BackDoor-AUZ.dll

This page shows the details and results of our analysis of the malware BackDoor-AUZ.dll.

Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.


Minimum DAT

4659 (2005-12-26)

Updated DAT

6153 (2010-10-31)

Minimum Engine

5.3.00

File Length

varies

Description Added

2005-12-26

Description Modified

2010-08-23

Malware Proliferation

Characteristics

Update - 23/08/2010
One of the recent variants has the capability to act as an FTP server.
It can also receive and execute several commands, listed below with the help text the backdoor returns for each:

Command...........Description
?.................Help List
exit..............exit system
state.............Examine Live Open Services.
delfile...........delfile filepath,del file
lcxstop...........stop lcx
xftpdown..........xftp host user pwd remotefilepath localfilepath,down file
xftpup............xftp host user pwd filepath,copy file to FtpServer
ftpsvrstop........stop ftp server
ftpsvr............start ftp server [port] [path] [user] [password]
smb...............smb port
screen............screen filepath,copy screen to file
info..............Get system info
findpass..........Get all logon user's username and password
restart...........reboot system
geturl............geturl url [-y or -n],get file from 'url'
pskill............pID,Kill the process of remote machine
pslist............Get process list from remote machine
lcx...............Transmit Port
xver..............Get the version installed

Symptoms

The backdoor's service is visible, including under safe mode.
Unusual/unexpected ports are open on the machine.
Unusual/unexpected network activity.
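Because the ftpsvr command above takes its port as an argument, there is no fixed port to look for; the practical check for the "unexpected ports" symptom is to compare current listeners against a known-good baseline for the host. The following added example (not McAfee's code) parses `netstat -ano` output, reports TCP listeners outside the baseline, and lists processes that both accept connections and hold an established session elsewhere. The netstat text, the baseline port set, and the PIDs are all constructed for this example.

```python
"""Baseline check for the 'unexpected open ports' symptom.

Added example, not McAfee's code. The netstat output and the baseline below
are constructed for this example; on a real host, capture `netstat -ano`
and build the baseline from a known-clean snapshot of the same machine.
"""
import re

# Constructed sample of `netstat -ano` output (Windows format), not a real capture.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1044
  TCP    0.0.0.0:2121           0.0.0.0:0              LISTENING       2876
  TCP    192.168.1.20:49673     203.0.113.5:4444       ESTABLISHED     2876
  UDP    0.0.0.0:500            *:*                                    1200
"""

# Known-good TCP listening ports for this hypothetical host (assumption).
BASELINE_TCP_LISTENERS = {135, 445, 3389}

# One netstat row: proto, local addr:port, foreign addr, optional state, PID.
# UDP rows carry no state column, hence the optional group.
LINE_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s+"
    r"(LISTENING|ESTABLISHED|TIME_WAIT|CLOSE_WAIT|SYN_SENT)?\s*(\d+)\s*$"
)

def parse_netstat(text: str) -> list:
    """Turn netstat -ano text into a list of row dicts; header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, laddr, lport, raddr, state, pid = m.groups()
        rows.append({"proto": proto, "local": laddr, "port": int(lport),
                     "remote": raddr, "state": state or "", "pid": int(pid)})
    return rows

def unexpected_listeners(rows: list, baseline: set) -> list:
    """(port, pid) pairs for TCP listeners whose port is not in the baseline."""
    return sorted(
        (r["port"], r["pid"]) for r in rows
        if r["proto"] == "TCP" and r["state"] == "LISTENING" and r["port"] not in baseline
    )

def pids_listening_and_connected(rows: list) -> list:
    """PIDs that both listen on a TCP port and hold an ESTABLISHED TCP session.

    A process doing both warrants a closer look: the backdoor answers commands
    over a connection, and its ftpsvr command opens a listener on top of that.
    """
    listeners = {r["pid"] for r in rows if r["proto"] == "TCP" and r["state"] == "LISTENING"}
    connected = {r["pid"] for r in rows if r["proto"] == "TCP" and r["state"] == "ESTABLISHED"}
    return sorted(listeners & connected)

if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    print("unexpected listeners:", unexpected_listeners(rows, BASELINE_TCP_LISTENERS))
    print("listening and connected:", pids_listening_and_connected(rows))
```

Feed it a live capture with `parse_netstat(subprocess.check_output(["netstat", "-ano"], text=True))` on the host under investigation; the flagged PIDs can then be matched against the running services and processes.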

Method of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, etc. An attacker who has already broken into a system can also install the service manually.

Removal

All Users:
Use the current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be removed successfully when cleaning with the recommended engine and DAT combination (or higher).

Variants