Content

BackDoor-Icug

Type
Trojan
SubType
Remote Access
Discovery Date
06/19/2007
Length
Varies
Minimum DAT
5056 (06/19/2007)
Updated DAT
5076 (07/17/2007)
Minimum Engine
5.1.00
Description Added
06/19/2007
Description Modified
06/19/2007 4:34 AM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Tab Navigation

Characteristics

When this BackDoor Trojan is executed, it drops the following files:

  • %Temp%\clean_[random name].dll
  • %ProgramFiles%\Microsoft Shared\Web Folders\ibm00001.dll
  • %ProgramFiles%\Microsoft Shared\Web Folders\ibm00002.dll

The BackDoor then injects itself into all running process and creates a service named "NtmlSvc".

Given below are the modified registry entries for the created service:

  • Hkey_Local_Machine\System\ControlSet001\Services\NtmlSvc "Image Path"
    Data: %SystemRoot%\System32\svchost.exe -k netsvcs
  • Hkey_Local_Machine\System\ControlSet001\Services\NtmlSvc "Start"
    Data: 02
  • Hkey_Local_Machine\System\ControlSet001\Services\NtmlSvc "Type"
    Data: 10
  • Hkey_Local_Machine\System\ControlSet001\Services\NtmlSvc\Parameters "ServiceDll"
    Data: C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.dll

Note:

  • In an attempt to make the downloaded files harder to find, the files have their attributes changed to hidden and system
  • %ProgramFiles% and %Temp% are variable locations which refer to the program files folder and the
    temproary files folder respectively

Symptoms

Presence of files and registry entries mentioned are a good symptom of being infected by this BackDoor.

Method of Infection

This BackDoor Trojan is downloaded by Downloader-Icug. It does not self-replicate.

It could spread manually, however, under the premise that the executable is something beneficial. The Trojan may also be received as a result of poor security practices, or un-patched machines and vulnerable systems.

Distribution channels include IRC, peer-to-peer networks, email, newsgroups postings, etc.

Removal

A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.

Additional Windows ME/XP removal considerations

Variants

Variants

    N/A

All Information

Overview -

This description is for a BackDoor Trojan, which gets downloaded by Downloader-Icug.

The characteristics of this Trojan with regards to file names, folders created etc will differ depending on the way in which the attacker had configured it. Hence, this is a general description.

Characteristics

Characteristics -

When this BackDoor Trojan is executed, it drops the following files:

  • %Temp%\clean_[random name].dll
  • %ProgramFiles%\Microsoft Shared\Web Folders\ibm00001.dll
  • %ProgramFiles%\Microsoft Shared\Web Folders\ibm00002.dll

The BackDoor then injects itself into all running process and creates a service named "NtmlSvc".

Given below are the modified registry entries for the created service:

  • Hkey_Local_Machine\System\ControlSet001\Services\NtmlSvc "Image Path"
    Data: %SystemRoot%\System32\svchost.exe -k netsvcs
  • Hkey_Local_Machine\System\ControlSet001\Services\NtmlSvc "Start"
    Data: 02
  • Hkey_Local_Machine\System\ControlSet001\Services\NtmlSvc "Type"
    Data: 10
  • Hkey_Local_Machine\System\ControlSet001\Services\NtmlSvc\Parameters "ServiceDll"
    Data: C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.dll

Note:

  • In an attempt to make the downloaded files harder to find, the files have their attributes changed to hidden and system
  • %ProgramFiles% and %Temp% are variable locations which refer to the program files folder and the
    temproary files folder respectively

Symptoms

Symptoms -

Presence of files and registry entries mentioned are a good symptom of being infected by this BackDoor.

Method of Infection

Method of Infection -

This BackDoor Trojan is downloaded by Downloader-Icug. It does not self-replicate.

It could spread manually, however, under the premise that the executable is something beneficial. The Trojan may also be received as a result of poor security practices, or un-patched machines and vulnerable systems.

Distribution channels include IRC, peer-to-peer networks, email, newsgroups postings, etc.

Removal -

Removal -

A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.

Additional Windows ME/XP removal considerations

Variants

Variants -

    N/A