Egghead

Type: Trojan
SubType: Remote Access
Discovery Date: 02/17/2002
Length: Varies
Minimum DAT: 4189 (03/06/2002)
Updated DAT: 5368 (08/22/2008)
Minimum Engine: 5.1.00
Description Added: 03/04/2002
Description Modified: 03/04/2002 12:17 PM (PT)
Risk Assessment
  Corporate User: Low
  Home User: Low

Characteristics

This trojan is built around a freeware Internet Relay Chat (IRC) bot and uses a combination of system utilities, configuration files, .REG files, and .BAT files; it is designed for Windows 2000/XP. The installer component is a downloader batch file. When the batch file is run, it downloads two files, SS.RAR and UNRAR.EXE, and uses UNRAR.EXE to unpack SS.RAR; the unpacked components then open the local system for remote access. Because the payload is fetched at install time, the author can change the contents of the RAR archive at any time, so symptoms may vary from infection to infection. AVERT has received one field sample of this threat, and the server from which these files were downloaded is no longer functioning.

The RAR file is extracted to the %SystemRoot%\inf\ss directory and another batch file is run. The second batch file creates the directory %SystemRoot%\system32\svchost and copies SERVICES.EXE (the non-trojan FireDaemon application) and PSKILL.EXE (the non-trojan PsKill utility) into it. A service named EVENTS is created which starts the IRC bot. SERVICES.EXE, TCPSVCS.EXE, and GOOD_CLIENT.EXE (detected as BackDoor-EX) are moved to %SystemRoot%. Four .REG files are imported into the registry on Win2K/XP; they set the following values, which should be removed:

  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TlntSvr
    "DependOnService" = "RpcSs.TcpI"
    "Description" = "Allows a remote user to log on to the system and run console programs using the command line."
    "DisplayName" = "Telnet"
    "ErrorControl" = dword:00000001
    "ImagePath" = "%SystemRoot%\system32\tlntsvr.exe"
    "ObjectName" = "LocalSystem"
    "Start" = dword:00000003
    "Type" = dword:00000010

  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TlntSvr\Enum
    "0" = "Root\LEGACY_TLNTSVR\0000"
    "Count" = dword:00000001
    "NextInstance" = dword:00000001

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\TelnetServer\1.0
    "AllowTrustedDomain" = dword:00000001
    "DefaultDomain" = "."
    "DefaultShell" = %SystemRoot%\system32\cmd.exe /q /k
    "LoginScript" = %SystemRoot%\system32\login.cmd
    "MaxConnections" = dword:0000003f
    "MaxFailedLogins" = dword:00000003
    "NTLM" = dword:00000000
    "TelnetPort" = dword:00001a8e
    "AltKeyMapping" = dword:00000001
    "Termcap" = "%SystemRoot%\system32\termcap"

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\TelnetServer\1.0\Performance
    "NumThreadsPerProcessor" = dword:00000002

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
    "AutoShareServer" = dword:00000000
    "AutoShareWks" = dword:00000000

  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\RemoteRegistry
    "Start" = dword:00000003
    "Type" = dword:00000020
Taken together, these values install and configure the Microsoft Telnet service: TlntSvr and RemoteRegistry are registered with Start=3 (manual start), the Telnet listener is moved from TCP port 23 to port 6798 (TelnetPort=0x1a8e), NTLM authentication is switched off (NTLM=0, so plaintext password logons are accepted), the login shell is cmd.exe, and AutoShareServer/AutoShareWks=0 disable the default administrative shares.

The following registry key is created by the trojan and should be deleted:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Events

    The EVENTS service is then started, and the administrative shares ADMIN$, C$, and D$ are removed.
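As an added example that is not part of the original AVERT description, the following Python script parses a .REG file in the text format that the trojan's .REG components and regedit exports use, and reports which of the registry indicators listed above are present, so an exported hive or a recovered .REG file can be checked offline. The sample .REG text inside the script is constructed from the values on this page; the parser, the key constants and the indicator wording are this example's own assumptions, not AVERT's detection logic.

```python
"""Audit a .REG file for the Telnet-backdoor settings that Egghead imports.
Added example, not code from the AVERT description: SAMPLE_REG is constructed
from the values on the page; parser, key constants and indicators are assumed."""
import re
import sys

# Constructed sample: the page's registry values re-expressed in .REG syntax.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\TelnetServer\1.0]
"DefaultShell"="%SystemRoot%\\system32\\cmd.exe /q /k"
"NTLM"=dword:00000000
"TelnetPort"=dword:00001a8e

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters]
"AutoShareServer"=dword:00000000
"AutoShareWks"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TlntSvr]
"Start"=dword:00000003

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Events]
"""

TELNET = r"hkey_local_machine\software\microsoft\telnetserver\1.0"
LANMAN = r"hkey_local_machine\system\currentcontrolset\services\lanmanserver\parameters"
EVENTS = r"hkey_local_machine\system\currentcontrolset\services\events"


def _unescape(s):
    # .REG strings escape backslash and double quote with a backslash.
    return re.sub(r'\\(["\\])', r"\1", s)


def parse_reg(text):
    """Return {key: {name: (kind, value)}}, keys and names lower-cased.
    Handles "..." strings, dword: values and the default value (@); other kinds
    are kept as ('raw', text). A [-KEY] deletion entry is stored as None."""
    keys, current = {}, None
    text = re.sub(r",\\\r?\n\s*", ",", text)  # join backslash-continued hex lines
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] == ";" or line.startswith(("Windows Registry Editor", "REGEDIT4")):
            continue
        m = re.match(r"^\[(-?)(.+)\]$", line)
        if m:
            path = re.sub(r"^hklm\\", r"hkey_local_machine\\", m.group(2).lower())
            if m.group(1):
                keys[path], current = None, None
            else:
                current = path
                if keys.get(current) is None:
                    keys[current] = {}
            continue
        m = re.match(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$', line)
        if current is None or not m:
            continue
        name = "" if m.group(2) else _unescape(m.group(1)).lower()
        body = m.group(3).strip()
        if body.lower().startswith("dword:"):
            keys[current][name] = ("dword", int(body[6:], 16))
        elif len(body) >= 2 and body[0] == body[-1] == '"':
            keys[current][name] = ("sz", _unescape(body[1:-1]))
        else:
            keys[current][name] = ("raw", body)
    return keys


def _dword(values, name):
    kind, val = values.get(name, (None, None))
    return val if kind == "dword" else None


def audit(text):
    """Return the list of indicator findings (empty for a clean file)."""
    reg = parse_reg(text)
    telnet, lanman, findings = reg.get(TELNET) or {}, reg.get(LANMAN) or {}, []
    if _dword(telnet, "ntlm") == 0:
        findings.append("Telnet NTLM=0: NTLM authentication off, plaintext password logons accepted")
    port = _dword(telnet, "telnetport")
    if port is not None and port != 23:
        findings.append("Telnet listener on non-default TCP port %d (0x%08x)" % (port, port))
    shell = telnet.get("defaultshell", ("sz", ""))[1]
    if isinstance(shell, str) and "cmd.exe" in shell.lower():
        findings.append("Telnet DefaultShell is a command prompt: %s" % shell)
    for name in ("autoshareserver", "autosharewks"):
        if _dword(lanman, name) == 0:
            findings.append("%s=0: administrative shares (ADMIN$, C$, ...) disabled" % name)
    for ccs in ("controlset001", "currentcontrolset"):
        start = _dword(reg.get(r"hkey_local_machine\system\%s\services\tlntsvr" % ccs) or {}, "start")
        if start in (2, 3):  # SERVICE_AUTO_START / SERVICE_DEMAND_START
            findings.append("TlntSvr service registered in %s with Start=%d" % (ccs, start))
    if reg.get(EVENTS) is not None:
        findings.append("Service key 'Events' present: the trojan's launcher for the IRC bot")
    return findings


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else None
    # regedit 5.00 exports are UTF-16 with a BOM; older and hand-written files are ANSI.
    text = SAMPLE_REG if data is None else data.decode("utf-16" if data[:2] == b"\xff\xfe" else "latin-1")
    for finding in audit(text):
        print("[!]", finding)
```

Run it with the path of a .REG file, or with no argument to audit the built-in sample. Only keys present in the file are examined, so a clean result for an export of one subtree says nothing about the rest of the registry; export HKLM\SOFTWARE\Microsoft\TelnetServer and HKLM\SYSTEM\CurrentControlSet\Services together before checking a host.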

    Symptoms

    Files associated with this threat include:

    • 254.com
    • 254.dll
    • 254.reg
    • 254r.exe
    • 1.reg
    • 3.reg
    • 5.reg
    • 7.reg
    • b.bat
    • fire.bat
    • s.bat
    • v.bat
    • ClearEL.exe (non-trojan)
    • good_client.exe
    • inetinfo.exe (non-trojan)
    • kill.exe (non-trojan)
    • Pskill.exe (non-trojan)
    • services.exe (non-trojan)
    • tcpsvcs.exe
    • unrar.exe (non-trojan)
    • uptime.exe (non-trojan)

    Method of Infection

    This trojan may arrive as a .BAT file. The batch file downloads the main trojan components over the Internet.

    Removal

    All Windows Users:
    Use current engine and DAT files for detection and removal.


    Variants

      N/A

    Overview

    This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

    Aliases

    • Backdoor.Egghead (NAV)
