BackDoor-AMH

Type: Trojan
SubType: Remote Access
Discovery Date: 11/05/2002
Length: 325,209 bytes
Minimum DAT: 4233 (11/13/2002)
Updated DAT: 4296 (10/01/2003)
Minimum Engine: 5.1.00
Description Added: 11/06/2002
Description Modified: 11/22/2002 5:26 AM (PT)
Risk Assessment
Corporate User: Low
Home User: Low

Characteristics

This remote access server allows an attacker to perform various tasks on the infected system. When the trojan is run, it copies itself to the WINDOWS SYSTEM (%SysDir%) folder as SysMap.exe and creates a registry run key to load itself at system startup:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    "Microsoft® System Mapper"=C:\WINDOWS\SYSTEM\SysMap.exe

It also drops a keylogger DLL, SysMap.dll, into the same system folder.

The trojan listens on TCP port 6754 for commands sent by a remote attacker. Those commands can perform the following tasks on the compromised system:

  • Open/close the CD-ROM door
  • Start an IRC bot
  • Run an FTP server (allows file uploads, downloads, renames, deletion, etc.)
  • Retrieve system information (computer name, CPU, username, Windows version, drive space, etc.)
  • Run, terminate, and list processes
  • Edit the registry
  • Send messages
  • Swap mouse buttons
  • Set the wallpaper
  • View typed keystrokes

Symptoms

Presence of the file SysMap.exe in the WINDOWS SYSTEM folder and TCP port 6754 open.
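A host triage check for the indicators above, added here as an example (it is not McAfee's tooling): it parses a `reg export` of the Run key, `netstat -an` output and a listing of the system folder for the SysMap.exe run value, the listening port and the dropped files. All sample inputs are constructed, not captured from a real host.

```python
import re

INDICATOR_PORT = 6754
INDICATOR_FILES = {"sysmap.exe", "sysmap.dll"}
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed sample of `reg export` output for the Run key (not from a real host).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"Microsoft® System Mapper"="C:\\WINDOWS\\SYSTEM\\SysMap.exe"
'''
# Constructed sample of `netstat -an` output and of a %SysDir% directory listing.
SAMPLE_NETSTAT = '''  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:6754           0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1043       10.0.0.2:80            ESTABLISHED
'''
SAMPLE_SYSDIR = ["kernel32.dll", "SysMap.exe", "SysMap.dll", "user32.dll"]

def find_run_key_entries(reg_export):
    """Return (value name, command) pairs under the Run key that launch SysMap.exe."""
    hits, in_run_key = [], False
    for line in reg_export.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_run_key = line[1:-1].lower() == RUN_KEY.lower()
            continue
        m = re.match(r'"([^"]*)"="(.*)"$', line) if in_run_key else None
        if m and "sysmap.exe" in m.group(2).lower():
            hits.append((m.group(1), m.group(2).replace("\\\\", "\\")))  # .reg doubles backslashes
    return hits

def find_listening_port(netstat_output, port=INDICATOR_PORT):
    """Return local endpoints from `netstat -an` output that are LISTENING on `port`."""
    found = []
    for line in netstat_output.splitlines():
        parts = line.split()
        if (len(parts) >= 4 and parts[0] == "TCP" and parts[-1] == "LISTENING"
                and parts[1].rsplit(":", 1)[-1] == str(port)):
            found.append(parts[1])
    return found

def triage(reg_export, netstat_output, sysdir_listing):
    """Run all three checks; one indicator alone (e.g. port 6754 used by another service) is weak."""
    files = sorted(f for f in sysdir_listing if f.lower() in INDICATOR_FILES)
    findings = {"run_key": find_run_key_entries(reg_export),
                "listening": find_listening_port(netstat_output), "files": files}
    findings["likely_infected"] = sum(bool(v) for v in findings.values()) >= 2
    return findings
```

`triage` flags a host only when at least two of the three indicators agree, since an open port or a stray file on its own is a weak signal.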

Method of Infection

Trojans do not self-replicate. They often arrive as a desirable or intriguing file and conceal their true nature. Common ways to receive a trojan are through newsgroup postings, IRC, peer-to-peer networks, spam, etc.

Removal

All Windows Users:
Use current engine and DAT files for detection and removal.

Variants

N/A

Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Aliases

  • Backdoor.IRC.Mapsy (AVP)
