VIRUS NAME: Backdoor-AJM

Trojan Characteristics
This is a remote access Trojan, and consists of a client controller and a server slave. The slave runs memory resident during Windows startup via a registry modification, and listens on TCP port 10, waiting for instructions from the client controller component.

If the server slave component is executed on a host system, it will copy itself to the Windows\system folder as "servidor.exe". It will modify the registry to load at Windows startup:

- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WinSecurity = (%Windir%)\System\servidor.exe
Symptoms

Firewall alerts that communication is occurring on TCP port 10, or that "servidor.exe" is attempting to access the Internet.

Unexplained occurrences such as the CD tray ejecting, hijacking of the mouse or keyboard, or even applications starting seemingly without user initiation.
Method Of Infection

If the server slave component is executed on a host system, it will copy itself to the Windows\system folder as "servidor.exe". It will modify the registry to load at Windows startup:

- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WinSecurity = (%Windir%)\System\servidor.exe
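As an added defender-side example (not part of the original description), the following Python checks exported Run-key entries and netstat-style listener lines against the indicators given above: the WinSecurity value, the servidor.exe file name, and a listener on TCP port 10. The registry entries and netstat lines are constructed sample input; the %Windir% expansion path is an assumption.

```python
import ntpath
import re
from typing import Dict, Iterable, List

# Indicators taken from the Backdoor-AJM description above.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "WinSecurity"
DROPPED_FILE = "servidor.exe"
LISTEN_PORT = 10

# netstat -an style line: "TCP  <local-addr>:<port>  <remote>  LISTENING"
NETSTAT_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING", re.IGNORECASE)


def _expand(path: str, windir: str = r"C:\Windows") -> str:
    """Expand the (%Windir%) placeholder used in the write-up into a directory (assumed C:\\Windows)."""
    return re.sub(r"\(?%windir%\)?", lambda _: windir, path, flags=re.IGNORECASE)


def scan_run_entries(entries: Dict[str, str]) -> List[str]:
    """entries maps Run value names to their data; returns one finding per entry matching the IoCs."""
    findings = []
    for name, data in entries.items():
        exe = ntpath.basename(_expand(data.strip().strip('"')))
        # Either the value name or the dropped file name alone is enough to flag the entry.
        if name.lower() == RUN_VALUE_NAME.lower() or exe.lower() == DROPPED_FILE:
            findings.append(f"{RUN_KEY}\\{name} = {data}")
    return findings


def scan_listeners(netstat_lines: Iterable[str]) -> List[str]:
    """Return local endpoints listening on the controller port (exact match, so 110 or 1000 do not fire)."""
    hits = []
    for line in netstat_lines:
        m = NETSTAT_RE.match(line)
        if m and int(m.group(2)) == LISTEN_PORT:
            hits.append(f"{m.group(1)}:{m.group(2)}")
    return hits


# Constructed sample input: one benign Run entry, one matching the write-up, and three listeners.
SAMPLE_RUN = {
    "SystemTray": "SysTray.Exe",
    "WinSecurity": r"C:\WINDOWS\SYSTEM\servidor.exe",
}
SAMPLE_NETSTAT = [
    "  TCP    0.0.0.0:10             0.0.0.0:0              LISTENING",
    "  TCP    0.0.0.0:110            0.0.0.0:0              LISTENING",
    "  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING",
]

if __name__ == "__main__":
    print("Run key:", scan_run_entries(SAMPLE_RUN))
    print("Listeners on port 10:", scan_listeners(SAMPLE_NETSTAT))
```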