Backdoor-JZ

Type: Trojan
SubType: Remote Access
Discovery Date: 01/12/2001
Length: various (7kB-150kB)
Minimum DAT: 4117 (01/24/2001)
Updated DAT: 5385 (09/16/2008)
Minimum Engine: 5.1.00
Description Added: 01/12/2001
Description Modified: 04/30/2002 10:04 AM (PT)
Risk Assessment:
  Corporate User: Low
  Home User: Low

Characteristics

Many different versions of this backdoor trojan are detected as BackDoor-JZ. The following description is fairly general, although port numbers, exact filenames and Registry key names typically vary between versions.

This UPX-packed trojan opens TCP/IP port 30005 on a victim's machine. An attacker can then open, execute and delete files on the user's local system, shut down Windows, and send out pings.

The trojan also copies itself to the Windows directory as traywnd.exe and adds the following Registry key value to allow the program to load at startup:

  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "Taskschd" = %WINDIR%\traywnd

Other versions of this trojan copy themselves to a directory named 'Litmus' in the Windows directory (with varying filenames), hooking the Registry in a similar manner to above.

The source code of this backdoor program circulates among hackers, and many variants exist (so some variants are frequently detected by other AV programs under different names).

Symptoms

  • TCP/IP port 30005 left open
  • Presence of files and registry entry as previously mentioned.
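A defender-side check for the symptoms listed above, added here as an example and not taken from the original AVERT description. It assumes a modern Windows host (Get-NetTCPConnection needs Windows 8 / Server 2012 or later) and looks only for the specific indicators on this page: the "Taskschd" Run value, traywnd.exe or a 'Litmus' directory under the Windows directory, and a listener on TCP 30005.

```powershell
# Added example, not part of the original AVERT description: checks a Windows
# host for the BackDoor-JZ indicators listed above. Run from an elevated
# PowerShell prompt. The value name "Taskschd", the file traywnd.exe, the
# 'Litmus' directory and TCP port 30005 come from the description; variable
# names and message text are this script's own choice.

$findings = @()

# 1. Registry persistence: HKLM\...\Run "Taskschd" = %WINDIR%\traywnd
$runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run) {
    foreach ($p in $run.PSObject.Properties) {
        # Flag the known value name, and any Run value whose data mentions traywnd
        if ($p.Name -eq 'Taskschd' -or ($p.Value -is [string] -and $p.Value -match 'traywnd')) {
            $findings += "Run value '$($p.Name)' = $($p.Value)"
        }
    }
}

# 2. Dropped file in the Windows directory, or the 'Litmus' drop directory
foreach ($path in @("$env:WINDIR\traywnd.exe", "$env:WINDIR\Litmus")) {
    if (Test-Path -LiteralPath $path) {
        $findings += "Path exists: $path"
    }
}

# 3. TCP port 30005 left open: report the owning process if something is listening
$listeners = Get-NetTCPConnection -LocalPort 30005 -State Listen -ErrorAction SilentlyContinue
foreach ($conn in $listeners) {
    $proc = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
    $findings += "TCP 30005 listening, PID $($conn.OwningProcess) ($($proc.ProcessName))"
}

if ($findings.Count -eq 0) {
    Write-Output 'No BackDoor-JZ indicators found.'
} else {
    $findings | ForEach-Object { Write-Output "[!] $_" }
}
```

Because the description notes that port numbers, filenames and key names vary between versions, a clean result here only rules out the version described, not every variant.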

Method of Infection

This trojan can connect to an Internet Relay Chat server and accept commands over IRC channels remotely.

Removal

Use current engine and DAT files for detection and removal. AVERT recommends the following course of action for prevention:

IRC File Distribution Prevention Method
Always use caution when receiving files from others on IRC channels. Although a percentage of files are safe, file sharing is a common breeding ground for virus spreading and distribution. Use these common usage rules to minimize the risk of receiving or spreading a virus:

* Only accept files from people that you know and trust. Never accept files from people you don't know and never accept files without knowing their full purpose.

* Files of executable extension such as .BAT, .EXE, .COM, .HLP, .DLL should never be accepted from others as they have the most potential to cause problems or be infected.

* Scripts should not be accepted from others you do not know. Automation is another factor in the distribution of viruses and trojans.

* Files which support macros should not be accepted, or if they are accepted, make sure to have macro virus protection enabled. If you are unable to verify if macro virus protection is enabled, use alternate viewers such as QuickView or Wordpad as they do not support macros. Office97 applications have viewers available from Microsoft such as Word97 Viewer. Using alternate viewers will minimize the risk of spreading macro virus infections.

* Use antivirus software to scan all files received on IRC channels. This is not a sure-fire way of detecting all viruses; however, known viruses can be prevented from running if vigilant scanning techniques are used.

* Some IRC software applications such as mIRC support security settings or options to disable certain functions such as "send" or "get" and commands such as "/run" and "/dll". AVERT recommends setting these options if applicable. If your application supports changing options on "DCC" settings, choose to prompt or ignore requests for file send or receive transactions.

Variants

    N/A

Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Aliases

  • Backdoor.Litmus (AVP/KAV, AVG)
  • Backdoor.Trojan (Symantec)
  • BKDR_LITMUS (Trend)
  • IRC Trojan (Symantec)
  • security risk or a "backdoor" program (F-Prot)
  • W32/Litmus (Norman, Eset, Vet)
