BackDoor-CGZ

This page shows details and results of our analysis on the malware BackDoor-CGZ

Overview

This trojan queries DNS servers on the Internet to check whether the infected machine has Internet connectivity (see the www.google.com connections under Symptoms).


Minimum DAT

4383 (2004-08-04)

Updated DAT

4769 (2006-05-24)

Minimum Engine

5.1.00

File Length

N/A

Description Added

2004-08-04

Description Modified

2006-07-07

Malware Proliferation

Characteristics

When executed, this backdoor installs the following files on the system:

  • %WINDIR%\wints.ini ( 49 bytes ) 
  • %WINDIR%\timed.exe ( 20044 bytes ) 
  • %WINDIR%\timer.exe 
  • c:\documents and settings\%USER%\local settings\temp\dcat.log

The trojan also configures itself to load at system startup via the Run value listed below.

The following registry keys and values are created:

  • hkey_local_machine\software\cat\myid="VMG-CLIENT/XP/WqQvXmoiFg7q"
  • hkey_local_machine\software\cat
  • hkey_local_machine\software\microsoft\windows\currentversion\run
    \timer="%WINDIR%\timer.exe /i"

Symptoms

Presence of the files and registry keys mentioned.

The application creates the following network connections:

  • timed.exe server:www.google.com port:80 
  • timer.exe server:www.google.com port:80

The executable filename can vary.
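The files and registry entries in the Characteristics and Symptoms sections can be swept for from an elevated PowerShell prompt on a suspect host. The script below is an added example written for this page, not McAfee's own tooling. It assumes (which the description does not state) that the HKLM\SOFTWARE\cat key and the "timer" Run value are stable indicators while the myid value and the executable name are not, so it matches myid only on the "VMG-CLIENT/" prefix and matches the Run value on the "/i" switch as well as on the exact name; it also checks the Wow6432Node paths, because a 32-bit sample writing HKLM\SOFTWARE on 64-bit Windows is redirected there.

```powershell
# Added example (not from the original page): triage sweep for the BackDoor-CGZ
# indicators listed above. Run as Administrator on the suspect host.
# Assumptions (not stated on the page): the "timer" Run value name and the
# HKLM\SOFTWARE\cat key are stable; myid is per-host, so only the
# "VMG-CLIENT/" prefix is matched; the filename can vary, so the Run value is
# also matched on the "/i" switch.

function Get-BackDoorCGZIndicators {
    [CmdletBinding()]
    param()

    $findings = New-Object System.Collections.Generic.List[object]

    # 1. Dropped files. wints.ini is 49 bytes per the description; report the
    #    observed size so an analyst can compare, but match on name only.
    $files = @(
        (Join-Path $env:WINDIR 'wints.ini'),
        (Join-Path $env:WINDIR 'timed.exe'),
        (Join-Path $env:WINDIR 'timer.exe'),
        (Join-Path $env:TEMP   'dcat.log')
    )
    foreach ($f in $files) {
        if (Test-Path -LiteralPath $f) {
            $item = Get-Item -LiteralPath $f
            $findings.Add([pscustomobject]@{
                Type      = 'File'
                Indicator = $f
                Detail    = "$($item.Length) bytes, modified $($item.LastWriteTime)"
            })
        }
    }

    # 2. Persistence: Run value. Check the native and the WOW64-redirected key,
    #    and match loosely because the executable filename can vary.
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
    )
    foreach ($runKey in $runKeys) {
        if (-not (Test-Path $runKey)) { continue }
        $run = Get-ItemProperty -Path $runKey
        foreach ($p in $run.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own metadata properties
            $v = [string]$p.Value
            if ($p.Name -eq 'timer' -or $v -match '(?i)\\timer\.exe\s+/i\b') {
                $findings.Add([pscustomobject]@{
                    Type      = 'RunValue'
                    Indicator = "$runKey\$($p.Name)"
                    Detail    = $v
                })
            }
        }
    }

    # 3. Configuration key and per-host id (assumed per-host; match on prefix).
    foreach ($catKey in @('HKLM:\SOFTWARE\cat', 'HKLM:\SOFTWARE\Wow6432Node\cat')) {
        if (-not (Test-Path $catKey)) { continue }
        $myid = (Get-ItemProperty -Path $catKey -ErrorAction SilentlyContinue).myid
        $detail = if ($myid -and $myid -like 'VMG-CLIENT/*') { "myid=$myid" }
                  else { 'key present; myid missing or in an unexpected format' }
        $findings.Add([pscustomobject]@{
            Type      = 'RegistryKey'
            Indicator = $catKey
            Detail    = $detail
        })
    }

    return $findings
}

$hits = Get-BackDoorCGZIndicators
if ($hits.Count -eq 0) {
    Write-Output 'No BackDoor-CGZ indicators found.'
} else {
    $hits | Format-Table -AutoSize
}
```

A single hit on www.google.com:80 from an unfamiliar process is not conclusive on its own, since that is an ordinary connectivity check; the file and registry indicators together are the reliable signal. Preserve copies of the dropped files before running the removal steps below, so the per-host myid and the wints.ini contents are available for analysis.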

Method of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial.
Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email, etc.

Removal

All Users:
Use specified engine and DAT files for detection and removal.

Additional Windows ME/XP removal considerations

Variants