McAfee > Theat Center > Virus Detail Page

Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

File Information:

• MD5 - DC70B8332CA388119D24AEE308F8D35A
• SHA1 - B606003CCD07BC2A8B3BBB64575C611288E43D08

Aliases:

• Kaspersky - Trojan.Win32.Buzus.cqdp
• Microsoft - VirTool:Win32/VBInject.gen!DP
• TrendMicro - WORM_PALEVO.AP
• Ikarus - Trojan.Win32.Buzus

 

Characteristics

--------------Updated on August 11, 2010----------------------

File Information

• MD5  -  F5EBD99DB047D73A3C0E8B31B9E9BFC9
• SHA  - 3A1AC775A2CA451F28E81563FCD38DFA4F28F8A2

Aliases

• Ikarus        - Worm.Win32.Prolaco
• NOD32     - Win32/Merond.O
• Kaspersky - P2P-Worm.Win32.BlackControl.d
• Microsoft   - Worm:Win32/Prolaco.gen!C

When executed, the Trojan connects to the IP address 220.225.[Removed].85 through the remote port 53.

Upon execution, the Trojan drops the following files:

• %Appdata%\SystemProc\lsass.exe [Detected as W32/Routrobot.worm]
• %ProgramFiles%\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome\content\timer.xul
• %ProgramFiles%\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\install.rdf
• %ProgramFiles%\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome.manifest

And also the Trojan copies itself into the following location:

• %WinDir%\system32\HPWuSchd8.exe [Hidden] [Detected as BackDoor-DOQ]

This Trojan also spreads by copying itself into the following shared folders of Peer-2-Peer Applications.

• %ProgramFiles%\LimeWire\Shared\
• %ProgramFiles%\Grokster\My Grokster\
• %ProgramFiles%\Morpheus\My Shared Folder\

The Trojan creates copies of itself in the above mentioned folders by enticing the following files:

• K-Lite Mega Codec v5.5.1.exe
• YouTubeGet 5.4.exe
• Windows 2008 Enterprise Server VMWare Virtual Machine.exe
• K-Lite Mega Codec v5.6.1 Portable.exe
• Adobe Photoshop CS4 crack.exe
• VmWare 7.0 keygen.exe
• WinRAR v3.x keygen RaZoR.exe
• Twitter FriendAdder 2.1.1.exe
• PDF Unlocker v2.0.3.exe
• Image Size Reducer Pro v1.0.1.exe
• Anti-Porn v13.5.12.29.exe
• Norton Internet Security 2010 crack.exe
• Kaspersky AntiVirus 2010 crack.exe
• PDF-XChange Pro.exe
• Windows 7 Ultimate keygen.exe
• RapidShare Killer AIO 2010.exe
• Ashampoo Snap 3.02.exe
• Blaze DVD Player Pro v6.52.exe
• Adobe Illustrator CS4 crack.exe
• Rapidshare Auto Downloader 3.8.exe
• Trojan Killer v2.9.4173.exe
• PDF to Word Converter 3.0.exe
• Google SketchUp 7.1 Pro.exe
• McAfee Total Protection 2010.exe
• Mp3 Splitter and Joiner Pro v3.48.exe
• Youtube Music Downloader 1.0.exe
• Adobe Acrobat Reader keygen.exe
• VmWare keygen.exe
• AnyDVD HD v.6.3.1.8 Beta incl crack.exe
• Ad-aware 2010.exe
• BitDefender AntiVirus 2010 Keygen.exe
• Norton Anti-Virus 2010 Enterprise Crack.exe
• Total Commander7 license+keygen.exe
• LimeWire Pro v4.18.3.exe
• Download Accelerator Plus v9.exe
• Internet Download Manager V5.exe
• Myspace theme collection.exe
• Nero 9 9.2.6.0 keygen.exe
• Motorola, nokia, ericsson mobil phone tools.exe
• Absolute Video Converter 6.2.exe
• Daemon Tools Pro 4.11.exe
• Download Boost 2.0.exe
• Avast 4.8 Professional.exe
• Grand Theft Auto IV (Offline Activation).exe
• Alcohol 120 v1.9.7.exe
• CleanMyPC Registry Cleaner v6.02.exe
• Super Utilities Pro 2009 11.0.exe
• Power ISO v4.2 + keygen axxo.exe
• G-Force Platinum v3.7.5.exe
• Divx Pro 7 + keymaker.exe
• Magic Video Converter 8 0 2 18.exe
• Sophos antivirus updater bypass.exe
• DVD Tools Nero 10.5.6.0.exe
• Winamp.Pro.v7.33.PowerPack.Portable+installer.exe
• PDF password remover (works with all acrobat reader).exe
• Microsoft.Windows 7 ULTIMATE FINAL activator+keygen x86.exe
• Windows2008 keygen and activator.exe
• Tuneup Ultilities 2010.exe
• Kaspersky Internet Security 2010 keygen.exe
• Windows XP PRO Corp SP3 valid-key generator.exe
• Starcraft2 Patch v0.2.exe
• Starcraft2 keys.txt.exe
• Starcraft2 Crack.exe
• Starcraft2 Oblivion DLL.exe
• Starcraft2.exe

