BackDoor-DNM
- Type: Trojan
- SubType: Remote Access
- Discovery Date: 02/21/2008
- Length: varies
- Minimum DAT: 5235 (02/21/2008)
- Updated DAT: 5809 (11/21/2009)
- Minimum Engine: 5.1.00
- Description Added: 02/21/2008
- Description Modified: 09/16/2008 8:04 AM (PT)
Risk Assessment
- Corporate User: Low-Profiled
- Home User: Low-Profiled
Overview
--- Update April 04, 2008 ---
The risk assessment of this threat was updated to Low-Profiled due to media attention at
http://www.darkreading.com/document.asp?doc_id=150052
This detection is for a BackDoor trojan that installs itself as a system service. The trojan also downloads additional malware programs from different websites.
Aliases
- Trojan-Downloader.Win32.Agent.ljx (F-Secure)
- Trojan-Downloader.Win32.Agent.ljx (Kaspersky)
- Win32/Agent.ETH (Nod32)
- WORM_NUCRP.GEN (Trend Micro)
Characteristics
Upon execution, this trojan copies itself into the %System32% folder as "CbEvtSvc.exe". It then launches the new executable as a new system service.
Files Added
- %System32%\CbEvtSvc.exe
Registry entries added
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\CbEvtSvc
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\CbEvtSvc\Enum
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\CbEvtSvc\Security
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CBEVTSVC "NextInstance"
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CBEVTSVC\0000 "Class" Data: LegacyDriver
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CBEVTSVC\0000 "ClassGUID" Data: {8ECC055D-047F-11D1-A537-0000F8753ED1}
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CBEVTSVC\0000 "ConfigFlags"
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CBEVTSVC\0000 "DeviceDesc" Data: CbEvtSvc
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CBEVTSVC\0000 "Legacy"
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CBEVTSVC\0000 "Service" Data: CbEvtSvc
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CBEVTSVC\0000\Control "*NewlyCreated*"
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CBEVTSVC\0000\Control "ActiveService" Data: CbEvtSvc
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CbEvtSvc "DisplayName" Data: CbEvtSvc
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CbEvtSvc "ErrorControl"
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CbEvtSvc "ImagePath" Data: %SystemRoot%\System32\CbEvtSvc.exe -k netsvcs
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CbEvtSvc "ObjectName"
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CbEvtSvc "Opt"
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CbEvtSvc "Start"
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CbEvtSvc "Type"
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CbEvtSvc\Enum "0" Data: Root\LEGACY_CBEVTSVC\0000
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CbEvtSvc\Enum "Count"
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CbEvtSvc\Enum "NextInstance"
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CbEvtSvc\Security "Security"
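The persistence entries above give a defender two things to look for: the literal service name and dropped file, and the shape of the ImagePath value, which runs the trojan's own binary with the "-k netsvcs" argument that svchost.exe uses to load a service group. The following script is an added example written for this page, not McAfee's own tooling: it checks service records against the advisory's indicators and, as a heuristic of its own (an assumption, not something the advisory states), flags any non-svchost binary carrying a "-k <group>" argument. The records are constructed in the shape of the values under HKLM\SYSTEM\CurrentControlSet\Services\<name>; "EvtHelper" is an invented name used only to show the heuristic firing on an unknown service.

```python
import ntpath
import re

# Host indicators taken from the BackDoor-DNM description (service name and
# dropped file). Comparison is case-insensitive, as Windows paths are.
KNOWN_SERVICE_NAMES = {"cbevtsvc"}
KNOWN_FILE_PATHS = {r"%systemroot%\system32\cbevtsvc.exe"}

# Constructed sample records (not exported from a real host) in the shape one
# would build from HKLM\SYSTEM\CurrentControlSet\Services\<name>.
# "EvtHelper" is an invented name; it exists only to exercise the heuristic.
SAMPLE_SERVICES = [
    {"name": "Dnscache",
     "ImagePath": r"%SystemRoot%\system32\svchost.exe -k NetworkService"},
    {"name": "CbEvtSvc",
     "ImagePath": r"%SystemRoot%\System32\CbEvtSvc.exe -k netsvcs"},
    {"name": "Spooler",
     "ImagePath": r"%SystemRoot%\System32\spoolsv.exe"},
    {"name": "EvtHelper",
     "ImagePath": r'"C:\Windows\System32\evt helper.exe" -k netsvcs'},
]

# "-k <group>" at the start of the argument string or after whitespace.
SVCHOST_GROUP_ARG = re.compile(r"(?:^|\s)-k\s+\S+", re.IGNORECASE)


def split_image_path(image_path):
    """Return (executable path, argument string) from an ImagePath value,
    honouring a quoted executable path that may contain spaces."""
    s = image_path.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        if end > 0:
            return s[1:end], s[end + 1:].strip()
        return s[1:], ""
    head, _, tail = s.partition(" ")
    return head, tail.strip()


def classify_service(record):
    """Return the list of reasons a service record looks suspicious (empty if none)."""
    reasons = []
    exe, args = split_image_path(record.get("ImagePath", ""))
    if record["name"].lower() in KNOWN_SERVICE_NAMES:
        reasons.append("service name matches BackDoor-DNM indicator")
    if exe.lower() in KNOWN_FILE_PATHS:
        reasons.append("ImagePath matches BackDoor-DNM dropped file")
    # Heuristic of this example (not from the advisory): "-k <group>" is the
    # argument form svchost.exe uses to load a service group, so another binary
    # carrying it is imitating a hosted service.
    if SVCHOST_GROUP_ARG.search(args) and ntpath.basename(exe).lower() != "svchost.exe":
        reasons.append("svchost-style '-k <group>' argument on non-svchost binary")
    return reasons


def scan_services(records):
    """Return [(service name, reasons)] for every record with at least one reason."""
    findings = []
    for record in records:
        reasons = classify_service(record)
        if reasons:
            findings.append((record["name"], reasons))
    return findings


if __name__ == "__main__":
    for name, reasons in scan_services(SAMPLE_SERVICES):
        print(f"{name}: {'; '.join(reasons)}")
```

On the constructed records the legitimate svchost-hosted Dnscache and the plain Spooler pass, CbEvtSvc is flagged on all three counts, and the invented EvtHelper is flagged by the heuristic alone. On a real host the records would come from the Services key; the heuristic is worth keeping after the specific indicators age out, since it does not depend on the trojan's name.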
After a long delay (~30 mins), this trojan downloads additional malware programs from different websites:
- http://digitaltreath.info/a[REMOVED].exe
- http://207.10.234.217/ldrctl/user/2[REMOVED].exe
- http://digitaltreath.info/d[REMOVED].exe
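Because the downloads happen roughly half an hour after execution, the network indicators above are the most practical way to spot an infected host from proxy or firewall logs after the fact. The advisory redacts the file names, so only the hosts and, for the IP address, the directory prefix can be matched. The script below is an added example for this page, not McAfee's code; the log lines are constructed (the file names in them are invented, and the field layout "<epoch> <client> <method> <url> <status>" is an assumption about the log format).

```python
from urllib.parse import urlsplit

# Network indicators from the BackDoor-DNM description. File names were
# redacted on the page, so host and directory prefix are all that is usable.
INDICATOR_HOSTS = {"digitaltreath.info", "207.10.234.217"}
INDICATOR_PATH_PREFIXES = {"207.10.234.217": ("/ldrctl/user/",)}

# Constructed proxy log (not real traffic). The file names are invented.
# Assumed layout: <epoch> <client ip> <method> <url> <status>
SAMPLE_LOG = """\
1203600001.123 10.0.0.15 GET http://www.example.com/index.html 200
1203601802.456 10.0.0.15 GET http://digitaltreath.info/aSAMPLE.exe 200
1203601803.001 10.0.0.15 GET http://207.10.234.217/ldrctl/user/2SAMPLE.exe 200
1203601900.777 10.0.0.22 GET http://207.10.234.217/other/page.html 404
1203602000.000 10.0.0.15 GET http://digitaltreath.info.example.net/x 200
"""


def match_indicators(url):
    """Return a reason string if the URL touches a BackDoor-DNM host, else None.
    Host comparison is exact, so a look-alike name under another zone
    (digitaltreath.info.example.net) does not match."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host not in INDICATOR_HOSTS:
        return None
    for prefix in INDICATOR_PATH_PREFIXES.get(host, ()):
        if parts.path.startswith(prefix):
            return "indicator host and path prefix"
    return "indicator host"


def scan_log(text):
    """Parse log lines in the assumed layout and return one dict per matching request."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # blank or malformed line
        ts, client, _method, url, _status = fields[:5]
        reason = match_indicators(url)
        if reason:
            hits.append({"time": float(ts), "client": client,
                         "url": url, "reason": reason})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['client']} {hit['url']} ({hit['reason']})")
```

Three of the constructed lines match: both downloads from 10.0.0.15 and the request from 10.0.0.22, which hits the indicator IP outside the /ldrctl/user/ prefix and is reported at the weaker "indicator host" level so an analyst can triage it separately. Matching on the exact host rather than a substring avoids false positives on unrelated names that merely contain the indicator.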
Symptoms
- Presence of files and registry entries mentioned.
Method of Infection
Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email, etc.
Removal
AVERT recommends always using the latest DATs and engine. This threat will be cleaned if you have this combination.
Additional Windows ME/XP removal considerations
Variants
N/A