Content

BackDoor-CEP!49F90C24

Type
Trojan
SubType
-
Discovery Date
06/07/2008
Length
86528
Minimum DAT
5312 (06/06/2008)
Updated DAT
5312 (06/06/2008)
Minimum Engine
5.2.00
Description Added
06/07/2008
Description Modified
06/07/2008 6:32 AM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Tab Navigation

Characteristics

File PropertyProperty Value
File Namepostcard.exe
McAfee DetectionBackDoor-CEP
Length86,528 bytes
CRC3249F90C24
MD5a67d9ebe9bbef223b8ab6e1720aa4516
SHA1CFDB7E0721F68632DA13B865E4D302AAA3D39F4E

Other Common Detection Aliases

Company NameDetection Name
AhnLabWin-Trojan/Inject.30208.C
AVG (GriSoft)Downloader.Generic7.RIC
AviraDR/Delphi.Gen
BitDefenderTrojan.Delf.Inject.F
FortiNetW32/Basine.C!tr.dldr
F-ProtW32/Downldr2.BXHT
KasperskyTrojan-Downloader.Win32.Injecter.ga
Microsoftvirtool:win32/delfinject.gen!i
NormanW32/DLoader.HNGO
RisingTrojan.DL.Win32.Agent.bxw
SophosMal/Basine-C
SymantecW32.Saros@mm
Trend MicroTROJ_INJECTER.DD
Vet (Computer Associates)
Win32/Bifrost.EN

Avert® Labs has observed the following system activities:

ActivityRisk Level
Modifies Memory of Other Processes
High
Enumerates running Processes
Medium
Creates Registry Keys and Data values persistent on OS Reboot
Low
Enumerates open windows
Low
Writes Executable in the Windows Folder
Low

Other detections that have been observed.

File NameMcAfee Supported
c:\windows\system32\ali.exe
BackDoor-CEP

System Changes

These are general defaults for typical path variables. (Although they may differ, these examples are common.):
%WinDir% = \WINDOWS (Windows 9x/ME/XP/Vista), \WINNT (Windows NT/2000)
%SystemDir% = \WINDOWS\SYSTEM (Windows 98/ME), \WINDOWS\SYSTEM32 (Windows XP/Vista), \WINNT\SYSTEM32 (Windows NT/2000)
%ProgramFiles% = \Program Files

The following files have been added to the system:

  • %WINDIR%\bhookpl.dll
    • %WINDIR%\system32\ali.exe

        • The following registry elements have been created:

      • HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{b6a807n6-42df-4w02-93e5-b156b3fa8al1}\
        • stubpath = c:\windows\system32\ali.exe

        • The following registry elements have been changed:

      • HKEY_CURRENT_USER\software\microsoft\
        • remove = 28257
      • HKEY_CURRENT_USER\software\microsoft\windows\currentversion\
        • bnhide = 3572|ali.exe|andk|443|x|
        • ofk = 49
      • HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\
        • andk = c:\windows\system32\ali.exe
      • HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce\
        • *andk = c:\windows\system32\ali.exe

        • The applications created the following network connection(s):

      • www.sex.com port (80) Protocol (http)
        • hxxp://www.sex.com /************

        • Symptoms

        This symptoms of this detection are the files, registry, and network communication referenced in the characteristics section.

        Method of Infection

        Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, e-mail, etc.

        Removal

        AVERT recommends to always use latest DATs and engine. This threat will be cleaned if you have this combination.

        Additional Windows ME/XP removal considerations

        Variants

        Variants

          N/A

        All Information

        Overview -

        This is a Trojan detection. Unlike viruses, Trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include e-mail, malicious or hacked Web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

        Characteristics

        Characteristics -

        File PropertyProperty Value
        File Namepostcard.exe
        McAfee DetectionBackDoor-CEP
        Length86,528 bytes
        CRC3249F90C24
        MD5a67d9ebe9bbef223b8ab6e1720aa4516
        SHA1CFDB7E0721F68632DA13B865E4D302AAA3D39F4E

        Other Common Detection Aliases

        Company NameDetection Name
        AhnLabWin-Trojan/Inject.30208.C
        AVG (GriSoft)Downloader.Generic7.RIC
        AviraDR/Delphi.Gen
        BitDefenderTrojan.Delf.Inject.F
        FortiNetW32/Basine.C!tr.dldr
        F-ProtW32/Downldr2.BXHT
        KasperskyTrojan-Downloader.Win32.Injecter.ga
        Microsoftvirtool:win32/delfinject.gen!i
        NormanW32/DLoader.HNGO
        RisingTrojan.DL.Win32.Agent.bxw
        SophosMal/Basine-C
        SymantecW32.Saros@mm
        Trend MicroTROJ_INJECTER.DD
        Vet (Computer Associates)
        		Win32/Bifrost.EN

        Avert® Labs has observed the following system activities:

        ActivityRisk Level
        Modifies Memory of Other Processes
        		High
        Enumerates running Processes
        		Medium
        Creates Registry Keys and Data values persistent on OS Reboot
        		Low
        Enumerates open windows
        		Low
        Writes Executable in the Windows Folder
        		Low

        Other detections that have been observed.

        File NameMcAfee Supported
        c:\windows\system32\ali.exe
        		BackDoor-CEP

        System Changes

        These are general defaults for typical path variables. (Although they may differ, these examples are common.):
        %WinDir% = \WINDOWS (Windows 9x/ME/XP/Vista), \WINNT (Windows NT/2000)
        %SystemDir% = \WINDOWS\SYSTEM (Windows 98/ME), \WINDOWS\SYSTEM32 (Windows XP/Vista), \WINNT\SYSTEM32 (Windows NT/2000)
        %ProgramFiles% = \Program Files

        The following files have been added to the system:

      • %WINDIR%\bhookpl.dll
        • %WINDIR%\system32\ali.exe

            • The following registry elements have been created:

          • HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{b6a807n6-42df-4w02-93e5-b156b3fa8al1}\
            • stubpath = c:\windows\system32\ali.exe

            • The following registry elements have been changed:

          • HKEY_CURRENT_USER\software\microsoft\
            • remove = 28257
          • HKEY_CURRENT_USER\software\microsoft\windows\currentversion\
            • bnhide = 3572|ali.exe|andk|443|x|
            • ofk = 49
          • HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\
            • andk = c:\windows\system32\ali.exe
          • HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce\
            • *andk = c:\windows\system32\ali.exe

            • The applications created the following network connection(s):

          • www.sex.com port (80) Protocol (http)
            • hxxp://www.sex.com /************

            • Symptoms

            Symptoms -

            This symptoms of this detection are the files, registry, and network communication referenced in the characteristics section.

            Method of Infection

            Method of Infection -

            Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, e-mail, etc.

            Removal -

            Removal -

            AVERT recommends to always use latest DATs and engine. This threat will be cleaned if you have this combination.

            Additional Windows ME/XP removal considerations

            Variants

            Variants -

              N/A