BackDoor-DJF

Type: Trojan
SubType: Remote Access
Discovery Date: 08/17/2006
Length:
Minimum DAT: 4832 (08/18/2006)
Updated DAT: 4833 (08/21/2006)
Minimum Engine: 5.1.00
Description Added: 08/17/2006
Description Modified: 08/17/2006 9:48 PM (PT)

Risk Assessment
Corporate User: Low
Home User: Low

Characteristics

System Changes

Files Added

  • %SYSTEMDIR%\netlib32.dll
  • %SYSTEMDIR%\setups.bak
  • c:\documents and settings\all users\templates\wsws~6868.tmp
  • c:\documents and settings\%USER%\local settings\temp\b.bat

Registry

The following registry keys are created:

  • hkey_local_machine\system\currentcontrolset\services\capapi32
    errorcontrol="0"
    start="4"
    objectname="LocalSystem"
    deleteflag="1"
    displayname="CAPAPI32"
    imagepath="[path to binary]"
    type="16"

Symptoms

Connects to 218.82.250.189 and listens on port 8080 to receive commands from a remote user.
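The indicators above (dropped files, the CAPAPI32 service key, the remote address and listening port) are what a responder would sweep a host for. The following script is an added example, not part of the McAfee description: it checks constructed host data (a file listing, a reg query-style export of the Services key, and netstat-style lines) against those indicators. The system directory path, the user name "alice", and the sample ImagePath value are assumptions made for the demo; the real ImagePath is shown only as "[path to binary]" on the page.

```python
"""Added example: sweep host inventory data for BackDoor-DJF indicators.
All sample input below is constructed; it is not output from a real host."""
import re

# Indicators from the description. %SYSTEMDIR% and %USER% are McAfee's
# placeholders and are expanded here for path comparison.
SYSTEMDIR = r"c:\windows\system32"   # assumption: typical system directory
DROPPED_FILES = [
    r"%SYSTEMDIR%\netlib32.dll",
    r"%SYSTEMDIR%\setups.bak",
    r"c:\documents and settings\all users\templates\wsws~6868.tmp",
    r"c:\documents and settings\%USER%\local settings\temp\b.bat",
]
SERVICE_KEY = r"hkey_local_machine\system\currentcontrolset\services\capapi32"
C2_ADDRESS = "218.82.250.189"
LISTEN_PORT = 8080


def expand(path, user):
    """Fill in the placeholders and normalise case for comparison."""
    return path.replace("%SYSTEMDIR%", SYSTEMDIR).replace("%USER%", user).lower()


def check_files(file_listing, user):
    """Return the dropped-file paths that appear in a host file listing."""
    wanted = {expand(p, user) for p in DROPPED_FILES}
    return sorted(p for p in file_listing if p.lower() in wanted)


def parse_reg_query(text):
    """Parse 'reg query'-style text into {key: {value_name: data}}.
    Key lines are unindented; value lines are indented as NAME TYPE DATA."""
    result, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):
            current = line.strip().lower()
            result[current] = {}
        else:
            m = re.match(r"\s+(\S+)\s+REG_\w+\s+(.*)", line)
            if m and current is not None:
                result[current][m.group(1).lower()] = m.group(2).strip()
    return result


def check_service(reg):
    """Return the CAPAPI32 service ImagePath if the key exists, else None."""
    values = reg.get(SERVICE_KEY)
    if values is None:
        return None
    return values.get("imagepath", "")


def check_network(netstat_lines):
    """Return netstat lines showing the C2 address or a listener on 8080."""
    hits = []
    for line in netstat_lines:
        fields = line.split()          # PROTO LOCAL REMOTE STATE
        if len(fields) < 4:
            continue
        local, remote = fields[1], fields[2]
        if remote.startswith(C2_ADDRESS + ":") or local.endswith(f":{LISTEN_PORT}"):
            hits.append(line)
    return hits


def scan(file_listing, reg_text, netstat_lines, user):
    """Run all three checks and summarise whether any indicator matched."""
    files = check_files(file_listing, user)
    service = check_service(parse_reg_query(reg_text))
    network = check_network(netstat_lines)
    return {
        "files": files,
        "service_imagepath": service,
        "network": network,
        "infected": bool(files or service is not None or network),
    }


# Constructed sample data standing in for real host output.
SAMPLE_FILES = [
    r"C:\WINDOWS\system32\netlib32.dll",
    r"C:\WINDOWS\system32\kernel32.dll",
    r"C:\Documents and Settings\alice\Local Settings\Temp\b.bat",
]
SAMPLE_REG = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CAPAPI32
    Type          REG_DWORD      0x10
    Start         REG_DWORD      0x4
    ErrorControl  REG_DWORD      0x0
    ImagePath     REG_EXPAND_SZ  C:\WINDOWS\system32\netlib32.dll
    DisplayName   REG_SZ         CAPAPI32
    ObjectName    REG_SZ         LocalSystem
    DeleteFlag    REG_DWORD      0x1
"""
SAMPLE_NETSTAT = [
    "  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING",
    "  TCP    192.168.1.10:1043      218.82.250.189:80      ESTABLISHED",
    "  TCP    192.168.1.10:1044      10.0.0.5:445           ESTABLISHED",
]

if __name__ == "__main__":
    print(scan(SAMPLE_FILES, SAMPLE_REG, SAMPLE_NETSTAT, "alice"))
```

On a real machine the three inputs would come from a recursive directory listing, `reg query "HKLM\SYSTEM\CurrentControlSet\Services\CAPAPI32"` and `netstat -an`; the checks match on lower-cased paths because Windows paths are case-insensitive.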

Method of Infection

It is observed to be dropped by Exploit-TaroDrop, which exploits a vulnerability in Ichitaro Document Viewer.

Removal

AVERT recommends always using the latest DATs and engine. This threat will be cleaned if you have this combination.

Variants

    N/A

Overview

Backdoor-DJF is dropped by the Exploit-TaroDrop Trojan, which exploits a vulnerability in Ichitaro Document Viewer.

Aliases

  • Backdoor.Papi (Symantec)
