Backdoor-QT
- Type: Trojan
- SubType: Remote Access
- Discovery Date: 07/02/2001
- Length: Varies
- Minimum DAT: 4147 (07/11/2001)
- Updated DAT: 4250 (02/26/2003)
- Minimum Engine: 5.1.00
- Description Added: 07/06/2001
- Description Modified: 07/06/2001 1:04 PM (PT)
Characteristics
This is a remote access trojan written in Visual Basic 5. When run, it copies itself to the WINDOWS SYSTEM directory as UT3.EXE and creates a WIN.INI entry to load the program at startup:
A registry value is also created to load the trojan at startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Resolution=C:\WINDOWS\system\UT3.EXE
The trojan opens TCP/IP ports 52, 53, and 54 on the victim's machine and sends the victim's IP address to a configured ICQ user. Once the machine is infected, the attacker can intercept AOL Instant Messages, send messages, and upload files to the victim.
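A defender-side check for the indicators described above, as an added example that is not part of the original description: it scans a REGEDIT4 registry export for a RunServices value pointing at UT3.EXE and `netstat -an` output for listeners on TCP 52, 53 and 54. The function names, the sample inputs and the netstat column layout are assumptions made for this illustration.

```python
import re

# Indicators from the description above; the sample inputs below are constructed.
TROJAN_FILE = "UT3.EXE"
TROJAN_PORTS = {52, 53, 54}
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices"

def check_reg_export(text):
    """Return (name, data) values under RunServices whose data points at UT3.EXE."""
    hits, in_key = [], False
    for line in map(str.strip, text.splitlines()):
        if line.startswith("["):
            # Registry key names are case-insensitive.
            in_key = line.strip("[]").lower() == RUN_KEY.lower()
            continue
        m = re.match(r'"([^"]*)"="(.*)"$', line) if in_key else None
        if m:
            data = m.group(2).replace("\\\\", "\\")  # .reg files double backslashes
            if data.upper().endswith("\\" + TROJAN_FILE):
                hits.append((m.group(1), data))
    return hits

def check_netstat(text):
    """Return the trojan's TCP ports seen in LISTENING state in `netstat -an` output."""
    ports = set()
    for line in text.splitlines():
        m = re.match(r"\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING", line, re.I)
        if m and int(m.group(1)) in TROJAN_PORTS:
            ports.add(int(m.group(1)))
    return sorted(ports)

# Constructed registry export (REGEDIT4 format), not taken from a real host.
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Resolution"="C:\\WINDOWS\\system\\UT3.EXE"
"SchedulingAgent"="mstask.exe"
'''
# Constructed `netstat -an` output; the UDP line must not be reported.
SAMPLE_NETSTAT = """  TCP    0.0.0.0:52     0.0.0.0:0    LISTENING
  TCP    0.0.0.0:53     0.0.0.0:0    LISTENING
  TCP    0.0.0.0:54     0.0.0.0:0    LISTENING
  TCP    0.0.0.0:139    0.0.0.0:0    LISTENING
  UDP    0.0.0.0:53     *:*
"""

if __name__ == "__main__":
    print(check_reg_export(SAMPLE_REG), check_netstat(SAMPLE_NETSTAT))
```

Port 53 is also used by legitimate DNS servers, so a listener on that port alone is not conclusive; the registry value and the file in the SYSTEM directory are the stronger indicators.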
Symptoms
Presence of the file UT3.EXE in the WINDOWS SYSTEM directory.
Method of Infection
When the trojan is executed, the file is copied to the SYSTEM directory and is configured to load at startup. TCP/IP ports are left open, making the local system vulnerable to an attack by a remote user.
Removal
All Windows Users:
Use current engine and DAT files for detection and removal.
Manual Removal Instructions
- Restart the computer in MS-DOS mode
- Delete the files mentioned
- Restart Windows
- Delete the registry keys as mentioned
Variants
N/A
Overview
This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.
Aliases
- Backdoor-QT.cfg
- Backdoor-QT.cli
- Backdoor-QT.svr
- BackDoor.Muska (AVP)
- MuSka52