BackDoor-DJC
- Type: Trojan
- SubType: Remote Access
- Discovery Date: 08/09/2006
- Length:
- Minimum DAT: 4826 (08/10/2006)
- Updated DAT: 4889 (11/06/2006)
- Minimum Engine: 5.1.00
- Description Added: 08/10/2006
- Description Modified: 09/01/2006 5:29 AM (PT)
Characteristics
- Creates the following "Run" registry key for auto-restart on reboot:
  - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft VM: [path to executable]
- Searches for *.pbk files, which are commonly found in:
  - %ALLUSER%\Application Data\Microsoft\Network\Connections\Pbk\
  - %Sysdir%\Ras
  If a phone-book file is found, the trojan constantly tries to dial the numbers in it to create an internet connection through the modem.
- Tries to enumerate and collect the following system properties:
  - LOGONSERVER
  - HOMEDRIVE
  - HOMEPATH
  - CLIENTNAME
  - SESSIONNAME
  - APPDATA
  - HOMESHARE
- Constantly tries to download files from www.(removed)wo.net
- May connect to a proxy server based in Germany
- Can send mail; for this it uses an open-source sendmail program from the following website:
  - www.(removed)quit.com
- Can also take screenshots, capture keystrokes, and upload and download binary data.
- Masquerades as a Microsoft file; its file description contains the string "Windows NT-Befehlsprozessor"
- Listens on random TCP ports.
Symptoms
Presence of the aforementioned registry key and excessive network activity due to DNS queries.
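As an added defender-side check that is not part of the McAfee description, the PowerShell below looks for the indicators listed above on a Windows host: the "Microsoft VM" Run value, the masquerade file-description string on the executable that value points to, and phone-book files in the two locations the trojan searches. It assumes %ALLUSER% maps to $env:ALLUSERSPROFILE and %Sysdir% to %SystemRoot%\System32; the output format is the script's own choice.

```powershell
# Added example, not code from the McAfee description.
# Checks a host for the BackDoor-DJC indicators described on this page.
$runKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$valueName = 'Microsoft VM'           # value name from the description
$masqDesc  = 'Windows NT-Befehlsprozessor'  # FileDescription string from the description
$findings  = @()

# 1. Persistence: a Run value named "Microsoft VM" pointing at an executable.
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and ($run.PSObject.Properties.Name -contains $valueName)) {
    $exe = [string]$run.$valueName
    $findings += "Run value '$valueName' present: $exe"

    # 2. Masquerading: only the executable referenced by that Run value is inspected.
    #    A genuine German cmd.exe carries the same description, so the signal is the
    #    string appearing on a file launched from this Run value, not the string alone.
    $path = $exe.Trim('"')
    if (Test-Path -LiteralPath $path) {
        $desc = (Get-Item -LiteralPath $path).VersionInfo.FileDescription
        if ($desc -eq $masqDesc) {
            $findings += "File description matches masquerade string: $path"
        }
    }
}

# 3. Phone-book files in the locations the trojan searches (assumed env mapping:
#    %ALLUSER% -> $env:ALLUSERSPROFILE, %Sysdir% -> System32). Legitimate RAS setups
#    also keep .pbk files here, so this is context for the dialling behaviour, not proof.
$pbkDirs = @(
    (Join-Path $env:ALLUSERSPROFILE 'Application Data\Microsoft\Network\Connections\Pbk'),
    (Join-Path $env:SystemRoot 'System32\Ras')
)
foreach ($dir in $pbkDirs) {
    if (Test-Path -LiteralPath $dir) {
        Get-ChildItem -LiteralPath $dir -Filter '*.pbk' -ErrorAction SilentlyContinue |
            ForEach-Object { $findings += "Phone-book file reachable by the trojan: $($_.FullName)" }
    }
}

if ($findings.Count -eq 0) { 'No BackDoor-DJC indicators found.' } else { $findings }
```

Run it from an elevated prompt so the HKLM key and the Ras directory are readable; a hit on step 1 is the meaningful indicator, while steps 2 and 3 add context to triage it.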
Method of Infection
Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, etc.
Removal
AVERT recommends always using the latest DATs and engine. This threat will be cleaned if you have this combination.
Variants
N/A
Overview
This is a description of a backdoor trojan that attempts to dial through a modem to create an internet connection. It has the capability to capture keystrokes and send e-mails.