BackDoor-CKB!6708ddaf

Type: Trojan
SubType: Remote Access
Discovery Date: 05/19/2006
Length: Varies
Minimum DAT: 4767 (05/22/2006)
Updated DAT: 4767 (05/22/2006)
Minimum Engine: 5.1.00
Description Added: 05/19/2006
Description Modified: 05/19/2006 11:47 AM (PT)

Risk Assessment
Corporate User: Low
Home User: Low

Characteristics

Installation

Upon the opening of the malicious Microsoft Word document, an embedded Windows Portable Executable (PE) file may be saved onto the victim machine at the following location:

  • %Temp%\20060426.bak (BackDoor-CKB!6708ddaf)

(Where %Temp% is the Temporary directory, for example C:\Documents and Settings\User\Local Settings\Temp)

The trojan installs two DLLs to the WINDOWS SYSTEM directory:

  • %Sysdir%\zsyhide.dll (11264 bytes)
  • %Sysdir%\zsydll.dll (29696 bytes)

The zsydll.dll file is loaded via the Winlogon Notify method:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\zsydll
    dllname="%SYSTEMDIR%\zsydll.dll"

The zsyhide.dll file is loaded via the AppInit_DLLs method:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows
    AppInit_DLLs = %Sysdir%\zsyhide.dll

Through the AppInit_DLLs entry, zsyhide.dll is loaded into running processes.

Remote Access Functionality

Once running on the victim machine, the server component establishes HTTP communications with a remote server hosted on the following domain(s):

  • scfzf.xicp.net

This trojan provides an attacker with the capability to execute external commands on the victim machine.

Symptoms

Presence of the aforementioned files and registry keys.
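An added host audit script (not part of this McAfee entry) that checks a Windows machine for the files and registry entries listed above; it assumes administrative rights, treats %Sysdir% as $env:SystemRoot\System32 and %Temp% as $env:TEMP, and uses the byte counts from the description as expected sizes:

```powershell
# Added audit script; checks the indicators documented for BackDoor-CKB!6708ddaf.
# Assumptions: run as administrator; %Sysdir% = $env:SystemRoot\System32; %Temp% = $env:TEMP.
$sysdir   = Join-Path $env:SystemRoot 'System32'
$expected = @{}
$expected[(Join-Path $sysdir 'zsyhide.dll')]     = 11264   # size given in the description
$expected[(Join-Path $sysdir 'zsydll.dll')]      = 29696   # size given in the description
$expected[(Join-Path $env:TEMP '20060426.bak')]  = $null   # dropped PE, size varies

$findings = @()

# Dropped files: report presence, and note any size mismatch against the documented value.
foreach ($path in $expected.Keys) {
    if (Test-Path -LiteralPath $path -PathType Leaf) {
        $len = (Get-Item -LiteralPath $path).Length
        $note = ''
        if ($null -ne $expected[$path] -and $len -ne $expected[$path]) {
            $note = " (size $len differs from documented $($expected[$path]))"
        }
        $findings += "File present: $path$note"
    }
}

# Winlogon Notify persistence: the subkey name itself is the indicator.
$notify = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\zsydll'
if (Test-Path -LiteralPath $notify) {
    $dll = (Get-ItemProperty -LiteralPath $notify -ErrorAction SilentlyContinue).DLLName
    $findings += "Winlogon Notify subkey present: $notify (DLLName=$dll)"
}

# AppInit_DLLs persistence: the value may list several DLLs separated by spaces or
# commas, so match on the file name of each entry rather than on the whole string.
$windowsKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$appInit = (Get-ItemProperty -LiteralPath $windowsKey -ErrorAction SilentlyContinue).AppInit_DLLs
if ($appInit) {
    foreach ($entry in ($appInit -split '[ ,]+' | Where-Object { $_ })) {
        if ((Split-Path -Leaf $entry) -ieq 'zsyhide.dll') {
            $findings += "AppInit_DLLs references: $entry"
        }
    }
}

if ($findings.Count -eq 0) { 'No indicators from this description were found.' } else { $findings }
```

A clean result from this script only rules out these specific artifacts; detection with current engine and DAT files remains the authoritative check.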

Method of Infection

This specific variant is installed via exploiting a new Microsoft Word vulnerability that is currently under investigation.

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email, etc.

Removal

All Users:
Use current engine and DAT files for detection. Delete any file which contains this detection.

Variants

N/A

Overview

This trojan is known to have been used in a targeted attack involving a new Microsoft Word vulnerability that is currently under investigation. Backdoor trojans provide an attacker with a means to instruct an infected computer to take certain actions.