BackDoor-ALT
- Type: Trojan
- SubType: Remote Access
- Discovery Date: 10/16/2002
- Length: Varies
- Minimum DAT: 4230 (10/23/2002)
- Updated DAT: 4711 (03/06/2006)
- Minimum Engine: 5.1.00
- Description Added: 10/17/2002
- Description Modified: 10/24/2002 12:05 PM (PT)
Overview
This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.
Aliases
- Backdoor.Netdex (AVP)
- BKDR_NETDEX.A (Trend)
- JS_NETDEX.A (Trend)
- Troj/Netdex-A (Sophos)
Characteristics
This is a remote access trojan that was installed upon visiting a website. The backdoor allows a remote attacker to perform various functions such as running programs, displaying alert messages, sending email, updating the trojan, sleeping, etc. The website in question was shut down shortly after the trojan was discovered. Upon visiting an infectious website, a page is loaded that exploits the "Microsoft VM ActiveX Component" vulnerability. Several files are written to the COOKIES folder and run:
| File | Role |
| --- | --- |
| a.com | Used to create netd.exe |
| netd.exe | Supports backdoor Internet connectivity |
| zshell.js | Main backdoor component; passes information to netd.exe; carries the main functions of the trojan |
| i.js | Input commands sent to netd.exe to pass along to the website |
| o.js | Commands received from netd.exe for the backdoor to carry out |
| install.php | Installs the main backdoor component zshell.js, creating the registry entry below |

- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "Time Zone Synchronization" = wscript "C:\WINDOWS\Cookies\\zshell.js"
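The dropped files and the Run value above are the indicators a defender can check for on a host. The script below is an added example written for this page, not McAfee's own detection code: it parses a .reg export of the Run key and a Cookies-folder listing for those indicators, and on Windows also reads the live Run key through winreg. The .reg export, the benign "SoundTray" value and the directory listing are constructed sample data; the file names, value name and wscript command are the ones the advisory lists.

```python
"""Check a host for the BackDoor-ALT indicators listed in this advisory.

Added example for this page, not McAfee's own detection code. The file
names, the Run value name and the wscript command come from the description
above; the .reg export and Cookies-folder listing below are constructed so
the check runs offline. Live registry reading is attempted only on Windows.
"""
import re
import sys
from typing import Dict, Iterable, List

# Files the advisory says are dropped into the COOKIES folder.
DROPPED_FILES = {"a.com", "netd.exe", "zshell.js", "i.js", "o.js", "install.php"}

# Run value that install.php creates (name and command from the advisory).
RUN_VALUE_NAME = "Time Zone Synchronization"
# Any wscript command whose script path ends in \zshell.js, in case the
# value name differs from the one observed.
RUN_COMMAND_RE = re.compile(r'wscript\s+"?[^"]*\\zshell\.js"?', re.IGNORECASE)

# Constructed sample: a .reg export of the Run key holding one benign value
# and the entry the advisory describes (the doubled backslash kept as given).
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SoundTray"="C:\\Program Files\\Audio\\tray.exe"
"Time Zone Synchronization"="wscript \"C:\\WINDOWS\\Cookies\\\\zshell.js\""
'''

# Constructed sample: directory listing of C:\WINDOWS\Cookies.
SAMPLE_COOKIES_LISTING = ["index.dat", "user@example[1].txt", "zshell.js", "netd.exe", "o.js"]


def parse_reg_export(text: str) -> Dict[str, str]:
    """Map value name -> data for the "name"="data" lines of a .reg export."""
    values: Dict[str, str] = {}
    for line in text.splitlines():
        m = re.match(r'^"([^"]+)"="(.*)"$', line.strip())
        if m:
            # .reg files escape backslashes and double quotes with a backslash.
            values[m.group(1)] = re.sub(r'\\(["\\])', r"\1", m.group(2))
    return values


def check_run_values(values: Dict[str, str]) -> List[str]:
    """Return a finding for each Run value matching the advisory's persistence entry."""
    findings = []
    for name, command in values.items():
        if name == RUN_VALUE_NAME:
            findings.append(f"Run value name matches: {name!r} = {command!r}")
        elif RUN_COMMAND_RE.search(command):
            findings.append(f"Run value launches zshell.js: {name!r} = {command!r}")
    return findings


def check_cookie_folder(listing: Iterable[str]) -> List[str]:
    """Return the dropped file names present in a Cookies folder listing (sorted)."""
    present = {name.lower() for name in listing}
    return sorted(DROPPED_FILES & present)


def read_live_run_values() -> Dict[str, str]:
    """Read HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run on Windows; empty dict elsewhere."""
    if sys.platform != "win32":
        return {}
    import winreg  # Windows-only module
    values: Dict[str, str] = {}
    key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                         r"Software\Microsoft\Windows\CurrentVersion\Run")
    try:
        index = 0
        while True:  # EnumValue raises OSError once the values are exhausted
            name, data, _ = winreg.EnumValue(key, index)
            values[name] = str(data)
            index += 1
    except OSError:
        pass
    finally:
        winreg.CloseKey(key)
    return values


if __name__ == "__main__":
    for finding in check_run_values(parse_reg_export(SAMPLE_REG_EXPORT)):
        print("sample:", finding)
    print("sample dropped files present:", check_cookie_folder(SAMPLE_COOKIES_LISTING))
    for finding in check_run_values(read_live_run_values()):
        print("LIVE:", finding)
```

The command regex is deliberately broader than the exact value name, so a Run entry that launches zshell.js under a different name is still reported; the file check lowercases names because the Cookies folder is on a case-insensitive file system.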
Symptoms
Presence of the aforementioned files.
Method of Infection
This trojan gets installed when visiting an infectious web page using a vulnerable version of Microsoft Internet Explorer.
Modified scripts were later discovered on infectious web pages. These scripts alter the default stationery for Outlook Express, causing each new email message created in Outlook Express to contain an IFRAME tag, which loads infectious HTML from a remote site. Such infectious email messages are detected as JS/Netdex@M.
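The altered Outlook Express stationery described above is detectable on its own: legitimate stationery references inline images, not a frame that pulls HTML from another site. The following is an added example written for this page, not McAfee's JS/Netdex@M detection logic. It parses HTML stationery and reports every IFRAME whose source is a remote URL; the two stationery samples are constructed, the remote host is a placeholder, and the Stationery folder path in the usage section is an assumed location.

```python
"""Flag Outlook Express stationery that embeds a remote IFRAME.

Added example for this page, not McAfee's detection logic. The stationery
samples are constructed and the remote host is a placeholder; the Stationery
folder path used at the bottom is an assumption for illustration.
"""
from html.parser import HTMLParser
from pathlib import Path
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

REMOTE_SCHEMES = {"http", "https", "ftp"}


class IframeFinder(HTMLParser):
    """Collect (src, is_remote) for every <iframe> start tag in a document."""

    def __init__(self) -> None:
        super().__init__()
        self.iframes: List[Tuple[str, bool]] = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":  # HTMLParser lowercases tag and attribute names
            return
        src = (dict(attrs).get("src") or "").strip()
        parts = urlsplit(src)
        # Remote if it names a network scheme, or is protocol-relative (//host/...).
        remote = parts.scheme.lower() in REMOTE_SCHEMES or (not parts.scheme and bool(parts.netloc))
        self.iframes.append((src, remote))


def remote_iframes(html: str) -> List[str]:
    """Return the src of each IFRAME that would load content from a remote site."""
    finder = IframeFinder()
    finder.feed(html)
    finder.close()
    return [src for src, remote in finder.iframes if remote]


def scan_stationery_dir(folder: Path) -> Dict[str, List[str]]:
    """Map each .htm/.html file under folder to its remote IFRAME sources (hits only)."""
    results: Dict[str, List[str]] = {}
    for path in folder.rglob("*"):
        if path.suffix.lower() in {".htm", ".html"} and path.is_file():
            hits = remote_iframes(path.read_text(errors="replace"))
            if hits:
                results[str(path)] = hits
    return results


# Constructed: ordinary stationery with a background image delivered inline.
CLEAN_STATIONERY = """<html><body background="cid:paper.gif">
<p>Hello,</p>
</body></html>"""

# Constructed: stationery altered the way the advisory describes, with a
# zero-size IFRAME pulling HTML from a remote host (placeholder domain).
ALTERED_STATIONERY = """<html><body background="cid:paper.gif">
<p>Hello,</p>
<iframe src="http://stationery-host.example.invalid/inject.html" width="0" height="0"></iframe>
</body></html>"""

if __name__ == "__main__":
    print("clean:", remote_iframes(CLEAN_STATIONERY))
    print("altered:", remote_iframes(ALTERED_STATIONERY))
    # Assumed location of the Outlook Express stationery folder; adjust per install.
    folder = Path(r"C:\Program Files\Common Files\Microsoft Shared\Stationery")
    if folder.is_dir():
        for name, hits in scan_stationery_dir(folder).items():
            print("remote IFRAME in", name, "->", hits)
```

Running the scan over the stationery folder and the user's own message templates gives a quick answer to whether new mail would carry the injected frame, independently of signature-based scanning of the messages themselves.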
Removal
All Users:
Use current engine and DAT files for detection and removal.
Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).
Variants
N/A