VIRUS NAME: BackDoor-ADM
Type: Trojan
Characteristics
When executed for the first time on the victim machine, this remote access
trojan may display a moving image of a running man in the foreground,
together with a shrunken window (sometimes) captioned 'Unknown GUY'.
Additionally, the trojan opens port 22784 to listen for remote commands
from hackers running the client component of this backdoor.
The trojan copies itself to the Windows system directory and, to ensure its
execution on subsequent system startups, sets the following Registry value:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"Microsoft Syscheck" = C:\WINDOWS\System\Syscheck.exe /s
The filenames used by the trojan and the name of the Registry value may vary
between versions of this backdoor. (The /s switch invokes silent mode,
suppressing the graphic described above.)
The server component of this trojan contains code to email the hacker (via
port 80, using a WWPMsg.dll library) details of the victim machine (port
number, IP address).
Server functions may vary between different versions of this trojan, but
include actions typical of many common backdoors:
- shut down the machine
- open/close the CD-ROM tray
- read PWL (Windows password) files
- file system operations (upload, download, copy, delete, execute, etc.)
- capture a screendump of the victim machine
- perform taskbar operations
- send a message
- move/disable the mouse
The indicated engine/DATs detect and delete this backdoor trojan and remove
the Registry hook it employs, detailed above.
Symptoms
Presence of the server file in the Windows system directory, coupled with
the Registry value detailed above.
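The two indicators above (the Run value pointing at the server file, and a listener on port 22784) can be checked offline over artifacts collected from a suspect machine. The following is an added example, not code from this advisory or from the trojan: it parses the text of a `reg export` of the Run key and of `netstat -an` output and reports any value that launches Syscheck.exe (noting the /s silent switch) and any TCP listener on 22784. The server filename, the Run key path and the port are those given above; the two sample inputs are constructed for the example, and the exact value name and filename may differ between versions of the backdoor.

```python
"""Offline triage for BackDoor-ADM indicators.

Added example, not part of the original advisory. Parses a `reg export`
dump of the Run key and `netstat -an` output captured from a suspect
machine. Both sample inputs below are constructed.
"""
import re

RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
LISTEN_PORT = 22784            # port the server listens on, per the advisory
SERVER_FILE = "syscheck.exe"   # filename may vary between versions

# Constructed sample: `reg export` output for the Run key (.reg syntax,
# where backslashes inside string data are doubled).
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"Microsoft Syscheck"="C:\\WINDOWS\\System\\Syscheck.exe /s"
'''

# Constructed sample: a few lines of `netstat -an` output.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:22784          0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1034       192.168.1.1:80         ESTABLISHED
"""

_REG_VALUE = re.compile(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s):
    """Undo .reg string escaping (\\\\ -> \\, \\" -> ")."""
    return s.replace('\\\\', '\\').replace('\\"', '"')


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} for the REG_SZ values in a .reg dump."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            m = _REG_VALUE.match(line)
            if m:
                name, data = (_unescape(g) for g in m.groups())
                keys[current][name] = data
    return keys


def find_run_hooks(reg_text, server_file=SERVER_FILE):
    """Run values whose command line launches the server file.

    Returns a list of (value_name, command_line, silent_switch_present).
    """
    hits = []
    for key, values in parse_reg_export(reg_text).items():
        if key.lower() != RUN_KEY.lower():
            continue
        for name, data in values.items():
            if server_file in data.lower():
                silent = "/s" in data.lower().split()
                hits.append((name, data, silent))
    return hits


def find_listeners(netstat_text, port=LISTEN_PORT):
    """Local addresses from `netstat -an` that are LISTENING on the backdoor port."""
    found = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0].upper() == "TCP" \
                and parts[-1].upper() == "LISTENING":
            local = parts[1]
            if local.rsplit(":", 1)[-1] == str(port):
                found.append(local)
    return found


def triage(reg_text, netstat_text):
    """Combine both checks; either indicator alone is worth a closer look."""
    hooks = find_run_hooks(reg_text)
    listeners = find_listeners(netstat_text)
    return {"run_hooks": hooks, "listeners": listeners,
            "suspicious": bool(hooks or listeners)}


if __name__ == "__main__":
    result = triage(SAMPLE_REG_EXPORT, SAMPLE_NETSTAT)
    for name, cmd, silent in result["run_hooks"]:
        print(f"Run value {name!r} -> {cmd} (silent mode: {silent})")
    for addr in result["listeners"]:
        print(f"listener on backdoor port: {addr}")
    print("suspicious:", result["suspicious"])
```

Removal is the engine/DATs' job; this script only confirms the symptoms, and a listener on 22784 without the Run value (or the reverse) should still be treated as a lead, since the port and filename can change between versions.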
Method of Infection
The server installs itself on the victim machine when executed, copying
itself to the Windows system directory and hooking the Registry.