BackDoor-DOE

Type: Trojan
SubType: Remote Access
Discovery Date: 03/31/2008
Length: Varies
Minimum DAT: 5264 (04/01/2008)
Updated DAT: 5264 (04/01/2008)
Minimum Engine: 5.1.00
Description Added: 03/31/2008
Description Modified: 03/31/2008 2:45 AM (PT)

Risk Assessment
Corporate User: Low
Home User: Low

Overview

This trojan is known to have been used in a targeted attack involving a patched Microsoft Excel vulnerability. Backdoor trojans provide an attacker with a means to instruct an infected computer to take certain actions.

Characteristics

This trojan is known to have been used in a targeted attack involving a patched Microsoft Excel vulnerability.

Upon opening the malicious Microsoft Excel spreadsheet, an embedded Windows Portable Executable (PE) file may be saved onto the victim machine at the following location(s):

  • X:\Recycled\IO.COM
  • X:\IO.COM

(Where X: is the Windows system drive letter; e.g. C:)

The following registry value is created to hook the trojan into system start-up:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "IMJPMIG" = "c:\recycler\IO.COM"

(Note that the Run value points at c:\recycler\IO.COM, whereas the drop locations listed above are X:\Recycled\IO.COM and X:\IO.COM. When hunting, check all three paths and inspect the value's data rather than relying on a single path. The value name resembles the legitimate Microsoft IME migration Run entry, so do not dismiss it on name alone.)

The trojan then drops and installs the following file(s):

  • X:\Documents and Settings\<USER>\User16.dll (BackDoor-DOE.dll)
  • X:\Documents and Settings\<USER>\Zipdg.dll (encrypted data file)

(Where <USER> is the currently logged-in user.)

The BackDoor-DOE.dll component (User16.dll) may be injected into, and executed within, arbitrary running process(es), so it need not appear as a process of its own; look for the DLL loaded from a user profile directory inside otherwise legitimate processes.

It then communicates over HTTP with at least the following domain(s)/address(es) (host labels and trailing octets are blocked in this entry):

  • {blocked}.vicp.net
  • {blocked}.vicp.net
  • 85.114.{blocked}

It may also attempt to disable security features of the following security product(s):

  • Kaspersky
  • Symantec
  • McAfee
  • Trend Micro
  • BitDefender


Symptoms

  • Presence of files/registry keys mentioned.
  • Unexpected network connections to the mentioned site(s).
  • Unexpected disabling of security product features.
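As an added example (not part of the McAfee entry), the PowerShell triage script below checks a host for the indicators listed above: the dropped IO.COM copies, the per-user User16.dll and Zipdg.dll, the IMJPMIG Run value, User16.dll loaded inside running processes, and traces of the vicp.net / 85.114 command-and-control endpoints. It substitutes $env:SystemDrive for "X:", treats every profile directory under Documents and Settings and Users as a possible <USER>, and takes the value name and network patterns exactly as reported here; no other indicators are implied. Run it in an elevated session.

```powershell
# Added triage script (not McAfee's): checks a host for the BackDoor-DOE
# indicators listed on this page. Run elevated. Assumptions: $env:SystemDrive
# stands in for "X:"; every profile under "Documents and Settings" and "Users"
# is a candidate <USER> directory (the page names only "Documents and Settings").
# Written for PowerShell 2.0 compatibility, since affected hosts are XP-era.

$sys  = $env:SystemDrive
$hits = @()

# 1. Dropped PE at the locations named on the page (drop paths and Run value data).
$dropPaths = @("$sys\Recycled\IO.COM", "$sys\IO.COM", "$sys\recycler\IO.COM")
foreach ($p in $dropPaths) {
    if (Test-Path -LiteralPath $p) { $hits += "File present: $p" }
}

# 2. Per-user components: User16.dll (backdoor DLL) and Zipdg.dll (encrypted data file).
$profileRoots = @("$sys\Documents and Settings", "$sys\Users") | Where-Object { Test-Path -LiteralPath $_ }
foreach ($root in $profileRoots) {
    $profiles = Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue | Where-Object { $_.PSIsContainer }
    foreach ($prof in $profiles) {
        foreach ($dll in 'User16.dll', 'Zipdg.dll') {
            $candidate = Join-Path $prof.FullName $dll
            if (Test-Path -LiteralPath $candidate) { $hits += "File present: $candidate" }
        }
    }
}

# 3. Run-key persistence: value name IMJPMIG under HKLM\...\CurrentVersion\Run.
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['IMJPMIG']) {
    $hits += "Run value IMJPMIG = $($run.IMJPMIG)"
}

# 4. The DLL is injected into other processes, so enumerate loaded modules
#    rather than process names. Protected processes deny enumeration; skip them.
foreach ($proc in Get-Process -ErrorAction SilentlyContinue) {
    try {
        foreach ($m in $proc.Modules) {
            if ($m.ModuleName -ieq 'User16.dll') {
                $hits += "User16.dll loaded in PID $($proc.Id) ($($proc.ProcessName)) from $($m.FileName)"
            }
        }
    } catch { }
}

# 5. C2 traces: cached DNS answers under vicp.net and live connections to 85.114.x.x.
#    The page blocks the host label and trailing octets, so these are leads to verify,
#    not confirmations on their own.
$dns = ipconfig /displaydns 2>$null | Select-String -Pattern 'vicp\.net'
foreach ($d in $dns) { $hits += "DNS cache: $($d.Line.Trim())" }
$net = netstat -ano 2>$null | Select-String -Pattern '\s85\.114\.\d+\.\d+:'
foreach ($n in $net) { $hits += "Connection: $($n.Line.Trim())" }

if ($hits.Count -eq 0) { "No BackDoor-DOE indicators found." } else { $hits }
```

A single hit from step 5 alone is weak evidence, because vicp.net is a shared dynamic-DNS domain and the 85.114 prefix is only two octets; treat those as prompts to pull the full DNS cache and connection table for the process IDs involved. A hit from steps 1 to 4 is strong, and the loaded-module check is the one that survives the attacker deleting the on-disk copies after injection.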

Method of Infection

This trojan is known to have been installed by exploiting a patched Microsoft Excel vulnerability.

Removal

All Users:
Use the specified engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be removed when cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

N/A
