BackDoor-DRZ
- Type: Trojan
- SubType: Remote Access
- Discovery Date: 08/20/2008
- Length: Varies
- Minimum DAT: 5365 (08/20/2008)
- Updated DAT: 5368 (08/22/2008)
- Minimum Engine: 5.2.00
- Description Added: 08/20/2008
- Description Modified: 08/20/2008 3:22 PM (PT)
Characteristics
Several versions exist; this is a general description. Newer versions require the latest DATs for detection and cleaning.
Upon execution, the trojan drops itself to the following file:
- %WINDIR%\winnet.dll
The trojan modifies the following registry keys:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\LengFeng
"Asynchronous" = 1
"DllName" = %WINDIR%\winnet.dll
"Impersonate" = 0
"Shutdown" = LFShutdown
"Startup" = LFStartup
The trojan spawns an "iexplore.exe" process and injects the DLL into it.
The backdoor connects to the following site and waits for commands:
- skytwo43.[removed].org:443
The backdoor has the following functions:
- gather system information
- create/terminate/list processes
- list files/directories
- download/upload files
- provide a remote command prompt (cmd.exe)
Symptoms
- existence of mentioned file and registry keys
- connections to the mentioned remote hosts
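A defender-side check for the symptoms listed above, added here as an example and not part of the original advisory: it tests for the dropped file and enumerates every Winlogon Notify subkey (the persistence location this trojan uses), flagging any subkey named LengFeng or whose DllName resolves to winnet.dll. It goes slightly beyond the advisory by reviewing all Notify entries, since any DLL registered there is loaded by winlogon.exe; the variable names are this example's own.

```powershell
# Added example: hunt for the BackDoor-DRZ persistence described in this advisory.
# Run from an elevated PowerShell prompt on the machine being checked.

$NotifyPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
$SuspectDll = Join-Path $env:WINDIR 'winnet.dll'   # dropped file named in the advisory
$SuspectKey = 'LengFeng'                           # Notify subkey named in the advisory
$Findings   = @()

# 1. Dropped file check
if (Test-Path -LiteralPath $SuspectDll) {
    $Findings += "File present: $SuspectDll"
}

# 2. Winlogon Notify persistence check
if (Test-Path -LiteralPath $NotifyPath) {
    Get-ChildItem -LiteralPath $NotifyPath | ForEach-Object {
        $props   = Get-ItemProperty -LiteralPath $_.PSPath
        $name    = $_.PSChildName
        $dllName = [string]$props.DllName
        # Expand %WINDIR%-style references so the comparison is on a real path
        $expanded = [Environment]::ExpandEnvironmentVariables($dllName)

        if ($name -ieq $SuspectKey -or $expanded -ilike '*winnet.dll') {
            $Findings += "Notify subkey '$name' loads '$dllName' " +
                         "(Startup=$($props.Startup), Shutdown=$($props.Shutdown))"
        }
        elseif ($dllName -and -not (Test-Path -LiteralPath $expanded)) {
            # Not this trojan, but a Notify entry pointing at a missing DLL still merits review
            $Findings += "Notify subkey '$name' references a missing DLL: $dllName"
        }
    }
}

# 3. Report
if ($Findings.Count -eq 0) {
    Write-Output 'No BackDoor-DRZ indicators found.'
} else {
    Write-Warning 'Indicators matching this advisory were found; clean with the current engine and DAT:'
    $Findings | ForEach-Object { Write-Output "  $_" }
}
```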
Method of Infection
The purpose of this trojan is simply to download a file from the Internet and execute it. It does not self-replicate. Downloader trojans are frequently sent in spammed emails designed to entice the recipient into running the file.
Removal
All Users:
Use current engine and DAT files for detection and removal.
Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).
Variants
N/A
Overview
BackDoor-DRZ trojan provides remote access capabilities to an attacker by opening a backdoor on the compromised machine.