Overview
This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.
|
Minimum DAT
4302 (2003-11-05) Updated DAT4302 (2003-11-05) |
Minimum Engine
5.1.00 File Length498,688 |
Description Added
2003-10-31 Description Modified2003-11-04 |
Malware Proliferation
Characteristics
This threat is detected as Generic BackDoor.d with the specified DAT release.
This detection is for a remote access trojan written in Delphi.
Installation
The trojan might come with an installation exe. Upon execution, the installation exe copies the trojan into the %Windir% directory as messenger.exe.
(Where %Windir% is the Windows directory, for example C:\WINDOWS)The installation exe creates the following registry key to hook system startup:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"Messenger-" = "%Windir%\Messenger.exe"
Remote Access Functionality
Once running on the victim machine, the trojan component opens TCP sockets accepting commands sent from the hacker on port 9696, 3000. The trojan connects to login.icq.com as ICQ client.
The trojan can perform the following actions on victim's machine
- Screen capturing
- System information stealing
- Terminating running processes
- Enumerating drives and folders
Symptoms
- The following port(s) open: 9696, 3000
- Existence of the files/Registry keys detailed above
Method of Infection
Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email, etc.
Removal
All Users:
Use specified engine and DAT files for detection and removal.
Variants