TROJAN NAME: BackDoor-AJY

Trojan Characteristics
This is a remote access trojan. When run, it copies itself to the SYSTEM directory and creates a registry run key to load itself at startup:
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Ms Office=c:\windows\system\MsOffice.exe
The trojan opens TCP port 1533 and attempts to send an email notification message, using the SMTP server mail.wanadoo.fr, with the following information:
To: trojed@wanadoo.fr
From: ed13015@wanadoo.fr
Subject: TrOjEd!!! 5.0
The message body contains the IP address of the infected machine.
If an error occurs while sending the email, an error message is displayed.
Symptoms
- Presence of MsOffice.exe (192,259 bytes) in the %SysDir% directory.
- TCP port 1533 left open (listening).
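As an added defender-side check that is not part of the original advisory, the following PowerShell triage script tests a host for the three symptoms above: the run key value, the dropped file and its size, and the listening port. It assumes a modern Windows where %SysDir% is System32 and Get-NetTCPConnection is available; the original c:\windows\system location is checked as well.

```powershell
# Host triage for the BackDoor-AJY indicators in this advisory (added example,
# not from the original page). Prints one line per indicator, MATCH or clean.
# Assumptions: modern Windows (%SysDir% = System32), Get-NetTCPConnection present.

$findings = @()

# 1. Registry run key value "Ms Office" under HKLM\...\Run (name from the advisory)
$runKey   = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$runValue = (Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue).'Ms Office'
if ($runValue) {
    $findings += "MATCH run key: Ms Office = $runValue"
} else {
    $findings += "clean: no 'Ms Office' value under $runKey"
}

# 2. Dropped file MsOffice.exe (advisory size 192,259 bytes) in the system directory.
#    Both the modern System32 path and the original Win9x SYSTEM path are checked.
$candidates = @(
    (Join-Path $env:SystemRoot 'System32\MsOffice.exe'),
    (Join-Path $env:SystemRoot 'System\MsOffice.exe')
)
foreach ($path in $candidates) {
    $file = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue
    if ($file) {
        $sizeNote = if ($file.Length -eq 192259) { 'size matches advisory' }
                    else { "size $($file.Length) differs, possible variant or unrelated file" }
        $findings += "MATCH file: $path ($sizeNote)"
    }
}
if (-not ($findings -match '^MATCH file')) {
    $findings += 'clean: MsOffice.exe not present in system directories'
}

# 3. TCP port 1533 in LISTEN state, with the owning process for follow-up.
$listener = Get-NetTCPConnection -LocalPort 1533 -State Listen -ErrorAction SilentlyContinue
if ($listener) {
    $owners = ($listener | Select-Object -ExpandProperty OwningProcess -Unique) -join ','
    $findings += "MATCH port: TCP 1533 listening (owning PID $owners)"
} else {
    $findings += 'clean: TCP 1533 not listening'
}

$findings
```

A hit on the port alone is not conclusive, since other software may use 1533; the registry value and file name together are the stronger signal, and the owning PID should be inspected before anything is removed.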
Method of Infection
Remote access trojans give an attacker a method for connecting to the compromised system and performing various tasks. This remote access trojan is designed to have many capabilities, such as:
- Send email
- Execute a built-in FTP server
- Open/close CD-ROM drive door
- Shut down Windows
- Put Windows in Standby mode
- Retrieve Windows product key and version numbers
- Hide the Start Button
- Record typed keystrokes
- Capture screenshots
- Retrieve system information (CPU, RAM, Computer Name)
- Kill tasks