Content

BackDoor-DTN

Type
Trojan
SubType
Remote Access
Discovery Date
01/15/2009
Length
varies
Minimum DAT
5496 (01/15/2009)
Updated DAT
5548 (03/09/2009)
Minimum Engine
5.2.00
Description Added
01/15/2009
Description Modified
03/06/2009 8:02 AM (PT)
Risk Assessment
Corporate User
Low-Profiled
Home User
Low-Profiled

Tab Navigation

Characteristics

-- Update March 6, 2009 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://www.darkreading.com/security/attacks/showArticle.jhtml?articleID=215800583&cid=RSSfeed
--

Upon execution, it drops the following files:

  • %Temp%\[random numbers] - copy of itself
  • %Temp%\[random numbers].exe - detected as BackDoor-DTN
  • %Windir%\system32\drivers\[random characters].sys - rootkit component detected as BackDoor-DTN!sys

Note:
%Windir% is windows directory usually C:\Windows
%Temp% is Windows Temp folder usually C:\Documents and Settings\[USERNAME]\Local Settings\Temp

It registers the rootkit component as:
HKLM\SYSTEM\CurrentControlSet\Services\[random characters].sys
ImagePath = \??\%Windir%\system32\drivers\[random characters].sys

It adds the following registry allowing the rootkit to execute even at SafeMode:
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\[random characters].sys
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\[random characters].sys

It adds another autostart entry for one of the dropped file pertaining to deletion of TDSS related Malware
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
tdss = %Temp%\[random numbers].exe

It creates the following mutex:

  • ___b0th____

This backdoor checks if the current users has Administrator previledges. If the user has no Admin right, this backdoor attempts to exploit MS vulnerability (MS08-066) that will allow the attacker to gain Administrator privileges.

It connects to the following sites:

  • hxxp://update-product[blocked].net
  • hxxp://updb-update[blocked].com

Once running, the hacker is able to perform various tasks, including:

  • retrieve confidential information
  • steal account information from different applications
  • takes snapshot of the system
  • send and/or upload stolen information
  • uninstall application and other malware
  • download and executes other malware locally
  • terminate processes
  • keylogging
  • update itself

Note:

Confidential Information includes the following:

  • system information such as OS installed, useranme, and other global information
  • network information such as netstats, netusers, ip addresses
  • installed applications
  • visited websites and cookies

Application includes

  • Outlook Express, SMTP, POP3, and IMAP
  • FlashFXP, RimArts, WinProxy, WinAppsPlanet
  • WindowsLive,WebDrive, America Online
  • Google Talk, Google Desktop, Poppy for Windows

This also removes other backdoor and other trojans installed in the system.

It terminates processes and deletes files that contains the following strings:

  • Penis32.exe
  • teekids.exe
  • Microsoft Inet Xp
  • MSBLAST.exe
  • windows auto update
  • mscvb32.exe
  • System MScvb
  • sysinfo.exe
  • PandaAVEngine       
  • taskmon

This backdoor also delete autorun registry if the above files has registry referenced in
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

This backdoor also deletes the following files if found at Windows System directory:

  • vcutil.dll
  • hlfkt.dll
  • phfkt.dll
  • rdshost2.dll
  • rdssrv2.exe
  • dofckt.dll
  • hdfkt.dll
  • rdshost.dll
  • rdssrv.exe

This backdoor also deletes other malware entries in the following registry:

  • HKLM\System\CurrentControlSet\Control\SafeBoot\Network   
  • HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal   
  • HKLM\System\CurrentControlSet\Services
  • HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon\Notify
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
  • HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings

Most of the registry, files and processes it targets to remove are related to the following:

  • Agent
  • Adware/Spyware
  • Banker
  • Downloader
  • Zlob
  • Fakealert Trojan such as WinAntiSpyware, Antivirus 2009/2010
  • Other backdoor
  • Other BHO Trojan

This backdoor disables AVG, Avira, CA, Outpost, Kaspersky, and Windows Defender security products and also disables Windows Firewall by sending malformed messages to its windows.

This backdoor tries to identify possible malicious SYS files found in %Windir%\system32\drivers folder and attempts to delete it. Doing so may also delete normal SYS files.

Symptoms

  • Presence of files and registry entries mentioned.

