VIRUS NAME: BackDoor-ABN
Trojan
Characteristics
NB: The first variant of this Trojan is detected with the 4190 DATs. Detection of a later variant requires the latest daily DATs - link below. (Detection will be included in the next full DAT release.)
When the server component of this Remote Access Trojan (dubbed 'AceBot' by its author) is executed on the victim machine, the Trojan copies itself to the Windows System directory as a randomly named executable, deleting the original file. For example:
C:\WINDOWS\SYSTEM\TJSTBU.EXE (163,840 bytes)
In testing the Trojan was observed to disable the personal firewall in use. Strings within the Trojan suggest that the following personal firewalls will be bypassed:
- Sygate Personal Firewall
- Tiny Personal Firewall
- ZoneAlarm Pro
- ZoneAlarm
The Trojan sets the following Registry key to ensure it is executed at subsequent system startups (adjust the filename as necessary):
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "Microsoft Diagnostic" = C:\WINDOWS\SYSTEM\TJSTBU.EXE
Once running, the Trojan attempts to connect to an IRC server, in order to join a channel and listen for remote commands. Strings within the server suggest a variety of functions may be performed remotely. These include the following:
- Shutdown server (self kill)
- Issue channel message
- Sleep
- Update server
- Run file
- Download files
- Send packets
- Logoff machine
- Shutdown machine
NB: Due to the wide variety of functions offered by this Remote Access Trojan, the payload danger is highly variable. Also, since this Trojan appears to be able to update itself, other functions may also be possible.
Code within the server suggests that it is able to spread between machines via the local network using shared drives. If successful, the Trojan attempts to copy itself to the following location (the directory is hardcoded) on the remote machine:
\WINDOWS\Start Menu\Programs\Startup\MSSG.EXE
Network propagation was not observed during testing, suggesting that this infection method is triggered by a remote command.
Symptoms
- The existence of an oddly named .EXE file of length 163,840 bytes in the Windows system directory.
- Disabled personal firewall.
Method Of Infection
The Trojan infects a machine upon its initial execution. Thereafter, it is executed at system startup thanks to a Registry hook.
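The following triage check is an added example, not part of the original description: it evaluates a host's Run values and file listing against the indicators given above (the "Microsoft Diagnostic" Run value, a 163,840-byte .EXE in the Windows system directory, and MSSG.EXE in a Startup folder). The registry and file data are constructed sample dicts so the script runs offline; on a live host they would be collected with winreg and os.scandir.

```python
import ntpath
from typing import Dict, List

EXPECTED_SIZE = 163840                   # file length given in the description
RUN_VALUE_NAME = "microsoft diagnostic"  # Run value name the Trojan sets
STARTUP_DROP = "mssg.exe"                # hardcoded filename used for network spread

# Constructed sample host data (not from a real machine). On a live host these
# would be read with winreg (HKLM\...\Run) and os.scandir of the system directory.
SAMPLE_RUN = {
    "Microsoft Diagnostic": r"C:\WINDOWS\SYSTEM\TJSTBU.EXE",
    "ScanRegistry": r"C:\WINDOWS\scanregw.exe /autorun",
}
SAMPLE_FILES = {
    r"C:\WINDOWS\SYSTEM\TJSTBU.EXE": 163840,
    r"C:\WINDOWS\SYSTEM\KERNEL32.DLL": 471040,
    r"C:\WINDOWS\scanregw.exe": 32768,
    r"\\FILESRV\C$\WINDOWS\Start Menu\Programs\Startup\MSSG.EXE": 163840,
}

def _exe_path(cmd: str) -> str:
    """Lower-cased path portion of a Run command, arguments after .exe dropped."""
    c = cmd.strip().strip('"').lower()
    i = c.find(".exe")
    return c[: i + 4] if i >= 0 else c

def check_host(run_values: Dict[str, str], files: Dict[str, int],
               system_dir: str) -> List[str]:
    """Return findings matching the BackDoor-ABN indicators. run_values maps
    Run value name -> command; files maps full path -> size in bytes."""
    findings = []
    sizes = {p.lower(): s for p, s in files.items()}
    sysdir = system_dir.lower().rstrip("\\") + "\\"
    for name, cmd in run_values.items():
        target = _exe_path(cmd)
        if name.lower() == RUN_VALUE_NAME:          # the documented autostart hook
            findings.append(f"Run value '{name}' -> {cmd}")
        elif sizes.get(target) == EXPECTED_SIZE and target.startswith(sysdir):
            findings.append(f"Run value '{name}' launches a {EXPECTED_SIZE}-byte file: {cmd}")
    for path, size in sizes.items():
        if path.startswith(sysdir) and path.endswith(".exe") and size == EXPECTED_SIZE:
            findings.append(f"{EXPECTED_SIZE}-byte executable in system directory: {path}")
        if ntpath.basename(path) == STARTUP_DROP and "\\startup\\" in path:
            findings.append(f"Startup-folder drop matching network spread: {path}")
    return findings

if __name__ == "__main__":
    for f in check_host(SAMPLE_RUN, SAMPLE_FILES, r"C:\WINDOWS\SYSTEM"):
        print("SUSPECT:", f)
```

The size and value-name checks are independent, so a variant that changes the file size would still be caught by the Run value name and vice versa.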