McAfee > Theat Center > Virus Detail Page

Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Aliases

• Backdoor.Amitis (AVP)

• BKDR_AMITIS (Trend)

• Troj/Bdoor-AKZ (Sophos)

Characteristics

-- Update September 11, 2004 --
There are now more than 25 variants of this trojan known to exist.  The 4389 DAT file include detection for a new variant that exploits the ISPWizard Dialer application.  Detection included in the 4389 DAT files may also incorrectly identify other valid uses of this application as the BackDoor-AKZ trojan.  The 4390 DAT files contain corrected detection.
--

This trojan poses as Yahoo! Messenger so that if a firewall program prompts the user to let it access the internet, they will think they are permitting access from a trusted program rather that the trojan. The trojan file comes with the following icon:

If Yahoo! Messenger is not installed with the path the trojan is looking for, the following error message will occur:

If certain Anti-Virus or Security programs are found, it will try to temporarily shut them off.

It has the following file properties:

File Version: 1.0.0.0
Company Name: IDB
Internal Name: Server
Language: English (United States)
Original Filename: Server.exe
Product Name: Yahoo! Messenger
Product Version: 1.00

The trojan copies itself to the Windows Directory. The filename is not static, so it will copy itself as the filename it had when it was run. So, for example, if it was received as FILENAME.EXE, once run it will copy itself as %WinDir%\FILENAME.EXE. It also references the file in the "load" and "run" lines of the WIN.INI file, so that it will be run again when Windows is started up.

For example:

[Windows]
load=c:\windows\server.exe
load=c:\windows\server.exe

Symptoms

Files and WIN.INI entries as detailed above
Open connections on TCP ports 27551, 27470, 27400, 24590, 1046, 4432, 4433, 3456, 2000 & 1256

Method of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email, etc.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

Variants

N/A

All Information

Overview -

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Aliases

• Backdoor.Amitis (AVP)

• BKDR_AMITIS (Trend)

• Troj/Bdoor-AKZ (Sophos)

Characteristics

Characteristics -

-- Update September 11, 2004 --
There are now more than 25 variants of this trojan known to exist.  The 4389 DAT file include detection for a new variant that exploits the ISPWizard Dialer application.  Detection included in the 4389 DAT files may also incorrectly identify other valid uses of this application as the BackDoor-AKZ trojan.  The 4390 DAT files contain corrected detection.
--

This trojan poses as Yahoo! Messenger so that if a firewall program prompts the user to let it access the internet, they will think they are permitting access from a trusted program rather that the trojan. The trojan file comes with the following icon:

If Yahoo! Messenger is not installed with the path the trojan is looking for, the following error message will occur:

If certain Anti-Virus or Security programs are found, it will try to temporarily shut them off.

It has the following file properties:

File Version: 1.0.0.0
Company Name: IDB
Internal Name: Server
Language: English (United States)
Original Filename: Server.exe
Product Name: Yahoo! Messenger
Product Version: 1.00

The trojan copies itself to the Windows Directory. The filename is not static, so it will copy itself as the filename it had when it was run. So, for example, if it was received as FILENAME.EXE, once run it will copy itself as %WinDir%\FILENAME.EXE. It also references the file in the "load" and "run" lines of the WIN.INI file, so that it will be run again when Windows is started up.

For example:

[Windows]
load=c:\windows\server.exe
load=c:\windows\server.exe

Symptoms

Symptoms -

Files and WIN.INI entries as detailed above
Open connections on TCP ports 27551, 27470, 27400, 24590, 1046, 4432, 4433, 3456, 2000 & 1256

Method of Infection

Method of Infection -

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email, etc.

Removal -

Removal -

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

Variants -

N/A