BackDoor-CZL.dr

Upon launching the PowerPoint document "newplan.ppt", the following opening slide is displayed:

While the slide show is being played, it takes advantage of a vulnerability found in Microsoft Office to silently drop the following files:

%Windir%\%SYSDIR%\wbem\wmiadapt.exe
%Windir%\%SYSDIR%\systhin.dll

For more information regarding the Microsoft Office vulnerability, please visit:

http://www.microsoft.com/technet/security/Bulletin/MS06-012.mspx

It then adds the following values to the registry to auto start itself when Windows starts:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
"Shell" = Explorer.exe "%Windir%\%SYSDIR%\wbem\wmiadapt.exe"

The file "systhin.dll" is injected it into the system process svchost.exe and contains backdoor capabilities. It attempts to contact a remote ip address to download a file "systanen.exe"

• Remote ip : 220.76.123.xxx
• Port : 6004

NOTE: At the time of writing this description, McAfee AVERT did not see the downloading of any files as they may have been moved or deleted at the remote site.

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email, etc.

A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.