McAfee > Theat Center > Virus Detail Page

Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Characteristics

BackDoor-DLY is usually dropped by MultiDropper-JD, which is detected proactively in 4410 DATs since November 24, 2004. When run, the following components are installed:

• %Windir%\cmflpr32.dll (BackDoor-DLY)
• %Windir%\drmclient32.dll (BackDoor-DLY)
• %Windir%\iasrecst.exe (MultiDropper-JD)

(Where %Windir% is the Windows folder; e.g. C:\Windows)

The following registry keys are also created to hook the malware to system startup:

• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\Microsoft Keyboard Enhance V2.0
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\ Microsoft Keyboard Enhance V2.0
  

This trojan can be used to remotely control the victim machine, as part of a malicious command and control network. When installed, it contacts a server using a series of domain names believed to be part of a fast flux network:

• http://{blocked}.imergeyou.com/{blocked}/weby6/settings.ini
• http://{blocked}.ifeelyou.info/{blocked}/weby6/remote.php
• http://{blocked}.iconnectyou.biz/{blocked}/weby6/settings.ini
• http://{blocked}.imergeyou.com/{blocked}/weby6/settings.ini
• http://{blocked}.ifeelyou.info/{blocked}/weby6/settings.ini
• http://{blocked}.boomlance.com/{blocked}/weby6/settings.ini

Domain names of a fast flux network can rapidly change. At the time of writing, the IP address(es) resolved to these domain names do not host the settings.ini. Such networks are often associated with phishing and spamming.

BackDoor-DLY  also attempts multiple connections to www.google.com to test for Internet connection availability.

Symptoms

• Presence of the mentioned files and registry keys.
• Unexpected connections to the mentioned domain name(s).

Method of Infection

This trojan is most likely installed on the victim machine via a downloader, or through a web exploit targeting Internet Explorer vulnerabilities.

Removal

All Users:
Use specified engine and DAT files for detection.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the current engine and the specified DATs (or higher). Older engines may not be able to remove all registry keys created by this threat.

Additional Windows ME/XP removal considerations

Variants

Variants

N/A

All Information

Overview -

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Characteristics

Characteristics -

BackDoor-DLY is usually dropped by MultiDropper-JD, which is detected proactively in 4410 DATs since November 24, 2004. When run, the following components are installed:

• %Windir%\cmflpr32.dll (BackDoor-DLY)
• %Windir%\drmclient32.dll (BackDoor-DLY)
• %Windir%\iasrecst.exe (MultiDropper-JD)

(Where %Windir% is the Windows folder; e.g. C:\Windows)

The following registry keys are also created to hook the malware to system startup:

• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\Microsoft Keyboard Enhance V2.0
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\ Microsoft Keyboard Enhance V2.0
  

This trojan can be used to remotely control the victim machine, as part of a malicious command and control network. When installed, it contacts a server using a series of domain names believed to be part of a fast flux network:

• http://{blocked}.imergeyou.com/{blocked}/weby6/settings.ini
• http://{blocked}.ifeelyou.info/{blocked}/weby6/remote.php
• http://{blocked}.iconnectyou.biz/{blocked}/weby6/settings.ini
• http://{blocked}.imergeyou.com/{blocked}/weby6/settings.ini
• http://{blocked}.ifeelyou.info/{blocked}/weby6/settings.ini
• http://{blocked}.boomlance.com/{blocked}/weby6/settings.ini

Domain names of a fast flux network can rapidly change. At the time of writing, the IP address(es) resolved to these domain names do not host the settings.ini. Such networks are often associated with phishing and spamming.

BackDoor-DLY  also attempts multiple connections to www.google.com to test for Internet connection availability.

Symptoms

Symptoms -

• Presence of the mentioned files and registry keys.
• Unexpected connections to the mentioned domain name(s).

Method of Infection

Method of Infection -

This trojan is most likely installed on the victim machine via a downloader, or through a web exploit targeting Internet Explorer vulnerabilities.

Removal -

Removal -

All Users:
Use specified engine and DAT files for detection.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the current engine and the specified DATs (or higher). Older engines may not be able to remove all registry keys created by this threat.

Additional Windows ME/XP removal considerations

Variants

Variants -

N/A