Method of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email, etc.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

Variants

    N/A

All Information

Overview -

This detection is for backdoor trojan that has rootkit capabilities. This backdoor attempts to exploit MS vulnerability (MS08-066) that will allow the attacker to gain Administrator privileges. This backdoor has also password-stealing capabilities and can log keystrokes of the system.

This backdoor removes other backdoor and other trojans installed in the system.

This also disable security related products.

 

Characteristics

Characteristics -

-- Update March 6, 2009 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://www.darkreading.com/security/attacks/showArticle.jhtml?articleID=215800583&cid=RSSfeed
--

Upon execution, it drops the following files:

  • %Temp%\[random numbers] - copy of itself
  • %Temp%\[random numbers].exe - detected as BackDoor-DTN
  • %Windir%\system32\drivers\[random characters].sys - rootkit component detected as BackDoor-DTN!sys

Note:
%Windir% is windows directory usually C:\Windows
%Temp% is Windows Temp folder usually C:\Documents and Settings\[USERNAME]\Local Settings\Temp

It registers the rootkit component as:
HKLM\SYSTEM\CurrentControlSet\Services\[random characters].sys
ImagePath = \??\%Windir%\system32\drivers\[random characters].sys

It adds the following registry allowing the rootkit to execute even at SafeMode:
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\[random characters].sys
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\[random characters].sys

It adds another autostart entry for one of the dropped file pertaining to deletion of TDSS related Malware
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
tdss = %Temp%\[random numbers].exe

It creates the following mutex:

  • ___b0th____

This backdoor checks if the current users has Administrator previledges. If the user has no Admin right, this backdoor attempts to exploit MS vulnerability (MS08-066) that will allow the attacker to gain Administrator privileges.

It connects to the following sites:

  • hxxp://update-product[blocked].net
  • hxxp://updb-update[blocked].com

Once running, the hacker is able to perform various tasks, including:

  • retrieve confidential information
  • steal account information from different applications
  • takes snapshot of the system
  • send and/or upload stolen information
  • uninstall application and other malware
  • download and executes other malware locally
  • terminate processes
  • keylogging
  • update itself

Note:

Confidential Information includes the following:

  • system information such as OS installed, useranme, and other global information
  • network information such as netstats, netusers, ip addresses
  • installed applications
  • visited websites and cookies

Application includes

  • Outlook Express, SMTP, POP3, and IMAP
  • FlashFXP, RimArts, WinProxy, WinAppsPlanet
  • WindowsLive,WebDrive, America Online
  • Google Talk, Google Desktop, Poppy for Windows

This also removes other backdoor and other trojans installed in the system.

It terminates processes and deletes files that contains the following strings:

  • Penis32.exe
  • teekids.exe
  • Microsoft Inet Xp
  • MSBLAST.exe
  • windows auto update
  • mscvb32.exe
  • System MScvb
  • sysinfo.exe
  • PandaAVEngine       
  • taskmon

This backdoor also delete autorun registry if the above files has registry referenced in
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

This backdoor also deletes the following files if found at Windows System directory:

  • vcutil.dll
  • hlfkt.dll
  • phfkt.dll
  • rdshost2.dll
  • rdssrv2.exe
  • dofckt.dll
  • hdfkt.dll
  • rdshost.dll
  • rdssrv.exe

This backdoor also deletes other malware entries in the following registry:

  • HKLM\System\CurrentControlSet\Control\SafeBoot\Network   
  • HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal   
  • HKLM\System\CurrentControlSet\Services
  • HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon\Notify
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
  • HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings

Most of the registry, files and processes it targets to remove are related to the following:

  • Agent
  • Adware/Spyware
  • Banker
  • Downloader
  • Zlob
  • Fakealert Trojan such as WinAntiSpyware, Antivirus 2009/2010
  • Other backdoor
  • Other BHO Trojan

This backdoor disables AVG, Avira, CA, Outpost, Kaspersky, and Windows Defender security products and also disables Windows Firewall by sending malformed messages to its windows.

This backdoor tries to identify possible malicious SYS files found in %Windir%\system32\drivers folder and attempts to delete it. Doing so may also delete normal SYS files.

Symptoms

Symptoms -

  • Presence of files and registry entries mentioned.

Method of Infection

Method of Infection -

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email, etc.

Removal -

Removal -

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

Variants -

    N/A