BackDoor-DNW

Type
Trojan
SubType
Remote Access
Discovery Date
03/20/2008
Length
Varies
Minimum DAT
5256 (03/20/2008)
Updated DAT
5634 (06/02/2009)
Minimum Engine
5.2.00
Description Added
03/20/2008
Description Modified
03/15/2009 11:11 PM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Characteristics

Upon execution, the trojan drops the following files:

  • %Systemdir%\WudfSvc.exe (Backdoor-DNW trojan)
  • %Systemdir%\fixmapi.dll (Backdoor-DNW trojan)
  • %Systemdir%\MSIMM.dll (Backdoor-DNW trojan)

The following registry value is added so that the trojan is launched at system startup:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run "WudfSvc" = "%Systemdir%\WudfSvc.exe"

It connects to the following site over port 80 and sends system information, including the computer name and OS version (the host name is redacted here):

  • [removed].lightsut.com
  • port : 80

The trojan then opens a backdoor with the following functions:

  • list files
  • provide remote shell (cmd.exe)
  • run programs

Symptoms

  • Existence of the Registry key described above
  • Outgoing traffic to the host [removed].lightsut.com port:80
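The two symptoms above translate directly into a host and network check. The following script is an added example (not McAfee's tooling or detection logic): it reads the Policies\Explorer\Run key on Windows, checks %SystemDir% for the three dropped files, and scans connection-log lines for traffic to the C2 domain on port 80. The log format, the constructed sample entries and the "xxxx" subdomain are assumptions for illustration; the page redacts the real host, so matching is done on the parent domain lightsut.com. The file check also relies on a fact not stated on the page: the legitimate Windows Driver Foundation user-mode service is WUDFSvc.dll hosted by svchost.exe, so a WudfSvc.exe in System32 is not a Windows file.

```python
"""Triage checks for the Backdoor-DNW indicators listed on this page.

Added example, not McAfee's code. Indicator values come from the page; the
log format and helper names are assumptions made for illustration.
"""
import ntpath
import os
import re
import sys

# Indicators taken from the page. The C2 host is redacted there ("[removed]"),
# so network matching is done on the parent domain.
RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
RUN_VALUE_NAME = "WudfSvc"
DROPPED_FILES = ("WudfSvc.exe", "fixmapi.dll", "MSIMM.dll")
C2_DOMAIN = "lightsut.com"
C2_PORT = 80


def check_run_key(values):
    """Flag autostart entries matching the trojan's persistence.

    `values` maps value-name -> data from the Policies\\Explorer\\Run key.
    Matches on the value name used by the sample or on any data that
    launches WudfSvc.exe, so a renamed value is still caught.
    """
    hits = []
    for name, data in values.items():
        if name.lower() == RUN_VALUE_NAME.lower() or "wudfsvc.exe" in str(data).lower():
            hits.append((name, data))
    return hits


def check_dropped_files(system_dir, exists=os.path.exists):
    """Return the dropped-file paths present under %SystemDir%.

    The legitimate Windows Driver Foundation service is WUDFSvc.dll hosted by
    svchost.exe, so a WudfSvc.exe in System32 is itself suspicious.
    """
    paths = [ntpath.join(system_dir, f) for f in DROPPED_FILES]
    return [p for p in paths if exists(p)]


# Assumed log format: "<timestamp> <src_ip> -> <dst_host>:<dst_port>"
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+->\s+(?P<dst>[^:\s]+):(?P<port>\d+)")


def scan_connections(lines):
    """Return (src, dst, port) for outbound connections to the C2 domain on port 80."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        dst = m.group("dst").lower().rstrip(".")
        port = int(m.group("port"))
        # Exact domain or a subdomain of it; "lightsut.com.example.net" must not match.
        if (dst == C2_DOMAIN or dst.endswith("." + C2_DOMAIN)) and port == C2_PORT:
            hits.append((m.group("src"), dst, port))
    return hits


def collect_live_run_key():
    """Read the real key on Windows; returns {} elsewhere or if the key is absent."""
    if sys.platform != "win32":
        return {}
    import winreg  # Windows-only module
    values = {}
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY) as key:
            i = 0
            while True:
                try:
                    name, data, _ = winreg.EnumValue(key, i)
                except OSError:  # no more values
                    break
                values[name] = data
                i += 1
    except FileNotFoundError:
        pass
    return values


# Constructed sample data for an offline run (not real telemetry).
SAMPLE_RUN_VALUES = {
    "WudfSvc": r"C:\WINDOWS\system32\WudfSvc.exe",
    "ctfmon": r"C:\WINDOWS\system32\ctfmon.exe",
}
SAMPLE_LOG = [
    "2008-03-20T10:00:01 10.0.0.15 -> update.microsoft.com:80",
    "2008-03-20T10:00:07 10.0.0.15 -> xxxx.lightsut.com:80",
    "2008-03-20T10:00:09 10.0.0.15 -> xxxx.lightsut.com:443",
    "2008-03-20T10:01:00 10.0.0.22 -> lightsut.com.example.net:80",
]

if __name__ == "__main__":
    live = collect_live_run_key() if sys.platform == "win32" else SAMPLE_RUN_VALUES
    print("run-key hits:", check_run_key(live))
    if sys.platform == "win32":
        print("dropped files:", check_dropped_files(os.path.join(os.environ["SystemRoot"], "system32")))
    print("C2 connections:", scan_connections(SAMPLE_LOG))
```

Run it on a suspect Windows host for the live registry and file checks; on any platform it exercises the matching logic against the constructed sample data. Only port-80 traffic to the domain is flagged because that is what the page describes; widen the port check if you have reason to believe the variant you are looking at differs.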

Method of Infection

Backdoor-DNW is dropped by the Exploit-TaroDrop.g trojan, which exploits a vulnerability in JustSystem Ichitaro.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be removed successfully when cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

    N/A

All Information

Overview -

BackDoor-DNW trojan provides remote access capabilities to an attacker by opening a backdoor on the compromised machine. The trojan is dropped by Exploit-TaroDrop.g, which exploits a vulnerability in JustSystem Ichitaro.
