BackDoor-DSG.dldr

Type: Trojan
SubType: Downloader
Discovery Date: 12/24/2008
Length: Varies
Minimum DAT: 5474 (12/24/2008)
Updated DAT: 5537 (02/26/2009)
Minimum Engine: 5.1.00
Description Added: 12/24/2008
Description Modified: 12/24/2008 7:32 AM (PT)

Risk Assessment
Corporate User: Low
Home User: Low

Characteristics

BackDoor-DSG.dldr is currently being spammed and arrives as a zipped email attachment.

Upon execution, the trojan downloads a file from the remote site:

  • http://217.13.[removed]/img/media/update/irs_efill.php

The downloaded files are copied to the following locations:

  •  %WinDir%\inf\svchost.exe (BackDoor-DSG trojan)
  •  %WinDir%\inf\svchost\csrss.exe (BackDoor-DSG trojan)
  •  %WinDir%\inf\3dfxlss2k2.PNF (6 bytes)

The following registry keys are modified:

  •  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\stisvc2
     "Description" = Provides image acquisition services for scanners and cameras.
     "DisplayName" =  Windows Image Acquisition (WIA2)
     "ErrorControl" = 1
     "FailureActions" = (binary data)
     "ImagePath" = %WinDir%\inf\svchost.exe
     "ObjectName" = LocalSystem
     "Start" = 2
     "Type" = 0x110
     "Security" = (binary data)
  •  HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\stisvc2
     "Description" = Provides image acquisition services for scanners and cameras.
     "DisplayName" =  Windows Image Acquisition (WIA2)
     "ErrorControl" = 1
     "FailureActions" = (binary data)
     "ImagePath" = %WinDir%\inf\svchost.exe
     "ObjectName" = LocalSystem
     "Start" = 2
     "Type" = 0x110
     "Security" = (binary data)
  •  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
     "%WinDir%\inf\svchost.exe" = %WinDir%\inf\svchost.exe:*:Enabled:svchost
  •  HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
     "%WinDir%\inf\svchost.exe" = %WinDir%\inf\svchost.exe:*:Enabled:svchost

Then it downloads an innocent PDF file from a legitimate site and copies it to the following location:

  • c:\work_related.pdf

The file is opened with Internet Explorer and a PDF viewer, so that the victim sees a harmless document while the downloaded BackDoor-DSG components run in the background.

Symptoms

  • Presence of the aforementioned files and registry values.
  • HTTP connections to the aforementioned site.
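The symptoms above are host artifacts that can be checked directly. The following PowerShell script is an added example and is not part of the McAfee advisory: it expands %WinDir% from $env:windir, assumes the dropped PDF is on the C: drive as the advisory states, and reports (read-only, no removal) whether the listed files, the stisvc2 service keys, and the firewall whitelist entries are present. Note that the legitimate Windows Image Acquisition service is named stisvc; the trojan's stisvc2 copies its description and display name, which is why the script checks the ImagePath rather than trusting the name.

```powershell
# Added example, not the advisory's own code: read-only check for the
# BackDoor-DSG.dldr artifacts listed in the McAfee description.
# Run from an elevated PowerShell prompt so HKLM\SYSTEM is readable.

$windir = $env:windir   # assumption: %WinDir% in the advisory maps to $env:windir

# File artifacts from the advisory.
$filePaths = @(
    (Join-Path $windir 'inf\svchost.exe'),
    (Join-Path $windir 'inf\svchost\csrss.exe'),
    (Join-Path $windir 'inf\3dfxlss2k2.PNF'),
    'C:\work_related.pdf'   # assumption: system drive is C:
)

# Service keys the trojan creates under both control sets.
$serviceKeys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Services\stisvc2',
    'HKLM:\SYSTEM\ControlSet001\Services\stisvc2'
)

# Firewall whitelist keys and the value name the trojan adds.
$firewallKeys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List',
    'HKLM:\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
)
$firewallValueName = Join-Path $windir 'inf\svchost.exe'

$findings = @()

foreach ($p in $filePaths) {
    if (Test-Path -LiteralPath $p) {
        $findings += "File present: $p"
    }
}

foreach ($k in $serviceKeys) {
    if (Test-Path -LiteralPath $k) {
        $props = Get-ItemProperty -LiteralPath $k
        $findings += "Service key present: $k (DisplayName='$($props.DisplayName)', ImagePath='$($props.ImagePath)')"
        # The real WIA service (stisvc) runs from system32; the trojan's copy
        # points ImagePath into %WinDir%\inf, as the advisory describes.
        if ($props.ImagePath -like '*\inf\svchost.exe*') {
            $findings += "  ImagePath points into $windir\inf, matching the advisory"
        }
    }
}

foreach ($k in $firewallKeys) {
    if (Test-Path -LiteralPath $k) {
        $props = Get-ItemProperty -LiteralPath $k
        # The value name is itself a path, so look it up by exact name.
        $val = $props.PSObject.Properties[$firewallValueName]
        if ($val) {
            $findings += "Firewall exception present under $k : $($val.Value)"
        }
    }
}

# Also check the Service Control Manager view, which is what actually starts at boot.
$svc = Get-Service -Name 'stisvc2' -ErrorAction SilentlyContinue
if ($svc) {
    $findings += "Service 'stisvc2' registered with the SCM (status: $($svc.Status))"
}

if ($findings.Count -eq 0) {
    Write-Output 'No BackDoor-DSG.dldr artifacts from the advisory were found.'
} else {
    Write-Output 'Possible BackDoor-DSG.dldr artifacts found:'
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

Any hit should be followed by a scan with the engine and DAT versions named at the top of the advisory; the script only confirms the indicators, it does not clean them.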

Method of Infection

BackDoor-DSG.dldr is currently being spammed and arrives as a zipped email attachment.

Removal

All Users:
Use specified engine and DAT files for detection and removal.

Additional Windows ME/XP removal considerations

Variants

    N/A

Overview

The trojan BackDoor-DSG.dldr is delivered via a spammed email message. It is designed to download the BackDoor-DSG trojan from a remote site.