The following registry keys have been added to the system.

• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
• HKEY_LOCAL_MACHINE\SOFTWARE\HP8
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
• HKEY_CURRENT_USER\S-1-(Varies)\Software\HP8

The following registry values have been added.

• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\]
  “%WinDir%\System32\HPWuSchd8.exe” ="%WinDir%\System32\HPWuSchd8.exe:*:Enabled:Explorer"
• [HKEY_LOCAL_MACHINE \SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\]
  “RTHDBPL” = %Appdata%\SystemProc\lsass.exe
• [HKEY_CURRENT_USER\S-1-(Varies\Software\Microsoft\Windows\CurrentVersion\Run\]
  “HP Software Updater8” = "%WinDir%\System32\HPWuSchd8.exe"

The above mentioned registries ensure that, the malware binary registers itself with the compromised system and executes itself on every reboot.

• [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\]
  "EnableLUA" = "0x00000000"

The above regisstry entry confirms that, the Trojan disables the "administrator in Admin Approval Mode" user type.

The following registry values have been modified:

• [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ERSvc\]
   "Start:" = "0x00000004"
• [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wscsvc\]
   "Start:" = "0x00000004"
• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ERSvc\]
  "Start:" = "0x00000004"
• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\]
  "Start:" = "0x00000004"

The above mentioned registry entry confirms that, the Trojan disables the Error Reporting Service (ERSvc) and Windows Security Center Service (wscsvc).

Also, this Trojan injects its malicious code into svchost.exe and connects to the IP address 202.54.[Removed].60 through a remote port 53.

 [Where %WinDir% is the default Windows directory, for example C:\WINNT, C:\WINDOWS etc,       %Appdata% is Application Data folder and %Programfiles% is C:\Program Files\.]

 

--------------Updated on August 06, 2010----------------------

• MD5 - ED8F4F1EA334E50F17DEEDA0155CFEDE
• Filesize - 143401 bytes

This backdoor provides an attacker with unauthorized remote access to the compromised computer. An attacker can gain control over the compromised computer and use it to send spam or install further malware.

Upon execution, the Trojan copies itself into the following location :

•  %System%\traymgr.exe  [Detected as Backdoor-DOQ]

 The following registry values are added to launch the trojan at system startup :

• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run "MicrosoftCorp"
   %System%\traymgr.exe H
• KEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "MicrosoftNAPC"
   %System%\traymgr.exe

*Note: %System% is a variable that refers to the System folder. (C:\Windows\System32 (Windows XP))

Process Information :
Process running in the name of "Traymgr.exe" and this is also hooked on to several other processes such as csrss.exe and lsass.exe

 

Symptoms :
Connects to the below mentioned server

• legion014.com

Once the trojan connects to the server, a remote attacker can spam itself using instant messenger (MSN). With complete control over the compromised computer, a remote attacker can use it to execute further commands specified by attacker.

