Backdoor-DKT

This page shows the details and results of our analysis of the malware Backdoor-DKT.

Overview

-- Update February 2, 2007 --
This threat is considered to be a Low-Profiled risk due to media attention at: http://blog.washingtonpost.com/securityfix/2007/02/official_superbowl_site_pushin.html?nav=rss_blog

An EXTRA.DAT for Backdoor-DKT is currently available via the Extra.dat Request Page.
--

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc. This trojan is downloaded when the MS07-004 vulnerability is exploited by visiting the SuperBowl 2006 web page (the Dolphin Stadium website).

Minimum DAT: 4956 (2007-02-05)

Updated DAT: 4974 (2007-03-01)

Minimum Engine: 5400.1158

File Length: 20,992

Description Added: 2007-02-02

Description Modified: 2007-02-02

Malware Proliferation

Characteristics

This backdoor is a trojan dropped by a Generic Dropper malware. The original malware was hidden on a web page of the SuperBowl (the Dolphin Stadium website). An iframe on that page redirected the visitor to another website, which attempted to exploit the MS07-004 vulnerability and download the dropper component.

Once downloaded, the dropper installs the backdoor as a service named MSMGS.EXE.

Symptoms

The backdoor communicates with a remote website to get instructions and expects one of the following responses:
- insert OK
- update OK
These responses let it update itself and send information. A new service called MSMSGS.EXE is created on the machine, with the company name spoofed as Kaspersky Lab.
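The following Python triage routine is an added defender-side example, not part of the AVERT description: it combines the host indicators given above (service binary name, spoofed company name, file length) and matches the controller responses the backdoor expects in a captured HTTP body. The service inventory records and the HTTP body are constructed samples; the path and size of the legitimate Messenger binary are assumptions.

```python
import re
from dataclasses import dataclass

@dataclass
class ServiceRecord:
    """One installed service, as a responder would collect it from an inventory."""
    name: str
    image_path: str
    company_name: str   # CompanyName from the binary's version resource
    file_size: int      # bytes on disk

# Indicators taken from the description: both spellings of the service binary
# the page gives, the spoofed vendor string, and the sample's file length.
SERVICE_BINARIES = {"msmsgs.exe", "msmgs.exe"}
SPOOFED_COMPANY = "kaspersky lab"
SAMPLE_FILE_LENGTH = 20992
# Replies the backdoor expects from its controller ("insert OK" / "update OK").
C2_RESPONSE = re.compile(rb"^(insert|update) OK[ \t]*\r?$", re.MULTILINE)

def score_service(rec):
    """Return the list of indicators one service record matches (empty = clean)."""
    hits = []
    exe = rec.image_path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    if exe in SERVICE_BINARIES:
        hits.append("service-binary-name")
        # Windows' own msmsgs.exe never claims Kaspersky Lab as its vendor.
        if SPOOFED_COMPANY in rec.company_name.lower():
            hits.append("spoofed-company-name")
        if rec.file_size == SAMPLE_FILE_LENGTH:
            hits.append("file-length")
    return hits

def flag_services(records):
    """Map service name -> matched indicators for services hitting two or more."""
    flagged = {}
    for rec in records:
        hits = score_service(rec)
        if len(hits) >= 2:
            flagged[rec.name] = hits
    return flagged

def c2_responses(http_body):
    """Lines of a captured HTTP response body that match the expected replies."""
    return [m.group(0).decode().strip() for m in C2_RESPONSE.finditer(http_body)]

# Constructed samples (assumed paths and sizes; not data from a real host).
SAMPLE_SERVICES = [
    ServiceRecord("Messenger", r"C:\Program Files\Messenger\msmsgs.exe",
                  "Microsoft Corporation", 1695232),
    ServiceRecord("MSMSGS", r"C:\WINDOWS\system32\MSMSGS.EXE",
                  "Kaspersky Lab", 20992),
]
SAMPLE_BODY = b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\ninsert OK\r\n"
```

A service matching only the binary name (like the constructed Messenger entry) is reported by score_service but not flagged, so the name alone does not raise an alert.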

Method of Infection

This variant is dropped by Generic Dropper.p, which is downloaded through exploitation of MS07-004; the exploit is triggered by visiting specially crafted web pages.

Removal

A combination of the latest DATs and the Engine will detect and remove this threat. AVERT recommends that users not trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.


Variants