McAfee Secure sites help keep you safe from identity theft, credit card fraud, spyware, spam, viruses and online scams
Business Home McAfee Labs Threat Intelligence

BackDoor-CQG

This page shows details and results of our analysis on the malware BackDoor-CQG

Threat Detail

Malware Type: Trojan

Malware Sub-type: Remote Access

Discovery Date: 2005-04-06

Next Steps:

Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.


Minimum DAT

4463 (2005-04-06)

Updated DAT

4632 (2005-11-18)

 Minimum Engine

5.1.00

File Length

Varies

 Description Added

2005-04-06

Description Modified

2005-06-15

Malware Proliferation

Characteristics

This detection is for a remote access trojan written with AutoIt script, compiled as stand-alone executable.  There are several variants of this trojan.  This description is a general guide.  Latest variants require the latest DATs for detection and cleaning.

Upon execution, the trojan installs itself into the Windows system directory.  The following file is created in the latest variant:

  • system.mcm

Several utility dlls are copied in the same directory:

  • md5.dll
  • schdwrp.dll
  • au3xtra.dll

The following registry key value is created:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    "Microsoft Windows Application" = system.mcm

The following registry keys are created to register .mcm file as executable file.

  • HKEY_CLASSES_ROOT\.mcm
    "(Default)" = mcmfile
  • HKEY_CLASSES_ROOT\.mcm
    "Content Type" = application/x-msdownload
  • HKEY_CLASSES_ROOT\.mcm\PersistentHandler
    "(Default)"={098f2470-bae0-11cd-b579-08002b30bfeb}
  • HKEY_CLASSES_ROOT\mcmfile

When run, the trojan contacts a specific website and downloads other executables.  The trojan posts machine specific information such as machine name, OS, hardware info, etc via HTTP.  The trojan opens several random ports on local machine.  The trojan can perform various backdoor activities on the local machine, including

  • Sending popup messages
  • Upload/download/execute files on the victim machine
  • Information stealing

Symptoms

Existence of the files/Registry keys detailed above

Method of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email, etc.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

But in some particular cases, the following steps need to be taken.

Please go to the Microsoft Recovery Console and restore a clean MBR.

On Windows XP:

  • Insert the Windows XP CD into the CD-ROM drive and restart the computer.
  • When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
  • Select the Windows installation that is compromised and provide the administrator password.
  • Issue 'fixmbr' command to restore the Master Boot Record
  • Follow onscreen instructions.
  • Reset and remove the CD from CD-ROM drive.


On Windows Vista and 7:

  • Insert the Windows CD into the CD-ROM drive and restart the computer.
  • Click on "Repair Your Computer".
  • When the System Recovery Options dialog comes up, choose the Command Prompt.
  • Issue 'bootrec /fixmbr' command to restore the Master Boot Record.
  • Follow onscreen instructions.
  • Reset and remove the CD from CD-ROM drive.

Variants

United States - English