Content

BackDoor-CZX

Type
Trojan
SubType
Remote Access
Discovery Date
05/24/2006
Length
34,119
Minimum DAT
4769 (05/24/2006)
Updated DAT
4769 (05/24/2006)
Minimum Engine
5.1.00
Description Added
05/24/2006
Description Modified
05/29/2006 2:27 AM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Tab Navigation

Characteristics

Upon execution, the trojan drops the following files.

%SYSTEMDIR%\abcedg.dll ( 19456 bytes )
%SYSTEMDIR%\stdole.tbl 

The following registry keys are created to install the dll as LSP (Layered Service Provider) to the TCP/IP protocol stack.

NOTE: The keys added under WinSock2\Parameters may vary in their numbering and/or values depending on the state of the LSP stack at the time of installation.

  • hkey_local_machine\system\currentcontrolset\services\winsock2
    \parameters\protocol_catalog9\catalog_entries\000000000001
    \packedcatalogitem="%SYSTEMDIR%\abcedg.dll"
  • hkey_local_machine\system\currentcontrolset\services\winsock2
    \parameters\protocol_catalog9\catalog_entries\000000000002
    \packedcatalogitem="(binary registry data)
  • hkey_local_machine\system\currentcontrolset\services\winsock2
    \parameters\protocol_catalog9\catalog_entries\000000000003
    \packedcatalogitem="(binary registry data)
  • hkey_local_machine\system\currentcontrolset\services\winsock2
    \parameters\protocol_catalog9\catalog_entries\000000000004
    \packedcatalogitem="(binary registry data)
  • hkey_local_machine\system\currentcontrolset\services\winsock2
    \parameters\protocol_catalog9\catalog_entries\000000000005
    \packedcatalogitem="(binary registry data)
  • hkey_local_machine\system\currentcontrolset\services\winsock2
    \parameters\protocol_catalog9\catalog_entries\000000000006
    \packedcatalogitem="(binary registry data)
  • hkey_local_machine\system\currentcontrolset\services\winsock2
    \parameters\protocol_catalog9\catalog_entries\000000000007
    \packedcatalogitem="(binary registry data)
  • hkey_local_machine\system\currentcontrolset\services\winsock2
    \parameters\protocol_catalog9\catalog_entries\000000000008
    \packedcatalogitem="(binary registry data)
  • hkey_local_machine\system\currentcontrolset\services\winsock2
    \parameters\protocol_catalog9\catalog_entries\000000000009
    \packedcatalogitem="(binary registry data)
  • hkey_local_machine\system\currentcontrolset\services\winsock2
    \parameters\protocol_catalog9\catalog_entries\000000000010
    \packedcatalogitem="(binary registry data)
  • hkey_local_machine\system\currentcontrolset\services\winsock2
    \parameters\protocol_catalog9\catalog_entries\000000000011
    \packedcatalogitem="(binary registry data)
  • hkey_local_machine\system\currentcontrolset\services\winsock2
    \parameters\protocol_catalog9\catalog_entries\000000000012
    \packedcatalogitem="(binary registry data)
  • hkey_local_machine\system\currentcontrolset\services\winsock2
    \parameters\protocol_catalog9\catalog_entries\000000000013
    \packedcatalogitem="(binary registry data)

 

The trojan connects 218.57.[Removed] at port 1443 and sends the system information such as CPU, IP address and UserName.

Then it connects the remote host at port 1444 and provide a remote shell.

Symptoms

  • Presence of mentioned registry keys and files

Method of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, etc. 

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

Variants

    N/A

All Information

Overview -

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Characteristics

Characteristics -

Upon execution, the trojan drops the following files.

%SYSTEMDIR%\abcedg.dll ( 19456 bytes )
%SYSTEMDIR%\stdole.tbl 

The following registry keys are created to install the dll as LSP (Layered Service Provider) to the TCP/IP protocol stack.

NOTE: The keys added under WinSock2\Parameters may vary in their numbering and/or values depending on the state of the LSP stack at the time of installation.

  • hkey_local_machine\system\currentcontrolset\services\winsock2
    \parameters\protocol_catalog9\catalog_entries\000000000001
    \packedcatalogitem="%SYSTEMDIR%\abcedg.dll"
  • hkey_local_machine\system\currentcontrolset\services\winsock2
    \parameters\protocol_catalog9\catalog_entries\000000000002
    \packedcatalogitem="(binary registry data)
  • hkey_local_machine\system\currentcontrolset\services\winsock2
    \parameters\protocol_catalog9\catalog_entries\000000000003
    \packedcatalogitem="(binary registry data)
  • hkey_local_machine\system\currentcontrolset\services\winsock2
    \parameters\protocol_catalog9\catalog_entries\000000000004
    \packedcatalogitem="(binary registry data)
  • hkey_local_machine\system\currentcontrolset\services\winsock2
    \parameters\protocol_catalog9\catalog_entries\000000000005
    \packedcatalogitem="(binary registry data)
  • hkey_local_machine\system\currentcontrolset\services\winsock2
    \parameters\protocol_catalog9\catalog_entries\000000000006
    \packedcatalogitem="(binary registry data)
  • hkey_local_machine\system\currentcontrolset\services\winsock2
    \parameters\protocol_catalog9\catalog_entries\000000000007
    \packedcatalogitem="(binary registry data)
  • hkey_local_machine\system\currentcontrolset\services\winsock2
    \parameters\protocol_catalog9\catalog_entries\000000000008
    \packedcatalogitem="(binary registry data)
  • hkey_local_machine\system\currentcontrolset\services\winsock2
    \parameters\protocol_catalog9\catalog_entries\000000000009
    \packedcatalogitem="(binary registry data)
  • hkey_local_machine\system\currentcontrolset\services\winsock2
    \parameters\protocol_catalog9\catalog_entries\000000000010
    \packedcatalogitem="(binary registry data)
  • hkey_local_machine\system\currentcontrolset\services\winsock2
    \parameters\protocol_catalog9\catalog_entries\000000000011
    \packedcatalogitem="(binary registry data)
  • hkey_local_machine\system\currentcontrolset\services\winsock2
    \parameters\protocol_catalog9\catalog_entries\000000000012
    \packedcatalogitem="(binary registry data)
  • hkey_local_machine\system\currentcontrolset\services\winsock2
    \parameters\protocol_catalog9\catalog_entries\000000000013
    \packedcatalogitem="(binary registry data)

 

The trojan connects 218.57.[Removed] at port 1443 and sends the system information such as CPU, IP address and UserName.

Then it connects the remote host at port 1444 and provide a remote shell.

Symptoms

Symptoms -

  • Presence of mentioned registry keys and files

Method of Infection

Method of Infection -

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, etc. 

Removal -

Removal -

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

Variants -

    N/A