BackDoor-FB.svr.gen
- Type: Trojan
- SubType: Win32
- Discovery Date: 01/28/2002
- Length: 6,144 bytes (UPX compressed)
- Minimum DAT: 4184 (01/30/2002)
- Updated DAT: 4625 (11/10/2005)
- Minimum Engine: 5.1.00
- Description Added: 01/28/2002
- Description Modified: 01/31/2002 10:26 AM (PT)
Overview
This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.
Aliases
- BackDoor-AAF
- Backdoor/Win32.Myparty (GeCAD)
- I-Worm.Myparty (KAV)
- W32/MyParty.A@mm (Norman)
- Win32/Myparty (Computer Associates)
Characteristics
A variety of different samples are detected as BackDoor-FB.svr.gen. The trojans in this family are designed to connect to the author's or distributor's website and download further files, typically other trojans or viruses. Below is a description of one specific BackDoor-FB.svr.gen variant, the one dropped by W32/Myparty@MM.
When the W32/Myparty@MM virus executable is run on a Windows NT-family machine (Windows NT, 2000 or XP), a variant of this backdoor, MSSTASK.EXE, is dropped into the Startup folder of the current user's profile:
%userprofile%\Start Menu\Programs\Startup\msstask.exe
Anything in that folder is launched each time the user logs on, so the backdoor starts automatically, stays memory resident, and leaves the machine open to its operator.
NB: W32/Myparty@MM only mass-mails itself and drops the backdoor component if the system date falls within the following range:
25th - 29th January 2002 inclusive. Outside this date range, no backdoor component is dropped.
MSSTASK.EXE is compressed with UPX, and is 6,144 bytes in length (unpacked the file is 152,064 bytes).
Once running, the backdoor tries to connect to the following IP address:
http://209.151.250.170/
in order to download the command file that operates the backdoor.
A second W32/Myparty@MM variant, which only operates between 20th-24th January 2002 (so it will not replicate on a machine whose date is set correctly), drops an identical backdoor component to that described above. The only difference is the date range in which the backdoor is dropped.
Symptoms
- Presence of the file MSSTASK.EXE (6,144 bytes) in the startup folder within a user's profile.
- Network traffic to the following IP address: 209.151.250.170. This is where the backdoor command file resides.
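The characteristics and symptoms above reduce to a handful of checkable indicators: a file named MSSTASK.EXE in a per-user Startup folder, 6,144 bytes long and UPX-packed, HTTP traffic to 209.151.250.170, and the two date windows in which the Myparty droppers are active. The script below is an added example, not code from the original AVERT description or from McAfee; it walks a profiles directory for the dropped file, parses enough of the PE header to spot UPX section names, flags the C2 address in firewall-style log lines, and reports which dropper would have been active on a given date. The log-line layout, the `build_fake_upx_pe()` stand-in sample and the `run_demo()` profile tree are constructed for the example and are not the real malware.

```python
"""Triage helpers for the BackDoor-FB.svr.gen component dropped by W32/Myparty@MM.
Added example, not code from the original AVERT description: the indicators come from
the text above; the log-line layout and the sample built by build_fake_upx_pe() are assumptions."""
import datetime as dt
import os
import struct
import tempfile
from typing import Dict, List, Optional, Union

C2_IP = "209.151.250.170"     # where the backdoor fetches its command file
DROPPED_NAME = "msstask.exe"  # dropped as %userprofile%\Start Menu\Programs\Startup\msstask.exe
PACKED_SIZE = 6144            # UPX-compressed length given in the description
STARTUP_SUBDIR = os.path.join("Start Menu", "Programs", "Startup")
DROP_WINDOWS = {  # inclusive date windows in which each Myparty variant mass-mails and drops the backdoor
    "W32/Myparty@MM (25-29 Jan 2002)": (dt.date(2002, 1, 25), dt.date(2002, 1, 29)),
    "W32/Myparty@MM second variant (20-24 Jan 2002)": (dt.date(2002, 1, 20), dt.date(2002, 1, 24)),
}
SAMPLE_LOG = [  # constructed firewall lines: '<timestamp> <action> <src>:<port> <dst>:<port>'
    "2002-01-26T09:14:02 ALLOW 10.0.0.12:1045 209.151.250.170:80",
    "2002-01-26T09:14:05 ALLOW 10.0.0.12:1046 10.0.0.1:53",
    "2002-01-26T09:15:11 ALLOW 10.0.0.31:1102 209.151.250.170:80",
    "2002-01-26T09:15:40 DENY 10.0.0.31:1103 198.51.100.7:80",
]

def active_dropper(day: Union[str, dt.date]) -> Optional[str]:
    """Which Myparty variant would drop the backdoor on `day` (date or 'YYYY-MM-DD'), or None."""
    if isinstance(day, str):
        day = dt.date.fromisoformat(day)
    for name, (start, end) in DROP_WINDOWS.items():
        if start <= day <= end:
            return name
    return None

def pe_section_names(data: bytes) -> List[bytes]:
    """Minimal PE header walk returning the section names; [] for anything that is not a sane PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]  # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]     # COFF SizeOfOptionalHeader
    table = e_lfanew + 24 + opt_size                                 # first IMAGE_SECTION_HEADER
    names = []
    for i in range(num_sections):
        off = table + 40 * i
        if off + 40 > len(data):                                     # truncated section table
            break
        names.append(data[off:off + 8].rstrip(b"\0"))
    return names

def is_upx_packed(data: bytes) -> bool:
    """UPX leaves UPX0/UPX1 section names behind; renamed sections evade this, so treat it as a hint."""
    return any(name.startswith(b"UPX") for name in pe_section_names(data))

def scan_startup_folders(profiles_root: str) -> List[Dict[str, object]]:
    """Check every profile under `profiles_root` (e.g. C:\\Documents and Settings) for the dropped file."""
    hits = []
    for profile in sorted(os.listdir(profiles_root)):
        startup = os.path.join(profiles_root, profile, STARTUP_SUBDIR)
        if not os.path.isdir(startup):
            continue
        for entry in os.listdir(startup):
            if entry.lower() != DROPPED_NAME:  # NTFS is case-insensitive, so compare lowered
                continue
            with open(os.path.join(startup, entry), "rb") as fh:
                data = fh.read()
            hits.append({"path": os.path.join(startup, entry), "size": len(data),
                         "size_matches": len(data) == PACKED_SIZE, "upx": is_upx_packed(data)})
    return hits

def flag_c2_traffic(log_lines: List[str]) -> List[str]:
    """Return the log lines whose destination is the C2 host; malformed lines are skipped, not fatal."""
    return [line for line in log_lines
            if len(p := line.split()) >= 4 and p[3].rsplit(":", 1)[0] == C2_IP]

def build_fake_upx_pe(total_size: int = PACKED_SIZE) -> bytes:
    """Constructed stand-in for the sample: valid MZ/PE headers, UPX0/UPX1/.rsrc sections, zero padding."""
    e_lfanew, opt_size = 0x80, 0xE0
    image = bytearray(b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    image += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, opt_size, 0x010F)
    image += struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)  # PE32 optional header, mostly zero
    for name in (b"UPX0", b"UPX1", b".rsrc"):
        image += name.ljust(8, b"\0") + b"\0" * 32
    return bytes(image.ljust(total_size, b"\0"))

def run_demo() -> List[Dict[str, object]]:
    """Scan a throwaway profile tree with one infected user (alice) and one clean user (bob)."""
    with tempfile.TemporaryDirectory() as root:
        infected = os.path.join(root, "alice", STARTUP_SUBDIR)
        os.makedirs(infected)
        os.makedirs(os.path.join(root, "bob", STARTUP_SUBDIR))
        with open(os.path.join(infected, "MSSTASK.EXE"), "wb") as fh:
            fh.write(build_fake_upx_pe())
        return scan_startup_folders(root)
```

On a real Windows 2000/XP host point `scan_startup_folders()` at `C:\Documents and Settings` (on NT 4 the profiles live under `%SystemRoot%\Profiles`); `run_demo()` exercises the same code against a temporary tree. Treat each indicator as weak on its own: the file name can be reused by legitimate software, a quarantined or partially downloaded copy will not be exactly 6,144 bytes, the UPX check only sees the default section names, and the IP address was recorded in January 2002 and may well have been reassigned since, so alert on it for historical context rather than as proof of infection today.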
Method of Infection
This backdoor is dropped into the Startup folder within a user's profile when the W32/Myparty@MM virus is executed upon an NT (NT/2000/XP) machine.
Removal
All Users:
Use current engine and DAT files for detection and removal.
Modifications made to the system Registry and/or INI files for the purpose of hooking system startup are removed when cleaning with the recommended engine and DAT combination (or higher). For the variant described above, the persistence mechanism is the copy of MSSTASK.EXE in the Startup folder itself, so confirm after cleaning that the file is gone from every user profile on the machine.
Variants
N/A