Content

BackDoor-DKA!B4853915

Type
Trojan
SubType
-
Discovery Date
06/12/2008
Length
17151
Minimum DAT
5316 (06/12/2008)
Updated DAT
5316 (06/12/2008)
Minimum Engine
5.2.00
Description Added
06/12/2008
Description Modified
06/12/2008 1:50 PM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Tab Navigation

Characteristics

File PropertyProperty Value
File Name!itw#198.exe
McAfee DetectionBackDoor-DKA
Length17,151 bytes
CRC32B4853915
MD570a1b2053067a709ea085d52015d43ed
SHA1D999A905144C4FAEA96FC2CFCD3D1F0B4FD2FBDD

Other Common Detection Aliases

Company NameDetection Name
AhnLabWin-Trojan/Popwin.17151
AvastWin32:Trojan-gen {Other}
AVG (GriSoft)Dropper.Generic.UIR
AviraWorm/Winko.I.57
BitDefenderWin32.Worm.Winko.I
ClamAVPUA.Packed.UPack-2
Dr.WebTrojan.Popwin
EMSI SoftwareWorm.Win32.AutoRun.bsz
eSafe (Alladin)Win32.AutoRun.bsz
FortiNetW32/AutoRun.BTQ!worm
F-ProtW32/Worm.NMI (damaged)
KasperskyWorm.Win32.AutoRun.bsz
Microsoftbackdoor:win32/popwin.b
Normanw32/smalldoor.azcz
PandaW32/Lineage.HBO.worm
RisingWorm.Win32.Agent.zjk
SophosMal/Behav-010
SymantecTrojan Horse
Trend MicroWORM_AUTORUN.WU
Vba32Worm.Win32.AutoRun.bsz
V-BusterWorm.AutoRun.AXR
Vet (Computer Associates)
Win32/Pipown!generic

Avert® Labs has observed the following system activities:

ActivityRisk Level
Enumerates running Processes
Medium
Enumerates open windows
Low
Writes Executable in the Windows Folder
Low
Program often suspends itself
Informational

Other detections that have been observed.

File NameMcAfee Supported
c:\windows\system32\66905896.exe
BackDoor-DKA

System Changes

These are general defaults for typical path variables. (Although they may differ, these examples are common.):
%WinDir% = \WINDOWS (Windows 9x/ME/XP/Vista), \WINNT (Windows NT/2000)
%SystemDir% = \WINDOWS\SYSTEM (Windows 98/ME), \WINDOWS\SYSTEM32 (Windows XP/Vista), \WINNT\SYSTEM32 (Windows NT/2000)
%ProgramFiles% = \Program Files

The following files have been added to the system:

  • %WINDIR%\system32\66905896.exe
    • %WINDIR%\system32\c2f62ca4.dll

        • The following registry elements have been created:

      • HKEY_CURRENT_USER\system\currentcontrolset\services\542a8dab\
        • description = c2f62ca4
        • displayname = 542a8dab
        • imagepath = c:\windows\system32\66905896.exe -k
        • objectname = localsystem
      • hkey_users\.default\system\currentcontrolset\services\542a8dab\
        • description = c2f62ca4
        • displayname = 542a8dab
        • imagepath = c:\windows\system32\66905896.exe -k
        • objectname = localsystem

        • The following registry elements have been changed:

      • HKEY_LOCAL_MACHINE\software\microsoft\pchealth\errorreporting\
        • doreport = 0
        • showui = 0
      • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\
        • reportbootok = 1
      • HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\advanced\folder\hidden\showall\
        • checkedvalue = 0
      • HKEY_LOCAL_MACHINE\system\controlset001\control\servicecurrent\
        • (default) = 9
      • HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_542a8dab\0000\control\
        • activeservice = 542a8dab
      • HKEY_LOCAL_MACHINE\system\currentcontrolset\services\542a8dab\
        • description = c2f62ca4
        • displayname = 542a8dab
        • errorcontrol = 1
        • imagepath = c:\windows\system32\66905896.exe -k
        • objectname = localsystem
        • start = 2
        • type = 16

        • Symptoms

        This symptoms of this detection are the files, registry, and network communication referenced in the characteristics section.

        Method of Infection

        Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, e-mail, etc.

        Removal

        AVERT recommends to always use latest DATs and engine. This threat will be cleaned if you have this combination.