  ---------Updated on August 05, 2010----------------------

File Information

MD5 - 17751B2B8344EC0B790695C0A64E48E2 SHA - 8508CE2FF2A45EA3088D5EEF5E9FFE2C7BF761FA

Aliases

• AVG - BackDoor.Hupigon5.ANIX
• Ikarus - Trojan.Win32.Agent
• Kaspersky - Trojan.Win32.Agent.djvq
• Microsoft - Backdoor:Win32/Hupigon.XD

Upon execution, the Trojan copies itself into the following location:

• %Windir%\system32\traymgr.exe (Hidden) [Detected as BackDoor-DOQ]
• [Removable Drive]:\ice\fire\traymgr.exe (Hidden) [Detected as BackDoor-DOQ]

And drop the following files:

• [Removable Drive]:\auTORUN.inf (Hidden) %SYSTEMDRIVE%\ice\fire\Desktop.ini (Hidden)

The following folders have been added into the system:

• [Removable Drive]:\ice\fire

This Trojan also attempts to create an autorun.inf file on the root of any accessible disk volumes.

The file "AutoRun.inf" is pointing to the malware binary executable. When the removable or networked drive is accessed from a machine supporting the Autorun feature, the malware is launched automatically.

The autorun.inf is configured to launch the Trojan file via the following command syntax.

[autorun[ [autorun] open=ice\fire\traymgr.exe icon=%SystemRoot%\system32\SHELL32.dll,4 action=Open folder to view files UseAuTOPLAY=1 shell\\open\\command=ice\fire\traymgr.exe shell\\Explore\\Command=ice\fire\traymgr.exe

The following registry values have been added to the system.

• [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\]
  “MicrosoftCorp” = "%Windir%\system32\traymgr.exe"
• [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\]
  “MicrosoftNAPC” = "%Windir%\system32\traymgr.exe"

The above mentioned registry ensures that, the worm registers itself with the compromised system and execute itself upon every boot.

A remote attacker can use the Trojan to perform various tasks:

Gather system information Run IRC commands (PING, NICK, NOTICE, JOIN)

When the user is compromised, the malware binary connect to the IRC channels. Once the malware connects to the IRC server, it can take complete control over the compromised computer. A remote attacker can use it to execute malicious commands.It would also join an IRC channel to receive the following commands from the attacker:

ddos.supersyn ddos.stop dl.start dl.stop update.start msn.spread msn.msg msn.stats msn.addcontact

This Trojan also connects to the following domain address:

• server.l[Removed]n014.com

To mark the presence in the system, the following Mutex object was created:

• 7C48xX92D

[%WinDir% = \WINDOWS (Windows 9x/ME/XP/Vista), \WINNT (Windows NT/2000)] 

--------------------------------------------------------------------------------------------------------

---------------------Updated on May 20, 2010--------------------------------

BackDoor-DOQ is a backdoor that allows unauthorized access and control of a compromised computer to the remote attacker. This malware then opens a backdoor server that allows other computers to connect to the compromised user and control it in from the remote.

When executed, the following registry entry was created:

• [HKEY_LOCAL_MACHINE \SOFTWARE\Microsoft\Windows\CurrentVersion\Run\]
• MSN: %WinDir%\system.exe"

The above mentioned registry entry confirms that the malware binary is executed every time the system boots.

When executed the malware binary connects to the following site using remote port 80.

• 1.justca[removed].info

          

When the user is compromised, the malware binary connect to the IRC channels. Once the malware connects to the IRC server, it can take complete control over the compromised computer. A remote attacker can use it to execute malicious commands.

When executed the malware binary copies itself to the following system location:

• %WinDir%\system.exe

This malware binary also monitors for removable drives. When a removable drive is inserted into any compromised system the malware spreads by copying itself into that removable media connected to the compromised system and creates an "autorun.inf" file to execute itself whenever the device is connected to another system.

