McAfee > Theat Center > Virus Detail Page

Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Aliases

• Backdoor.Win32.Cakl.b : Kaspersky

• Trojan.Cakl-1 : ClamAV

• Win32/Cakl trojan : Nod32

• Win32/ProcHide.C : CA Vet

Characteristics

Backdoor-CZP is a Remote Access Trojan consisting of a server component, client component and a server editor component.

The characteristics of this Trojan with regards to the file names, port number used, etc will differ, depending on the way in which the attacker had configured it. Hence, this is a general description.

Server Component:

When the server component is executed, the Trojan drops the following files:

• %System%\ldapi32.exe
• %System%\ntcvx32.dll
• %System%\ntswrl32.dll
• %System%\vssms32.exe

In an attempt to make the dropped files harder to find, the files may their attributes changed to hidden and system.

Note: %System% is a variable location and refers to the windows system directory.

The following Registry entry is modified, so the Trojan runs on startup:

• Hkey_Local_Machine\Software\Microsoft\Windows\CurrentVersion
  \Run "vssms32"
  Data: C:\WINDOWS\System32\vssms32.exe

Once running, the server component connects to a predefined IP address on TCP port 15963, awaiting commands from the attacker using the client component.

Information such as the following may also be sent to the attacker:

• IP Address of the victim
• Port number the server is listening on
• Victim’s name
• Computer Name
• Date & Time

Client Component:

The client component runs on the attacker’s computer, and connects to the server component on the victim’s machine remotely.

The following are a list of some of the functions that are available to the attacker:

• Process Manager (List, kill running processes)
• File Manager (List, upload, download, delete)
• Registry Manager (Browse Registry, add, edit, delete keys)
• Windows Manager (Browse, close, maximize/minimize, rename)
• Get system information
• Extract passwords from machine
• Key logger
• Read/Modify contents of the clipboard
• Screen capture
• Pranks played on the victim (Hiding desktop icons, start button, taskbar, opening and closing CD-Rom)
• Desktop logoff, reboot or shutdown
• FTP-server, Telnet-Server
• Format drives

Server Editor Component:

The server editor component is used by the attacker to create the server component.

The editor component can be used to create a server with the following extensions:

• Bat
• Scr

The editor component is also used for the following:

• Change the Icon for the server created, to make it look legitimate
• Bind the server with another legitimate executable
• Change the IP address and the port number the Trojan has to connect to once running

Symptoms

• Desktop firewall program alerting that a foreign program is trying to access the internet
• Presence of the files/Registry keys mentioned above
• Unexplained activity on the victim's machine indicative of someone having remote access via the client component
• The server component attempts to kill various processes (AV scanners, firewall products etc.)
  

Method of Infection

Trojans do not self-replicate. They spread manually, often under the premise that the executable is something beneficial.
Trojans may also be received as a result of poor security practices, or un-patched machines and vulnerable systems.
Distribution channels include IRC, peer-to-peer networks, email, newsgroups postings, etc.

Removal

A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.

Additional Windows ME/XP removal considerations

Variants

Variants

N/A

All Information

Overview -

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Aliases

• Backdoor.Win32.Cakl.b : Kaspersky

• Trojan.Cakl-1 : ClamAV

• Win32/Cakl trojan : Nod32

• Win32/ProcHide.C : CA Vet

Characteristics

Characteristics -

Backdoor-CZP is a Remote Access Trojan consisting of a server component, client component and a server editor component.

The characteristics of this Trojan with regards to the file names, port number used, etc will differ, depending on the way in which the attacker had configured it. Hence, this is a general description.

Server Component:

When the server component is executed, the Trojan drops the following files:

• %System%\ldapi32.exe
• %System%\ntcvx32.dll
• %System%\ntswrl32.dll
• %System%\vssms32.exe

In an attempt to make the dropped files harder to find, the files may their attributes changed to hidden and system.

Note: %System% is a variable location and refers to the windows system directory.

The following Registry entry is modified, so the Trojan runs on startup:

• Hkey_Local_Machine\Software\Microsoft\Windows\CurrentVersion
  \Run "vssms32"
  Data: C:\WINDOWS\System32\vssms32.exe

Once running, the server component connects to a predefined IP address on TCP port 15963, awaiting commands from the attacker using the client component.

Information such as the following may also be sent to the attacker:

• IP Address of the victim
• Port number the server is listening on
• Victim’s name
• Computer Name
• Date & Time

Client Component:

The client component runs on the attacker’s computer, and connects to the server component on the victim’s machine remotely.

The following are a list of some of the functions that are available to the attacker:

• Process Manager (List, kill running processes)
• File Manager (List, upload, download, delete)
• Registry Manager (Browse Registry, add, edit, delete keys)
• Windows Manager (Browse, close, maximize/minimize, rename)
• Get system information
• Extract passwords from machine
• Key logger
• Read/Modify contents of the clipboard
• Screen capture
• Pranks played on the victim (Hiding desktop icons, start button, taskbar, opening and closing CD-Rom)
• Desktop logoff, reboot or shutdown
• FTP-server, Telnet-Server
• Format drives

Server Editor Component:

The server editor component is used by the attacker to create the server component.

The editor component can be used to create a server with the following extensions:

• Bat
• Scr

The editor component is also used for the following:

• Change the Icon for the server created, to make it look legitimate
• Bind the server with another legitimate executable
• Change the IP address and the port number the Trojan has to connect to once running

Symptoms

Symptoms -

• Desktop firewall program alerting that a foreign program is trying to access the internet
• Presence of the files/Registry keys mentioned above
• Unexplained activity on the victim's machine indicative of someone having remote access via the client component
• The server component attempts to kill various processes (AV scanners, firewall products etc.)
  

Method of Infection

Method of Infection -

Trojans do not self-replicate. They spread manually, often under the premise that the executable is something beneficial.
Trojans may also be received as a result of poor security practices, or un-patched machines and vulnerable systems.
Distribution channels include IRC, peer-to-peer networks, email, newsgroups postings, etc.

Removal -

Removal -

A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.

Additional Windows ME/XP removal considerations

Variants

Variants -

N/A