
W32/AceBot.worm

Type
Virus
SubType
Internet Worm
Discovery Date
03/06/2002
Length
varies - approx 163,840 bytes
Minimum DAT
4190 (03/13/2002)
Updated DAT
4889 (11/06/2006)
Minimum Engine
5.1.00
Description Added
03/15/2002
Description Modified
05/29/2002 9:30 PM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Characteristics

Update May 29, 2002:
This was renamed from BackDoor-ABN to W32/AceBot.worm in the 4205 DATs to indicate that it can spread over open shares.

NB: The first variant of this Trojan is detected with the 4190 DATs. Detection of a later variant requires the 4196 DATs.

When the server component of this Remote Access Trojan (dubbed 'AceBot' by its author) is executed on the victim machine, the Trojan copies itself to the Windows System directory as a randomly named executable, deleting the original file. For example:

   C:\WINDOWS\SYSTEM\TJSTBU.EXE   (163,840 bytes)

In testing, the Trojan was observed to disable the personal firewall in use. Strings within the Trojan suggest that the following personal firewalls will be bypassed:

  • Sygate Personal Firewall
  • Tiny Personal Firewall
  • ZoneAlarm Pro
  • ZoneAlarm

The Trojan sets the following Registry key to ensure it is executed at subsequent system startups (adjust the filename as necessary):

  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "Microsoft Diagnostic" = C:\WINDOWS\SYSTEM\TJSTBU.EXE

Once running, the Trojan attempts to connect to an IRC server, in order to join a channel and listen for remote commands. Strings within the server suggest a variety of functions may be performed remotely. These include the following:

  • Shutdown server (self kill)
  • Issue channel message
  • Sleep
  • Update server
  • Run file
  • Download files
  • Send packets
  • Logoff machine
  • Shutdown machine

NB: Due to the wide variety of functions offered by this Remote Access Trojan, the payload danger is highly variable. Also, since this Trojan appears to be able to update itself, other functions may also be possible.

Code within the server suggests that it is able to spread between machines via the local network using shared drives. If successful, the worm attempts to copy itself to the following location (the directory is hardcoded) on the remote machine:

\WINDOWS\Start Menu\Programs\Startup\MSSG.EXE

Network propagation was not observed during testing, suggesting that this infection method is triggered by a remote command. In order to prevent reinfection, you must not share your boot drive over the Internet. AVERT has not heard of any infections as a result of anything besides open shares.

Symptoms

  • The existence of an oddly named .EXE file of length 163,840 bytes in the Windows system directory.
  • Disabled personal firewall

Method of Infection

The Trojan infects a machine upon its initial execution. Thereafter, it is executed at each system startup via the Registry Run entry described above.

Removal

Use the specified engine and DAT files for detection and removal. Delete files found to contain this detection.

As this threat seeks open shares, turn off full (unrestricted) sharing of your system drive. If you must use shares, password-protect them to avoid becoming a future target.
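The indicators above (the "Microsoft Diagnostic" Run value, a randomly named 163,840-byte .EXE in the system directory, MSSG.EXE in the Startup folder, and a shared boot drive) can be checked from an elevated PowerShell session. The script below is an added triage example and is not part of the AVERT description or any vendor tool; the value name, file size, file name and paths come from the description, while the additional check of the current user's Startup folder and the use of Get-SmbShare (Windows 8 / Server 2012 or later) are assumptions of this example. It only reports findings; removal is done with the engine and DAT files stated above.

```powershell
# Added triage script (not from the AVERT description): report W32/AceBot.worm
# indicators on a Windows host. Run in an elevated PowerShell session.
$findings = @()

# 1. Persistence: the Run value "Microsoft Diagnostic" set by the Trojan.
$runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['Microsoft Diagnostic']) {
    $findings += [pscustomobject]@{
        Indicator = 'Run value "Microsoft Diagnostic"'
        Detail    = $run.'Microsoft Diagnostic'
    }
}

# 2. Dropped copy: a randomly named 163,840-byte .EXE in the system directory.
$sysDir = [Environment]::SystemDirectory
$sized = Get-ChildItem -Path $sysDir -Filter '*.exe' -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Length -eq 163840 }
foreach ($f in $sized) {
    $findings += [pscustomobject]@{
        Indicator = '163,840-byte EXE in system directory'
        Detail    = $f.FullName
    }
}

# 3. Share-propagation drop: MSSG.EXE in the hardcoded Startup path. The
#    description gives a Windows 9x layout under the Windows directory; the
#    current user's Startup folder is checked too (assumption of this example).
$startupPaths = @(
    (Join-Path $env:WINDIR 'Start Menu\Programs\Startup\MSSG.EXE'),
    (Join-Path ([Environment]::GetFolderPath('Startup')) 'MSSG.EXE')
)
foreach ($p in $startupPaths) {
    if (Test-Path -LiteralPath $p) {
        $findings += [pscustomobject]@{ Indicator = 'MSSG.EXE in Startup folder'; Detail = $p }
    }
}

# 4. Exposure: a non-administrative share that exports the boot drive root,
#    the reinfection vector the description warns about. Default administrative
#    shares (names ending in $) are skipped.
$shares = Get-SmbShare -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -and $_.Name -notlike '*$' -and
                   ($_.Path.TrimEnd('\') -eq $env:SystemDrive) }
foreach ($s in $shares) {
    $findings += [pscustomobject]@{ Indicator = 'Boot drive shared'; Detail = "$($s.Name) -> $($s.Path)" }
}

if ($findings.Count -eq 0) {
    'No AceBot indicators found.'
} else {
    $findings | Format-Table -AutoSize
}
```

The file-size check is the weakest of the four because the length "varies" between variants; treat a size hit as a prompt to scan the file with the stated DATs rather than as confirmation. The share check is the one that addresses the reinfection path, so it is worth running on every host on the segment, not only on the one that showed symptoms.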

Additional Windows ME/XP removal considerations

Variants

    N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • BackDoor-ABN
  • Backdoor.IRC.Acebo (AVP)
  • BKDR_FLY (Trend)
  • Win32.Acebot (CA Vet)
  • Worm.Newbiero (AVP)