         

From the above screenshot, it’s clear that the malware copies itself to the removable drive in the following location.

• %RemovableDrive%\ SERVICES\SYSTEM\autorunme.exe
• %RemovableDrive%\AutORuN.inf

%WinDir% = \WINDOWS (Windows 9x/ME/XP/Vista), \WINNT (Windows NT/2000) %SystemDir% = \WINDOWS\SYSTEM (Windows 98/ME), \WINDOWS\SYSTEM32 (Windows XP/Vista), \WINNT\SYSTEM32 (Windows NT/2000) %ProgramFiles% = \Program Files, %SystemDrive% = Driver in which the Operating System is installed mostly C:\, %RemovableDrive% = Removable drive inserted into the system

<?xml:namespace prefix = o ns = "urn:schemas-microsoft-com:office:office" /><o:p></o:p>

------------------------------------------------------------------------------------------------

When run, this backdoor Trojan deletes itself and creates a process called msile.exe. msile.exe establishes an outbound connection with a remote server using IRC as follows:

PASS h4xg4ng NICK [00-USA-XP-9714670] USER SP2-ojd, followed by the name of the computer

The Trojan drops msile.exe into %windir%\system\. msile.exe is detected under the same name, BackDoor-DOQ. In addition, the Trojan drops a sysdrv32.sys file into %windir%\system32\drivers\. This file is detected as Generic Rootkit.g. Here %windir% is the Windows directory, in most cases, C:\Windows.

The Trojan creates the following registry keys to install msile.exe and sysdrv32.sys as system services:

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msile
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sysdrv32

Symptoms

 

• Presence of the IRC connection mentioned above
• Presence of the files and registry keys mentioned above

Method of Infection

• Trojans do not self-replicate. They spread manually, often under the premise that the executable is something beneficial.
• Trojans may also be received as a result of poor security practices, or un-patched machines and vulnerable systems.
• Distribution channels include IRC, peer-to-peer networks, email, newsgroups postings, etc.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Variants

Variants

N/A

All Information

Overview -

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

File Information:

• MD5 - DC70B8332CA388119D24AEE308F8D35A
• SHA1 - B606003CCD07BC2A8B3BBB64575C611288E43D08

Aliases:

• Kaspersky - Trojan.Win32.Buzus.cqdp
• Microsoft - VirTool:Win32/VBInject.gen!DP
• TrendMicro - WORM_PALEVO.AP
• Ikarus - Trojan.Win32.Buzus

 

Characteristics

Characteristics -

--------------Updated on August 11, 2010----------------------

File Information

• MD5  -  F5EBD99DB047D73A3C0E8B31B9E9BFC9
• SHA  - 3A1AC775A2CA451F28E81563FCD38DFA4F28F8A2

Aliases

• Ikarus        - Worm.Win32.Prolaco
• NOD32     - Win32/Merond.O
• Kaspersky - P2P-Worm.Win32.BlackControl.d
• Microsoft   - Worm:Win32/Prolaco.gen!C

When executed, the Trojan connects to the IP address 220.225.[Removed].85 through the remote port 53.

Upon execution, the Trojan drops the following files:

• %Appdata%\SystemProc\lsass.exe [Detected as W32/Routrobot.worm]
• %ProgramFiles%\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome\content\timer.xul
• %ProgramFiles%\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\install.rdf
• %ProgramFiles%\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome.manifest

And also the Trojan copies itself into the following location:

• %WinDir%\system32\HPWuSchd8.exe [Hidden] [Detected as BackDoor-DOQ]

This Trojan also spreads by copying itself into the following shared folders of Peer-2-Peer Applications.

