This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.
4297 (2003-10-08) Updated DAT
-- Update Jan 4, 2005 --
There was a recent mass-spamming of a downloader trojan that is proactively detected as BackDoor-AZV. This trojan attempts to download a new W32/Brepibot variant from 4 different web sites. The spammed email message may appear as follows:
Subject: Photo Approval Needed
Attachment: (varies, may be one of the following, or others)
In at least some cases, the files with the .ZIP extension are actually executable files by content and therefore only run when renamed with an executable extension.
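The advisory's point that a ".ZIP" attachment can be an executable by content is something a mail gateway or triage script can check directly by looking at the leading bytes instead of trusting the name. The following is an added example, not code from AVERT or the advisory; the sample attachments and their file names are constructed, and the magic values are the well-known PE and ZIP header bytes.

```python
"""Flag attachments whose claimed extension disagrees with their content.

Added example (not from the AVERT advisory). Sample attachments below are
constructed minimal headers, not real files; names are made up.
"""
import os

# Well-known leading bytes (not taken from the advisory)
MAGIC = {
    b"MZ": "pe",            # DOS/PE executable header
    b"PK\x03\x04": "zip",   # ZIP local file header
}

# Extensions that legitimately carry PE content
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".dll"}


def sniff(data: bytes) -> str:
    """Return 'pe', 'zip' or 'unknown' from the leading bytes only."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def is_disguised_executable(filename: str, data: bytes) -> bool:
    """True when the bytes say PE executable but the name does not.

    A .ZIP that is really a PE matches the case the advisory describes:
    it will not run until someone renames it, but it should still be
    quarantined rather than delivered.
    """
    ext = os.path.splitext(filename)[1].lower()
    return sniff(data) == "pe" and ext not in EXECUTABLE_EXTS


def triage(attachments):
    """Return the names of attachments that should be quarantined."""
    return [name for name, data in attachments if is_disguised_executable(name, data)]


# Constructed sample attachments (headers only, not malware)
SAMPLES = [
    ("photo_approval.zip", b"PK\x03\x04" + b"\x00" * 26),   # genuine ZIP
    ("photo_approval2.zip", b"MZ\x90\x00" + b"\x00" * 60),  # PE disguised as ZIP
    ("readme.txt", b"Hello, this is plain text."),          # not executable
    ("setup.exe", b"MZ\x90\x00" + b"\x00" * 60),            # honest executable
]

if __name__ == "__main__":
    for name in triage(SAMPLES):
        print("quarantine:", name)
```

Only the first bytes are inspected, which is enough for this mismatch; a production filter would also open genuine archives and apply the same check to their members.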
-- Update Oct. 14th 2004 --
AVERT has received several field samples with the following subject line: David Beckham Caught With Spanish Girl
The attachment within the email is already detected as BackDoor-AZV in the 4398 DATs. If successfully executed, the trojan will attempt to connect to IRC via port 6667 for remote commands.
-- Update Dec 11th 2003 --
An additional variant of this remote access trojan has been found in the field, which has been packed with the MoleBox packing application. Detection of this is included in the 4309 DAT files.
AVERT has identified a few incidents of this remote access trojan being spammed to newsgroups and recommends that users disallow scripts when viewing posts, and use a newsgroup reader which has this option. Alternatively, this option can be set for the Internet Zone in the security settings of IE5. AVERT also recommends adding ".HTA" to the extension list for pre-4.5 products. The following URL was known to contain the worm:
Since there are multiple versions of this trojan, the icon used may vary. The icon used will typically be misleading or enticing, for example:
Once executed, the trojan creates a mutex to ensure only one instance is running. The name of this mutex varies between variants, for example:
The trojan copies itself to %SysDir% as WIN32SERVER.SCR or WIN32SERVER.EXE (variant dependent) and hooks the following Registry key to run itself at startup:
Run "Winsock32driver" = win32server.scr / win32server.scr
(where %SysDir% is C:\windows\system or C:\winnt\system)
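The startup hook above gives two indicators a responder can check in a Registry export: the value name "Winsock32driver" and the file names win32server.scr / win32server.exe. The following is an added example, not AVERT's code; the advisory does not print the full key path, so the per-machine HKLM ...\CurrentVersion\Run key used in the sample is an assumption, and the .reg text is constructed.

```python
"""Triage a .reg export of a Run key for the BackDoor-AZV startup hook.

Added example (not from the AVERT advisory). The full key path is not
given in the advisory; the HKLM Run key below is assumed. The export
text is constructed for illustration.
"""
import re

# Indicators taken from the advisory text
SUSPECT_VALUE_NAMES = {"winsock32driver"}
SUSPECT_FILE_NAMES = {"win32server.scr", "win32server.exe"}

# One "Name"="data" string value line inside a .reg export
_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')


def parse_reg_values(reg_text: str):
    """Yield (key, name, data) for every string value in a .reg export."""
    key = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = _VALUE_RE.match(line)
        if m and key:
            # .reg files escape backslashes as \\ ; undo that for path matching
            yield key, m.group("name"), m.group("data").replace("\\\\", "\\")


def find_startup_hooks(reg_text: str):
    """Return (key, name, data) entries under a Run key matching the indicators."""
    hits = []
    for key, name, data in parse_reg_values(reg_text):
        if not key.lower().endswith("\\run"):
            continue
        # Last path component, with any command-line arguments dropped
        basename = data.strip('"').split("\\")[-1].split(" ")[0].lower()
        if name.lower() in SUSPECT_VALUE_NAMES or basename in SUSPECT_FILE_NAMES:
            hits.append((key, name, data))
    return hits


# Constructed sample export: one benign entry, two matching the indicators
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleTray"="C:\\Program Files\\Example\\tray.exe"
"Winsock32driver"="win32server.scr"
"Updater"="C:\\WINNT\\System\\win32server.exe"
"""

if __name__ == "__main__":
    for key, name, data in find_startup_hooks(SAMPLE_REG):
        print(f"{key}\n  {name} = {data}")
```

Matching on both the value name and the file name matters because the advisory notes the name and extension vary between variants; an entry that keeps the file name under a different value name still gets flagged.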
Once running, the trojan attempts to connect to an IRC server (using destination port 6666 or 6667). Subsequent commands may be received via IRC, and include the following:
Use specified engine and DAT files for detection and removal.
Modifications made to the system Registry and/or INI files for the purposes of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).