BackDoor-DOM
Type: Trojan
SubType: Remote Access
Discovery Date: 04/18/2008
Length:
Minimum DAT: 5277 (04/18/2008)
Updated DAT: 5918 (03/12/2010)
Minimum Engine: 5.2.00
Description Added: 04/18/2008
Description Modified: 10/07/2008 2:10 AM (PT)
Characteristics
This detection is for a Backdoor remote access Trojan.
The Trojan is dropped by Backdoor-DOM.DR, a specially crafted PDF document that carries the Backdoor-DOM trojan embedded within it.
The dropper, UPCOMING_CONFERENCE_LIST.PDF (Backdoor-DOM.DR), when opened causes vulnerable versions of Adobe Acrobat Reader to crash, passing control to the trojan.
The trojan hooks the system by adding itself to:
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
The Trojan uses Microsoft-sounding file names such as the following:
WIUPDATE.EXE
WINSRV.EXE
WINDOWS.HLP
AcroRD32.EXE
These are typically dropped into the directory c:\windows\system32.
It also drops a temporary file, which is then renamed to SVCHost.exe, and injects itself into SERVICES.EXE. This is detected as Backdoor-DOM!MEM by an On Demand Scan if it is running in memory.
The trojan then opens a connection to news.fei[removed]obe.com.
Symptoms
Presence of the aforementioned files or registry entries.
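The following PowerShell triage script is an added example, not part of McAfee's write-up: it checks a host for the symptoms listed above (the four file names in System32, Winlogon values that reference them, and an svchost.exe running from an unexpected path). The description does not say which Winlogon value the trojan writes, so every value under the key is inspected; which value that is remains an assumption.

```powershell
# Added triage script for the indicators described above; it is not part of the
# McAfee write-up. The file names and the Winlogon key come from the description.
# The page does not name the Winlogon value used, so every value under the key is
# inspected. Run as administrator so that process paths are visible.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$names    = @('WIUPDATE.EXE', 'WINSRV.EXE', 'WINDOWS.HLP', 'AcroRD32.EXE')
$sys32    = Join-Path $env:SystemRoot 'System32'
$findings = New-Object System.Collections.Generic.List[object]

# 1. Files with the masquerading names inside System32. AcroRD32.exe is a real
#    Adobe Reader binary, but it belongs under Program Files, never in System32.
foreach ($n in $names) {
    $path = Join-Path $sys32 $n
    if (Test-Path -LiteralPath $path) {
        $f = Get-Item -LiteralPath $path
        $findings.Add([pscustomobject]@{
            Type = 'File'; Indicator = $path
            Detail = "$($f.Length) bytes, last written $($f.LastWriteTime)"
        })
    }
}

# 2. Winlogon values (Shell, Userinit, or any other) that reference those names.
$props = Get-ItemProperty -Path $winlogon -ErrorAction SilentlyContinue
if ($props) {
    foreach ($p in $props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }) {
        $value = [string]$p.Value
        foreach ($n in $names) {
            if ($value -match [regex]::Escape($n)) {      # -match is case-insensitive
                $findings.Add([pscustomobject]@{
                    Type = 'Registry'; Indicator = "$winlogon\$($p.Name)"; Detail = $value
                })
            }
        }
    }
}

# 3. svchost.exe running from anywhere other than System32 (the description says
#    a temporary file is renamed to SVCHost.exe). SysWOW64 is legitimate on x64.
$legit = @("$sys32\svchost.exe", (Join-Path $env:SystemRoot 'SysWOW64\svchost.exe'))
Get-Process -Name svchost -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -and ($legit -notcontains $_.Path) } |
    ForEach-Object {
        $findings.Add([pscustomobject]@{
            Type = 'Process'; Indicator = "svchost.exe PID $($_.Id)"; Detail = $_.Path
        })
    }

if ($findings.Count -eq 0) { 'No Backdoor-DOM indicators found.' } else { $findings | Format-Table -AutoSize }
```

A hit on any of the three checks is a reason to run the On Demand Scan mentioned above, since the injected copy in SERVICES.EXE is only detected in memory.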
Method of Infection
Spammed PDF exploit.
Removal
All Users:
Use current engine and DAT files for detection and removal.
Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).
Variants
N/A
Overview
This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.