• %ProgramFiles%\LimeWire\Shared\
• %ProgramFiles%\Grokster\My Grokster\
• %ProgramFiles%\Morpheus\My Shared Folder\

The Trojan creates copies of itself in the above mentioned folders by enticing the following files:

• K-Lite Mega Codec v5.5.1.exe
• YouTubeGet 5.4.exe
• Windows 2008 Enterprise Server VMWare Virtual Machine.exe
• K-Lite Mega Codec v5.6.1 Portable.exe
• Adobe Photoshop CS4 crack.exe
• VmWare 7.0 keygen.exe
• WinRAR v3.x keygen RaZoR.exe
• Twitter FriendAdder 2.1.1.exe
• PDF Unlocker v2.0.3.exe
• Image Size Reducer Pro v1.0.1.exe
• Anti-Porn v13.5.12.29.exe
• Norton Internet Security 2010 crack.exe
• Kaspersky AntiVirus 2010 crack.exe
• PDF-XChange Pro.exe
• Windows 7 Ultimate keygen.exe
• RapidShare Killer AIO 2010.exe
• Ashampoo Snap 3.02.exe
• Blaze DVD Player Pro v6.52.exe
• Adobe Illustrator CS4 crack.exe
• Rapidshare Auto Downloader 3.8.exe
• Trojan Killer v2.9.4173.exe
• PDF to Word Converter 3.0.exe
• Google SketchUp 7.1 Pro.exe
• McAfee Total Protection 2010.exe
• Mp3 Splitter and Joiner Pro v3.48.exe
• Youtube Music Downloader 1.0.exe
• Adobe Acrobat Reader keygen.exe
• VmWare keygen.exe
• AnyDVD HD v.6.3.1.8 Beta incl crack.exe
• Ad-aware 2010.exe
• BitDefender AntiVirus 2010 Keygen.exe
• Norton Anti-Virus 2010 Enterprise Crack.exe
• Total Commander7 license+keygen.exe
• LimeWire Pro v4.18.3.exe
• Download Accelerator Plus v9.exe
• Internet Download Manager V5.exe
• Myspace theme collection.exe
• Nero 9 9.2.6.0 keygen.exe
• Motorola, nokia, ericsson mobil phone tools.exe
• Absolute Video Converter 6.2.exe
• Daemon Tools Pro 4.11.exe
• Download Boost 2.0.exe
• Avast 4.8 Professional.exe
• Grand Theft Auto IV (Offline Activation).exe
• Alcohol 120 v1.9.7.exe
• CleanMyPC Registry Cleaner v6.02.exe
• Super Utilities Pro 2009 11.0.exe
• Power ISO v4.2 + keygen axxo.exe
• G-Force Platinum v3.7.5.exe
• Divx Pro 7 + keymaker.exe
• Magic Video Converter 8 0 2 18.exe
• Sophos antivirus updater bypass.exe
• DVD Tools Nero 10.5.6.0.exe
• Winamp.Pro.v7.33.PowerPack.Portable+installer.exe
• PDF password remover (works with all acrobat reader).exe
• Microsoft.Windows 7 ULTIMATE FINAL activator+keygen x86.exe
• Windows2008 keygen and activator.exe
• Tuneup Ultilities 2010.exe
• Kaspersky Internet Security 2010 keygen.exe
• Windows XP PRO Corp SP3 valid-key generator.exe
• Starcraft2 Patch v0.2.exe
• Starcraft2 keys.txt.exe
• Starcraft2 Crack.exe
• Starcraft2 Oblivion DLL.exe
• Starcraft2.exe

The following registry keys have been added to the system.

• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
• HKEY_LOCAL_MACHINE\SOFTWARE\HP8
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
• HKEY_CURRENT_USER\S-1-(Varies)\Software\HP8

The following registry values have been added.

• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\]
  “%WinDir%\System32\HPWuSchd8.exe” ="%WinDir%\System32\HPWuSchd8.exe:*:Enabled:Explorer"
• [HKEY_LOCAL_MACHINE \SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\]
  “RTHDBPL” = %Appdata%\SystemProc\lsass.exe
• [HKEY_CURRENT_USER\S-1-(Varies\Software\Microsoft\Windows\CurrentVersion\Run\]
  “HP Software Updater8” = "%WinDir%\System32\HPWuSchd8.exe"

The above mentioned registries ensure that, the malware binary registers itself with the compromised system and executes itself on every reboot.

