BackDoor-BBB

This page shows the details and results of our analysis of the malware BackDoor-BBB.

Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.


Minimum DAT: 4300 (2003-10-29)
Updated DAT: 5283 (2008-04-28)
Minimum Engine: 5.1.00
File Length: 35,840 bytes
Description Added: 2003-10-26
Description Modified: 2003-10-26

Characteristics

This remote access trojan opens a TCP port on the local system, and connects to a specified IRC server/channel. Reports describe this trojan being spammed in an email message as follows:

Subject: hey, stop send letters to me!
Body: Hey!

Your computer sending e-mail virus Sobig.f!
I recieved message with it three times from you.
I think your PC is infected and many of your friends
and other people get infected messages.
It is not so new virus, why you didn't patch?
Please stop it, Find WMDWM (Sobig killer) somewhere
or run it from my attach. It file can kill only Sobig.f
from your computer and stop the spam from your PC.

Uff... bye...

Attachment: WMDVM.EXE

When the trojan is run, it may create a registry run key to load itself at system startup:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "MyApplet update" = %trojan path%

The trojan contacts the IRC server named irc.wenet.ru, creating TCP traffic on port 6667. TCP port 21653 is opened on the local system to allow a remote attacker to connect to the compromised system and control the trojan.

Symptoms

  • Unexpected connections to the server irc.wenet.ru
  • System listening on TCP port 21653
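The two symptoms above, together with the Run-key entry from the Characteristics section, can be checked mechanically. The following is an added example (not part of the original description) that scans constructed `netstat -ao`-style output and a constructed `.reg` export of the Run key for those indicators; the PIDs, addresses and the trojan path in the samples are made up.

```python
import re
from typing import Dict, List
# Indicators taken from the page: IRC C2 host/port, local control port, Run-key value name.
C2_HOST = "irc.wenet.ru"
C2_PORT = 6667
BACKDOOR_PORT = 21653
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "MyApplet update"

# Constructed sample in the shape of `netstat -ao` output (PIDs and addresses are made up).
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:21653          0.0.0.0:0              LISTENING       2044
  TCP    192.168.1.20:1045      irc.wenet.ru:6667      ESTABLISHED     2044
"""

# Constructed .reg-style export of the Run key; the trojan path is a hypothetical placeholder.
REG_SAMPLE = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\System32\\SecurityHealthSystray.exe"
"MyApplet update"="C:\\WINDOWS\\System32\\WMDVM.EXE"
"""

NETSTAT_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)")
def scan_netstat(text: str) -> List[str]:
    """Flag the two network symptoms from the page, tagged with the owning PID."""
    findings = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue
        _lip, lport, rhost, rport, state, pid = m.groups()
        if state == "LISTENING" and int(lport) == BACKDOOR_PORT:
            findings.append(f"pid {pid}: listening on TCP {BACKDOOR_PORT} (remote control port)")
        if state == "ESTABLISHED" and (rhost.lower() == C2_HOST or int(rport) == C2_PORT):
            findings.append(f"pid {pid}: IRC connection to {rhost}:{rport}")
    return findings

def scan_run_key(reg_text: str) -> Dict[str, str]:
    """Return Run-key values whose name matches the persistence entry on the page."""
    in_key, hits = False, {}
    for line in reg_text.splitlines():
        if line.startswith("["):
            in_key = line.strip("[]").lower() == RUN_KEY.lower()
            continue
        m = re.match(r'^"([^"]+)"="(.*)"$', line)
        if in_key and m and m.group(1).lower() == RUN_VALUE.lower():
            hits[m.group(1)] = m.group(2)
    return hits
```

A process that both owns the 21653 listener and holds the IRC connection (the same PID in both findings) is the one to inspect and to match against the Run-key path.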

Method of Infection

This trojan was reportedly spammed to many email addresses.

Removal

All Users:
Use specified engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).