BackDoor-AZV

This page shows details and results of our analysis of the malware BackDoor-AZV.

Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.


Minimum DAT: 4297 (2003-10-08)
Updated DAT: 4884 (2006-10-30)
Minimum Engine: 5400.1158
File Length: Various
Description Added: 2003-10-02
Description Modified: 2006-01-04

Characteristics

-- Update Jan 4, 2005 --
There was a recent mass-spamming of a downloader trojan that is proactively detected as BackDoor-AZV. This trojan attempts to download a new W32/Brepibot variant from 4 different web sites. The spammed email message may appear as follows:

Subject: Photo Approval Needed
Body: Hello,
Attachment:  (varies, may be one of the following, or others)

  • Article Photos.exe
  • Article+Photos.exe
  • article.exe
  • Article.zip
  • article_december_####.exe
  • Photo and Article.exe
  • photo+article.exe
  • photo+article.zip

In at least some cases, the files with the .ZIP extension are actually executable files by content and therefore only run when renamed with an executable extension.
---

-- Update Oct. 14th 2004 --

AVERT has received several field samples with the following subject line: David Beckham Caught With Spanish Girl

The attachment within the email is already detected as BackDoor-AZV in the 4398 DATs. If successfully executed, the trojan attempts to connect to IRC on port 6667 to receive remote commands.

-- Update Dec 11th 2003 --

An additional variant of this remote access trojan has been found in the field, which has been packed with the MoleBox packing application. Detection of this is included in the 4309 DAT files.

--

AVERT has identified a few incidents of this remote access trojan being spammed to newsgroups and recommends that users disallow scripts when viewing posts, using a newsgroup reader that offers this option. Alternatively, this option can be set for the Internet Zone in the security settings of IE5. AVERT also recommends adding ".HTA" to the extension list for pre-4.5 products. The following URL was known to host the trojan:

http://home.attbi.com/(blocked)/ChristinaAguilera.scr

Since there are multiple versions of this trojan, the icon used may vary; it will typically be misleading or enticing.

Once executed, the trojan creates a mutex to ensure only one instance is running. The name of this mutex varies between variants, for example:

  • botsmutex
  • whatthefuck
  • VidCap32
  • judge

The trojan copies itself to %SysDir% as WIN32SERVER.SCR or WIN32SERVER.EXE (variant dependent) and hooks the following Registry key to run itself at startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "Winsock32driver" = win32server.scr / win32server.exe

(where %SysDir% is C:\windows\system or C:\winnt\system, depending on the Windows version)

Once running, the trojan attempts to connect to an IRC server (using destination port 6666 or 6667). Subsequent commands may be received via IRC and include the following:

  • download remote file
  • act as socks4 proxy
  • terminate process
  • read IRC log file

Symptoms

  • Existence of the above-mentioned files and registry keys.
  • Firewall reports of "Generic Host Process for Win32 Services" requesting access to an unexpected domain (remote port 6666 or 6667), e.g.:
    • hackarmy.tk
    • packets.kicks-ass.org
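The two symptoms above can be checked offline from a .reg export of the Run key and from firewall log lines. The following triage helper is an added example, not McAfee/AVERT code; the sample registry export and firewall lines are constructed, and the log line format is an assumption (real firewall products format entries differently, so the regex would need adjusting).

```python
"""Offline triage for the BackDoor-AZV indicators given in this description."""
import re

# Indicators from the description: Run value name, dropped file names,
# IRC ports and the example C2 domains.
RUN_VALUE = "winsock32driver"
DROPPED_FILES = {"win32server.scr", "win32server.exe"}
IRC_PORTS = {6666, 6667}
KNOWN_HOSTS = {"hackarmy.tk", "packets.kicks-ass.org"}

# Constructed sample of what `reg export HKLM\...\Run` produces.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Updater"="C:\\Program Files\\Vendor\\update.exe"
"Winsock32driver"="win32server.scr"
'''

# Constructed firewall lines (assumed format: action, process, remote host:port).
SAMPLE_FW = [
    "2003-10-08 12:00:01 ALLOW Generic Host Process for Win32 Services -> hackarmy.tk:6667",
    "2003-10-08 12:00:05 ALLOW iexplore.exe -> www.example.com:80",
    "2003-10-08 12:01:10 BLOCK Generic Host Process for Win32 Services -> 203.0.113.7:6666",
]

REG_VALUE_RE = re.compile(r'^"([^"]+)"="([^"]*)"$', re.M)
FW_RE = re.compile(r'(ALLOW|BLOCK) (.+?) -> ([^:\s]+):(\d+)$')

def check_run_key(reg_text):
    """Return (name, data) pairs that match the persistence hook: the value
    is named Winsock32driver, or its data ends in one of the dropped files."""
    hits = []
    for name, data in REG_VALUE_RE.findall(reg_text):
        # .reg exports double the backslashes; normalise before taking the file name.
        target = data.replace("\\\\", "\\").split("\\")[-1].lower()
        if name.lower() == RUN_VALUE or target in DROPPED_FILES:
            hits.append((name, data))
    return hits

def check_firewall(lines):
    """Return (host, port, known_c2) for svchost connections to an IRC port.
    Port-only matches are kept as a weaker signal; known hosts are flagged."""
    hits = []
    for line in lines:
        m = FW_RE.search(line)
        if not m:
            continue
        process, host, port = m.group(2), m.group(3).lower(), int(m.group(4))
        if "generic host process" in process.lower() and port in IRC_PORTS:
            hits.append((host, port, host in KNOWN_HOSTS))
    return hits
```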

Method of Infection

  • Accessing URLs that lead to the trojan being downloaded onto the system.
  • Receiving this trojan in HTML emails or newsgroup posts.

Removal

All Users:
Use specified engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).