• [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\]
  "EnableLUA" = "0x00000000"

The above regisstry entry confirms that, the Trojan disables the "administrator in Admin Approval Mode" user type.

The following registry values have been modified:

• [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ERSvc\]
   "Start:" = "0x00000004"
• [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wscsvc\]
   "Start:" = "0x00000004"
• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ERSvc\]
  "Start:" = "0x00000004"
• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\]
  "Start:" = "0x00000004"

The above mentioned registry entry confirms that, the Trojan disables the Error Reporting Service (ERSvc) and Windows Security Center Service (wscsvc).

Also, this Trojan injects its malicious code into svchost.exe and connects to the IP address 202.54.[Removed].60 through a remote port 53.

 [Where %WinDir% is the default Windows directory, for example C:\WINNT, C:\WINDOWS etc,       %Appdata% is Application Data folder and %Programfiles% is C:\Program Files\.]

 

--------------Updated on August 06, 2010----------------------

• MD5 - ED8F4F1EA334E50F17DEEDA0155CFEDE
• Filesize - 143401 bytes

This backdoor provides an attacker with unauthorized remote access to the compromised computer. An attacker can gain control over the compromised computer and use it to send spam or install further malware.

Upon execution, the Trojan copies itself into the following location :

•  %System%\traymgr.exe  [Detected as Backdoor-DOQ]

 The following registry values are added to launch the trojan at system startup :

• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run "MicrosoftCorp"
   %System%\traymgr.exe H
• KEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "MicrosoftNAPC"
   %System%\traymgr.exe

*Note: %System% is a variable that refers to the System folder. (C:\Windows\System32 (Windows XP))

Process Information :
Process running in the name of "Traymgr.exe" and this is also hooked on to several other processes such as csrss.exe and lsass.exe

 

Symptoms :
Connects to the below mentioned server

• legion014.com

Once the trojan connects to the server, a remote attacker can spam itself using instant messenger (MSN). With complete control over the compromised computer, a remote attacker can use it to execute further commands specified by attacker.

  ---------Updated on August 05, 2010----------------------

File Information

MD5 - 17751B2B8344EC0B790695C0A64E48E2 SHA - 8508CE2FF2A45EA3088D5EEF5E9FFE2C7BF761FA

Aliases

• AVG - BackDoor.Hupigon5.ANIX
• Ikarus - Trojan.Win32.Agent
• Kaspersky - Trojan.Win32.Agent.djvq
• Microsoft - Backdoor:Win32/Hupigon.XD

Upon execution, the Trojan copies itself into the following location:

• %Windir%\system32\traymgr.exe (Hidden) [Detected as BackDoor-DOQ]
• [Removable Drive]:\ice\fire\traymgr.exe (Hidden) [Detected as BackDoor-DOQ]

And drop the following files:

• [Removable Drive]:\auTORUN.inf (Hidden) %SYSTEMDRIVE%\ice\fire\Desktop.ini (Hidden)

The following folders have been added into the system:

• [Removable Drive]:\ice\fire

This Trojan also attempts to create an autorun.inf file on the root of any accessible disk volumes.

The file "AutoRun.inf" is pointing to the malware binary executable. When the removable or networked drive is accessed from a machine supporting the Autorun feature, the malware is launched automatically.

The autorun.inf is configured to launch the Trojan file via the following command syntax.

[autorun[ [autorun] open=ice\fire\traymgr.exe icon=%SystemRoot%\system32\SHELL32.dll,4 action=Open folder to view files UseAuTOPLAY=1 shell\\open\\command=ice\fire\traymgr.exe shell\\Explore\\Command=ice\fire\traymgr.exe

The following registry values have been added to the system.

• [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\]
  “MicrosoftCorp” = "%Windir%\system32\traymgr.exe"
• [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\]
  “MicrosoftNAPC” = "%Windir%\system32\traymgr.exe"

The above mentioned registry ensures that, the worm registers itself with the compromised system and execute itself upon every boot.