        Additional Windows ME/XP removal considerations

        Variants

        Variants

          N/A

        All Information

        Overview -

        This is a Trojan detection. Unlike viruses, Trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include e-mail, malicious or hacked Web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

        Characteristics

        Characteristics -

        File PropertyProperty Value
        File Name!itw#198.exe
        McAfee DetectionBackDoor-DKA
        Length17,151 bytes
        CRC32B4853915
        MD570a1b2053067a709ea085d52015d43ed
        SHA1D999A905144C4FAEA96FC2CFCD3D1F0B4FD2FBDD

        Other Common Detection Aliases

        Company NameDetection Name
        AhnLabWin-Trojan/Popwin.17151
        AvastWin32:Trojan-gen {Other}
        AVG (GriSoft)Dropper.Generic.UIR
        AviraWorm/Winko.I.57
        BitDefenderWin32.Worm.Winko.I
        ClamAVPUA.Packed.UPack-2
        Dr.WebTrojan.Popwin
        EMSI SoftwareWorm.Win32.AutoRun.bsz
        eSafe (Alladin)Win32.AutoRun.bsz
        FortiNetW32/AutoRun.BTQ!worm
        F-ProtW32/Worm.NMI (damaged)
        KasperskyWorm.Win32.AutoRun.bsz
        Microsoftbackdoor:win32/popwin.b
        Normanw32/smalldoor.azcz
        PandaW32/Lineage.HBO.worm
        RisingWorm.Win32.Agent.zjk
        SophosMal/Behav-010
        SymantecTrojan Horse
        Trend MicroWORM_AUTORUN.WU
        Vba32Worm.Win32.AutoRun.bsz
        V-BusterWorm.AutoRun.AXR
        Vet (Computer Associates)
        		Win32/Pipown!generic

        Avert® Labs has observed the following system activities:

        ActivityRisk Level
        Enumerates running Processes
        		Medium
        Enumerates open windows
        		Low
        Writes Executable in the Windows Folder
        		Low
        Program often suspends itself
        		Informational

        Other detections that have been observed.

        File NameMcAfee Supported
        c:\windows\system32\66905896.exe
        		BackDoor-DKA

        System Changes

        These are general defaults for typical path variables. (Although they may differ, these examples are common.):
        %WinDir% = \WINDOWS (Windows 9x/ME/XP/Vista), \WINNT (Windows NT/2000)
        %SystemDir% = \WINDOWS\SYSTEM (Windows 98/ME), \WINDOWS\SYSTEM32 (Windows XP/Vista), \WINNT\SYSTEM32 (Windows NT/2000)
        %ProgramFiles% = \Program Files

        The following files have been added to the system:

      • %WINDIR%\system32\66905896.exe
        • %WINDIR%\system32\c2f62ca4.dll

            • The following registry elements have been created:

          • HKEY_CURRENT_USER\system\currentcontrolset\services\542a8dab\
            • description = c2f62ca4
            • displayname = 542a8dab
            • imagepath = c:\windows\system32\66905896.exe -k
            • objectname = localsystem
          • hkey_users\.default\system\currentcontrolset\services\542a8dab\
            • description = c2f62ca4
            • displayname = 542a8dab
            • imagepath = c:\windows\system32\66905896.exe -k
            • objectname = localsystem

            • The following registry elements have been changed:

          • HKEY_LOCAL_MACHINE\software\microsoft\pchealth\errorreporting\
            • doreport = 0
            • showui = 0
          • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\
            • reportbootok = 1
          • HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\advanced\folder\hidden\showall\
            • checkedvalue = 0
          • HKEY_LOCAL_MACHINE\system\controlset001\control\servicecurrent\
            • (default) = 9
          • HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_542a8dab\0000\control\
            • activeservice = 542a8dab
          • HKEY_LOCAL_MACHINE\system\currentcontrolset\services\542a8dab\
            • description = c2f62ca4
            • displayname = 542a8dab
            • errorcontrol = 1
            • imagepath = c:\windows\system32\66905896.exe -k
            • objectname = localsystem
            • start = 2
            • type = 16

            • Symptoms

            Symptoms -

            This symptoms of this detection are the files, registry, and network communication referenced in the characteristics section.

            Method of Infection

            Method of Infection -

            Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, e-mail, etc.

            Removal -

            Removal -

            AVERT recommends to always use latest DATs and engine. This threat will be cleaned if you have this combination.

            Additional Windows ME/XP removal considerations

            Variants

            Variants -

              N/A