Content

BackDoor-CUX!30D9EA2E

Type
Trojan
SubType
-
Discovery Date
08/05/2008
Length
51200
Minimum DAT
5353 (08/04/2008)
Updated DAT
5353 (08/04/2008)
Minimum Engine
5.2.00
Description Added
08/05/2008
Description Modified
08/05/2008 7:13 AM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Tab Navigation

Characteristics

File PropertyProperty Value
File Nametaskmgre2.exe
McAfee DetectionBackDoor-CUX
Length51,200 bytes
CRC3230D9EA2E
MD598ded8e19d40070f1463c650409c5877
SHA1B3830B70AD5FD0F41E7C5661C1BD4C3B0610D213

Other Common Detection Aliases

Company NameDetection Name
AVG (GriSoft)BackDoor.Generic6.GOQ
KasperskyTrojan.Win32.Buzus.pfw
Microsofttrojandropper:win32/malf.gen
Normanw32/dloader.isso
SymantecBackdoor.Trojan

Avert® Labs has observed the following system activities:

ActivityRisk Level
Modifies Memory of Other Processes
High
Writes Executable in the Windows Folder
Low

Other detections that have been observed.

File NameMcAfee Supported
c:\windows\taskmgre.exe
BackDoor-CUX

System Changes

These are general defaults for typical path variables. (Although they may differ, these examples are common.):
%WinDir% = \WINDOWS (Windows 9x/ME/XP/Vista), \WINNT (Windows NT/2000)
%SystemDir% = \WINDOWS\SYSTEM (Windows 98/ME), \WINDOWS\SYSTEM32 (Windows XP/Vista), \WINNT\SYSTEM32 (Windows NT/2000)
%ProgramFiles% = \Program Files

The following files have been added to the system:

  • %WINDIR%\taskmgre.exe
    • %WINDIR%\wscscon.dll

        • The following registry elements have been changed:

      • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\
        • userinit = c:\windows\system32\userinit.exe,,taskmgre.exe

        • The applications created the following network connection(s):

      • coc1.xygong.com:80 port (80) Protocol (http)
        • hxxp://********************

        • Symptoms

        This symptoms of this detection are the files, registry, and network communication referenced in the characteristics section.

        Method of Infection

        Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, e-mail, etc.

        Removal

        AVERT recommends to always use latest DATs and engine. This threat will be cleaned if you have this combination.

        Additional Windows ME/XP removal considerations

        Variants

        Variants

          N/A

        All Information

        Overview -

        This is a Trojan detection. Unlike viruses, Trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include e-mail, malicious or hacked Web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

        Characteristics

        Characteristics -

        File PropertyProperty Value
        File Nametaskmgre2.exe
        McAfee DetectionBackDoor-CUX
        Length51,200 bytes
        CRC3230D9EA2E
        MD598ded8e19d40070f1463c650409c5877
        SHA1B3830B70AD5FD0F41E7C5661C1BD4C3B0610D213

        Other Common Detection Aliases

        Company NameDetection Name
        AVG (GriSoft)BackDoor.Generic6.GOQ
        KasperskyTrojan.Win32.Buzus.pfw
        Microsofttrojandropper:win32/malf.gen
        Normanw32/dloader.isso
        SymantecBackdoor.Trojan

        Avert® Labs has observed the following system activities:

        ActivityRisk Level
        Modifies Memory of Other Processes
        		High
        Writes Executable in the Windows Folder
        		Low

        Other detections that have been observed.

        File NameMcAfee Supported
        c:\windows\taskmgre.exe
        		BackDoor-CUX

        System Changes

        These are general defaults for typical path variables. (Although they may differ, these examples are common.):
        %WinDir% = \WINDOWS (Windows 9x/ME/XP/Vista), \WINNT (Windows NT/2000)
        %SystemDir% = \WINDOWS\SYSTEM (Windows 98/ME), \WINDOWS\SYSTEM32 (Windows XP/Vista), \WINNT\SYSTEM32 (Windows NT/2000)
        %ProgramFiles% = \Program Files

        The following files have been added to the system:

      • %WINDIR%\taskmgre.exe
        • %WINDIR%\wscscon.dll

            • The following registry elements have been changed:

          • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\
            • userinit = c:\windows\system32\userinit.exe,,taskmgre.exe

            • The applications created the following network connection(s):

          • coc1.xygong.com:80 port (80) Protocol (http)
            • hxxp://********************

            • Symptoms

            Symptoms -

            This symptoms of this detection are the files, registry, and network communication referenced in the characteristics section.

            Method of Infection

            Method of Infection -

            Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, e-mail, etc.

            Removal -

            Removal -

            AVERT recommends to always use latest DATs and engine. This threat will be cleaned if you have this combination.

            Additional Windows ME/XP removal considerations

            Variants

            Variants -

              N/A