click on the victim machine
  • Opening specific websites with the browser
  • Upload/download/execute files on the victim machine

It created registry entries under:

  • HKLM\software\classes\gads_root.aceess\clsid
    ="{FBBD2079-2F32-419C-AD85-089F0C1B8DD9}"
  • HKLM\software\classes\clsid\{fbbd2079-2f32-419c
    -ad85-089f0c1b8dd9}\progid="Gads_root.Aceess.1"
  • HKLM\software\classes\gads_root.aceess\curver
    ="Gads_root.Aceess.1"
  • HKLM\software\classes\gads_root.aceess="MS Access"


    • Symptoms

    • Existence of the files/Registry keys detailed above
    • Unexpected network traffic

    Method of Infection

    Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email, etc.

    Removal

    All Users:
    Use current engine and DAT files for detection and removal.

    Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

    Additional Windows ME/XP removal considerations

    Variants

    Variants

      N/A

    All Information

    Overview -

    This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

    Aliases

    • Backdoor.Trojan (Symantec)
    • Backdoor.Win32.Agent.UE (Ikarus)
    • Backdoor.Win32.Agent.ue (Kaspersky)
    • Bck/Agent.BHB (Panda)
    • Trojan.DownLoader.6709 (DrWeb)

    Characteristics

    Characteristics -

    Detection was added for a malicious 32 bit PE file originally called "it.exe " ,having a filesize of 74.126 bytes decimal.

    Upon running, it runs silently, no gui message-boxes or other interfaces appear. In the test environment this file didn't get copied/moved to another location.

    It drops another .dll file called "dao360.dll " ,having a filesize of 47.616 bytes. The file is placed into the "Windows" directory.

    The files are internally compressed using Aspack and also a Nullsoft installer package is abused.

    Remote Access Functionality:

    Once running on the victim machine, the server component opens a socket accepting commands sent from the client component. The client component offers many functions to the hacker, including: 

    • Sending popup messages
    • Executing any DOS command
    • Playing, stopping, opening closing the CD
    • Force the user to log off
    • Disabling double-click on the victim machine
    • Opening specific websites with the browser
    • Upload/download/execute files on the victim machine

    It created registry entries under:

  • HKLM\software\classes\gads_root.aceess\clsid
    ="{FBBD2079-2F32-419C-AD85-089F0C1B8DD9}"
  • HKLM\software\classes\clsid\{fbbd2079-2f32-419c
    -ad85-089f0c1b8dd9}\progid="Gads_root.Aceess.1"
  • HKLM\software\classes\gads_root.aceess\curver
    ="Gads_root.Aceess.1"
  • HKLM\software\classes\gads_root.aceess="MS Access"


    • Symptoms

    Symptoms -

    • Existence of the files/Registry keys detailed above
    • Unexpected network traffic

    Method of Infection

    Method of Infection -

    Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email, etc.

    Removal -

    Removal -

    All Users:
    Use current engine and DAT files for detection and removal.

    Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

    Additional Windows ME/XP removal considerations

    Variants

    Variants -

      N/A