BackDoor-CWA.dr

Type: Trojan
SubType: Dropper
Discovery Date: 09/25/2006
Length: Varies
Minimum DAT: 4859 (09/25/2006)
Updated DAT: 5364 (08/19/2008)
Minimum Engine: 5.1.00
Description Added: 09/25/2006
Description Modified: 12/27/2006 11:14 PM (PT)

Risk Assessment
Corporate User: Low-Profiled
Home User: Low-Profiled

Characteristics

--- Updated December 27th, 2006:
BackDoor-CWA.dr has been deemed Low-Profiled due to media attention at http://www.informationweek.com/security/showArticle.jhtml?articleID=196702154

--- Updated December 24th, 2006:
A recent variant of BackDoor-CWA.dr was discovered in the wild with the filename Christmas+Blessing-4.ppt (1,085,440 bytes). This file attempts to exploit the Microsoft Office Malformed Routing Slip vulnerability (MS06-012).
---

The dropper has been seen in two forms. One is a plain executable file. The other is a PowerPoint (*.ppt) or Access database (*.mdb) file containing exploit and/or shell code that installs BackDoor-CWA when the document is opened.

The PowerPoint and Access documents encountered to date appear to pose as, or are derived from, presentations or database forms relating to the US Department of Defense (generally involving clerical or human resources issues). It is unclear whether this was intended as a targeted social engineering effort to achieve installations of BackDoor-CWA on computers within the US DoD, although that is a possibility.

The following are examples of some files encountered:

  • BenefitsEntitlements.ppt (109,568 bytes, MD5: 80DF44C785D821F51C686E547463824A)
  • AWMA2006brief.ppt (482,304 bytes, MD5: 43F54D65F885A2EBD2C11FC350ADDEB0)
  • AKO CAC Briefing Consolidated.ppt (87,040 bytes, MD5: 6D4282ECB877E7A2C6DD05371B2DB4BF)
  • NEW4836.mdb (289,309 bytes, MD5: 8ADFEEFD3AFFF8533F1ACE152E448224)
  • [name varies].exe (35,357 bytes, MD5: CC79DE8C4374BCF4958D91A53C40C035)
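The file names, sizes and MD5 values above are the indicators a responder would actually match on. The script below is an added example (not part of the McAfee description or its tooling) that transcribes that list into a lookup table and triages a directory against it. Only the hashes, sizes and extensions come from the description; the directory walk, the "confirmed"/"suspect" verdict scheme and the constructed sample files in `demo()` are assumptions of this example. A hash match is treated as confirmed; a file whose extension and exact byte length match a listed sample but whose hash differs is only flagged as suspect, since a variant can share a size without sharing a hash, and a size alone is far too noisy to act on.

```python
"""Added example: hash/size triage against the BackDoor-CWA.dr sample list.

Indicator values are transcribed from the description; everything else
(scan logic, verdict names, constructed demo files) is this example's own.
MD5 is used only because it is the hash the description publishes.
"""
import hashlib
import os
import tempfile
from typing import Dict, List, Tuple

# IoC table from the description: MD5 (uppercase hex) -> (size in bytes, reported filename).
BACKDOOR_CWA_DR_IOCS: Dict[str, Tuple[int, str]] = {
    "80DF44C785D821F51C686E547463824A": (109568, "BenefitsEntitlements.ppt"),
    "43F54D65F885A2EBD2C11FC350ADDEB0": (482304, "AWMA2006brief.ppt"),
    "6D4282ECB877E7A2C6DD05371B2DB4BF": (87040, "AKO CAC Briefing Consolidated.ppt"),
    "8ADFEEFD3AFFF8533F1ACE152E448224": (289309, "NEW4836.mdb"),
    "CC79DE8C4374BCF4958D91A53C40C035": (35357, "[name varies].exe"),
}

# Extensions the description associates with the dropper; used only for the weaker size check.
DROPPER_EXTENSIONS = (".ppt", ".mdb", ".exe")


def md5_hex(data: bytes) -> str:
    """Uppercase hex MD5 of a byte string, matching the description's casing."""
    return hashlib.md5(data).hexdigest().upper()


def classify_file(filename: str, data: bytes,
                  iocs: Dict[str, Tuple[int, str]] = BACKDOOR_CWA_DR_IOCS) -> Tuple[str, str]:
    """Return (verdict, matched_sample_name) for one file's content.

    "confirmed": MD5 matches a listed sample.
    "suspect":   extension and exact size match a listed sample but the MD5 differs
                 (possible variant; needs analyst review, not automatic action).
    "clean":     nothing matched.
    """
    digest = md5_hex(data)
    if digest in iocs:
        return "confirmed", iocs[digest][1]
    ext = os.path.splitext(filename)[1].lower()
    if ext in DROPPER_EXTENSIONS:
        for size, reported_name in iocs.values():
            if len(data) == size and os.path.splitext(reported_name)[1].lower() == ext:
                return "suspect", reported_name
    return "clean", ""


def scan_directory(root: str,
                   iocs: Dict[str, Tuple[int, str]] = BACKDOOR_CWA_DR_IOCS) -> List[Tuple[str, str, str]]:
    """Walk a directory tree and return (path, verdict, matched_sample) for every non-clean file.

    Files are read whole; the listed samples are all under 1.1 MB, so this is fine for triage.
    """
    findings: List[Tuple[str, str, str]] = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable file: skip rather than abort the whole scan
            verdict, detail = classify_file(fname, data, iocs)
            if verdict != "clean":
                findings.append((path, verdict, detail))
    return findings


def demo() -> List[Tuple[str, str, str]]:
    """Scan a constructed scratch directory; returns (basename, verdict, matched_sample) tuples."""
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed file: same size as the listed .exe dropper, made-up content -> "suspect".
        with open(os.path.join(tmp, "payroll_update.exe"), "wb") as fh:
            fh.write(b"\x90" * 35357)
        # Constructed benign file: same size but wrong extension -> must stay "clean".
        with open(os.path.join(tmp, "notes.txt"), "wb") as fh:
            fh.write(b"\x90" * 35357)
        # Constructed "known bad" file: its own hash is added to a copy of the table so the
        # confirmed path can be exercised without any real dropper bytes.
        known = b"constructed sample bytes, not the real dropper\n"
        test_iocs = dict(BACKDOOR_CWA_DR_IOCS)
        test_iocs[md5_hex(known)] = (len(known), "constructed-sample.ppt")
        with open(os.path.join(tmp, "HR_form.ppt"), "wb") as fh:
            fh.write(known)
        findings = scan_directory(tmp, test_iocs)
        for path, verdict, detail in sorted(findings):
            print(f"{verdict:9s} {os.path.basename(path)}  (matches {detail})")
        return [(os.path.basename(p), v, d) for p, v, d in sorted(findings)]


if __name__ == "__main__":
    demo()
```

Running `demo()` flags `payroll_update.exe` as suspect and `HR_form.ppt` as confirmed, and leaves `notes.txt` alone. In a real response the table would be fed from the vendor's current signature data rather than a hand-typed list, and a "suspect" verdict would route the file to an analyst instead of being deleted.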

Symptoms

The presence of any of the files or system changes listed in the BackDoor-CWA description may indicate that the dropper is or has been present on the system.

Method of Infection

Infection occurs when the user runs the executable or opens the Trojan document file containing BackDoor-CWA with the appropriate Office application. In the case of Office documents, an exploit (e.g. Exploit-PPT.d), possibly assisted by shell code, appears to be used to infect the host system.

Removal

All Users:
Use current engine and DAT files for detection. Delete any file that contains this detection.

Variants

N/A

Overview

This detection covers the droppers or installers for BackDoor-CWA.