A remote attacker can use the Trojan to perform various tasks:

Gather system information Run IRC commands (PING, NICK, NOTICE, JOIN)

When the user is compromised, the malware binary connect to the IRC channels. Once the malware connects to the IRC server, it can take complete control over the compromised computer. A remote attacker can use it to execute malicious commands.It would also join an IRC channel to receive the following commands from the attacker:

ddos.supersyn ddos.stop dl.start dl.stop update.start msn.spread msn.msg msn.stats msn.addcontact

This Trojan also connects to the following domain address:

• server.l[Removed]n014.com

To mark the presence in the system, the following Mutex object was created:

• 7C48xX92D

[%WinDir% = \WINDOWS (Windows 9x/ME/XP/Vista), \WINNT (Windows NT/2000)] 

--------------------------------------------------------------------------------------------------------

---------------------Updated on May 20, 2010--------------------------------

BackDoor-DOQ is a backdoor that allows unauthorized access and control of a compromised computer to the remote attacker. This malware then opens a backdoor server that allows other computers to connect to the compromised user and control it in from the remote.

When executed, the following registry entry was created:

• [HKEY_LOCAL_MACHINE \SOFTWARE\Microsoft\Windows\CurrentVersion\Run\]
• MSN: %WinDir%\system.exe"

The above mentioned registry entry confirms that the malware binary is executed every time the system boots.

When executed the malware binary connects to the following site using remote port 80.

• 1.justca[removed].info

          

When the user is compromised, the malware binary connect to the IRC channels. Once the malware connects to the IRC server, it can take complete control over the compromised computer. A remote attacker can use it to execute malicious commands.

When executed the malware binary copies itself to the following system location:

• %WinDir%\system.exe

This malware binary also monitors for removable drives. When a removable drive is inserted into any compromised system the malware spreads by copying itself into that removable media connected to the compromised system and creates an "autorun.inf" file to execute itself whenever the device is connected to another system.

         

From the above screenshot, it’s clear that the malware copies itself to the removable drive in the following location.

• %RemovableDrive%\ SERVICES\SYSTEM\autorunme.exe
• %RemovableDrive%\AutORuN.inf

%WinDir% = \WINDOWS (Windows 9x/ME/XP/Vista), \WINNT (Windows NT/2000) %SystemDir% = \WINDOWS\SYSTEM (Windows 98/ME), \WINDOWS\SYSTEM32 (Windows XP/Vista), \WINNT\SYSTEM32 (Windows NT/2000) %ProgramFiles% = \Program Files, %SystemDrive% = Driver in which the Operating System is installed mostly C:\, %RemovableDrive% = Removable drive inserted into the system

<?xml:namespace prefix = o ns = "urn:schemas-microsoft-com:office:office" /><o:p></o:p>

------------------------------------------------------------------------------------------------

When run, this backdoor Trojan deletes itself and creates a process called msile.exe. msile.exe establishes an outbound connection with a remote server using IRC as follows:

PASS h4xg4ng NICK [00-USA-XP-9714670] USER SP2-ojd, followed by the name of the computer

The Trojan drops msile.exe into %windir%\system\. msile.exe is detected under the same name, BackDoor-DOQ. In addition, the Trojan drops a sysdrv32.sys file into %windir%\system32\drivers\. This file is detected as Generic Rootkit.g. Here %windir% is the Windows directory, in most cases, C:\Windows.

The Trojan creates the following registry keys to install msile.exe and sysdrv32.sys as system services:

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msile
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sysdrv32

Symptoms

Symptoms -

 

• Presence of the IRC connection mentioned above
• Presence of the files and registry keys mentioned above

Method of Infection

Method of Infection -

• Trojans do not self-replicate. They spread manually, often under the premise that the executable is something beneficial.
• Trojans may also be received as a result of poor security practices, or un-patched machines and vulnerable systems.
• Distribution channels include IRC, peer-to-peer networks, email, newsgroups postings, etc.

Removal -

Removal -

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Variants

Variants -

N/A