BackDoor-DKI

Type: Trojan
SubType: Remote Access
Discovery Date: 12/13/2006
Length: varies
Minimum DAT: 4918 (12/13/2006)
Updated DAT: 5296 (05/15/2008)
Minimum Engine: 5.1.00
Description Added: 12/13/2006
Description Modified: 04/06/2007 7:46 AM (PT)

Risk Assessment
Corporate User: Low
Home User: Low

Characteristics

-- Update: April 6, 2007 ---

Upon execution, the trojan drops a copy of itself as the following file:

  • %Windir%\System32\com.exe

It also adds the following registry key, whose StubPath value launches the dropped file at logon:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{04F4BA85-A3C7-4235-0200-060204060705}
    "StubPath" = %Windir%\System32\com.exe

The trojan connects to the following site:

  • nimabi.servebeer.com

-----------------------------------------------------

BackDoor-DKI trojan provides remote access capabilities to an attacker by opening a backdoor on the compromised machine. This trojan spawns an iexplore.exe process which is responsible for opening the backdoor.

On execution, variants of this trojan create a copy of themselves in %SystemDir% with names such as:

    • scvchost.exe
    • ServPro.exe
    • winhelp.ex

To activate on every reboot, trojan variants register themselves under the following registry key:

    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components

It creates a mutex with the name ")!VoqA.I4".

The trojan logs keystrokes on the infected machine and stores them in a file. Though the file name and location vary between variants, some variants are known to store it as %systemdir%\scvchost.

It also writes into the memory of the explorer.exe process, causing it to spawn an iexplore.exe process that opens a backdoor to accept commands and send the stolen information. It may try to connect to one of the following hosts:

    • waigua88812.3322.org
    • lovequintet.com
    • just4try.no-ip.org

Symptoms

  • existence of mentioned file(s) and registry key(s)
  • connections to the mentioned remote hosts
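The two symptoms above (the dropped files and registry key, and connections to the listed hosts), together with the mutex name from the Characteristics section, can be checked offline against artefacts collected from a host. The following triage script is an added example and is not part of the AVERT description: the file names, the Active Setup GUID, the mutex name and the hostnames are the indicators given on this page, while the DNS log layout, the registry snapshot, the benign entries and the placeholder GUIDs are constructed for illustration. It goes slightly beyond the page in one respect: a hostname is flagged if it is a listed host or any subdomain of one.

```python
"""Offline triage helpers for the BackDoor-DKI indicators in this description.

Added example, not part of the AVERT description. The file names, the Active
Setup GUID, the mutex name and the hostnames are the indicators listed on the
page; the log format, the registry snapshot and the benign entries below are
constructed for illustration.
"""
import re

# Indicators taken from the description.
C2_HOSTS = {
    "nimabi.servebeer.com",
    "waigua88812.3322.org",
    "lovequintet.com",
    "just4try.no-ip.org",
}
DROPPED_NAMES = {"com.exe", "scvchost.exe", "servpro.exe", "winhelp.ex"}
ACTIVE_SETUP_GUID = "{04F4BA85-A3C7-4235-0200-060204060705}"
MUTEX_NAME = ")!VoqA.I4"

# Hostname-like tokens in a log line. The log layout itself is an assumption;
# adapt the pattern to the DNS or proxy log you actually have.
_HOST_RE = re.compile(r"\b([a-z0-9-]+(?:\.[a-z0-9-]+)+)\b", re.IGNORECASE)


def matches_c2(host):
    """True for a listed host or any subdomain of it (slightly broader than the
    page, which lists exact names); case and a trailing dot are ignored."""
    host = host.lower().rstrip(".")
    return any(host == c2 or host.endswith("." + c2) for c2 in C2_HOSTS)


def scan_dns_log(lines):
    """Return (line_number, host) for each line that names a listed C2 host."""
    hits = []
    for number, line in enumerate(lines, 1):
        for host in _HOST_RE.findall(line):
            if matches_c2(host):
                hits.append((number, host.lower().rstrip(".")))
                break
    return hits


def _stub_basename(stub_path):
    """File name of the executable a StubPath value launches, lower-cased."""
    stub_path = stub_path.strip()
    if not stub_path:
        return ""
    if stub_path.startswith('"'):
        exe = stub_path[1:].split('"', 1)[0]  # quoted path, may contain spaces
    else:
        exe = stub_path.split()[0]            # unquoted: first token is the path
    return exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_active_setup(components):
    """components: {GUID: StubPath} exported from
    HKLM\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components.
    Returns (GUID, [reasons]) for the GUID named in the description and for
    any StubPath that launches one of the dropped-file names."""
    findings = []
    for guid, stub_path in components.items():
        reasons = []
        if guid.upper() == ACTIVE_SETUP_GUID.upper():
            reasons.append("GUID listed for BackDoor-DKI")
        name = _stub_basename(stub_path)
        if name in DROPPED_NAMES:
            reasons.append("StubPath launches dropped-file name " + name)
        if reasons:
            findings.append((guid, reasons))
    return findings


def check_mutexes(observed_names):
    """True if the mutex from the description is among the observed names
    (for example from a handle listing taken on the host)."""
    return MUTEX_NAME in set(observed_names)


# Constructed sample data: none of these lines come from a real host.
SAMPLE_DNS_LOG = [
    "2007-04-06 09:12:01 client 10.0.0.15 query A www.example.com",
    "2007-04-06 09:12:07 client 10.0.0.15 query A nimabi.servebeer.com",
    "2007-04-06 09:13:40 client 10.0.0.22 query A time.example.net",
    "2007-04-06 09:14:02 client 10.0.0.15 query A JUST4TRY.NO-IP.ORG.",
]
SAMPLE_ACTIVE_SETUP = {
    # placeholder GUIDs; only the second entry's GUID is from the description
    "{00000000-0000-0000-0000-000000000001}": "C:\\WINDOWS\\system32\\regsvr32.exe /s example.dll",
    "{04F4BA85-A3C7-4235-0200-060204060705}": "%Windir%\\System32\\com.exe",
    "{00000000-0000-0000-0000-000000000002}": '"C:\\Program Files\\Tools\\ServPro.exe" /background',
}

if __name__ == "__main__":
    for number, host in scan_dns_log(SAMPLE_DNS_LOG):
        print("line %d resolves C2 host %s" % (number, host))
    for guid, reasons in check_active_setup(SAMPLE_ACTIVE_SETUP):
        print(guid, "->", "; ".join(reasons))
    print("mutex present:", check_mutexes([")!VoqA.I4", "Global\\Example"]))
```

Feed `scan_dns_log` the lines of your own resolver or proxy log, `check_active_setup` a dictionary built from an export of the Installed Components key, and `check_mutexes` the mutex names from a handle listing; a hit on any of the three is a reason to pull the host for the full file and registry check described above.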

Method of Infection

Trojans do not self-replicate. They spread manually, often under the premise that the executable is something beneficial. Trojans may also be received as a result of poor security practices, or un-patched machines and vulnerable systems. Distribution channels include IRC, peer-to-peer networks, email, newsgroups postings, etc.

Removal

AVERT recommends always using the latest DATs and engine. This threat will be cleaned if you have this combination.

Additional Windows ME/XP removal considerations

Overview

-- Update: April 6, 2007 ---

The most recent variant is downloaded by the BackDoor-DKI.dldr trojan, which is embedded in a crafted JustSystem Ichitaro document exploiting a zero-day vulnerability (Exploit-TaroDrop trojan).

BackDoor-DKI trojan provides remote access capabilities to an attacker by opening a backdoor on the compromised machine. This trojan spawns an iexplore.exe process which is responsible for opening the backdoor.

Variants

    N/A