BackDoor-DMD

This page shows details and results of our analysis on the malware BackDoor-DMD

Overview

  • Detection was added to cover protection against a backdoor trojan originally called "mspass.exe", having a file size of 108.032 bytes.


Minimum DAT

5100 (2007-08-17)

Updated DAT

5222 (2008-02-04)

Minimum Engine

5.1.00

File Length

108.032

Description Added

2007-08-16

Description Modified

2007-08-16

Malware Proliferation

Characteristics

Detection was added to cover protection against a backdoor trojan originally called "mspass.exe", having a file size of 108.032 bytes.

The file is internally compressed with the UPX packer.

The file was created with the Microsoft Visual Basic 5 (msvb50) development tool.

The file pretends to be related to Instant Messenger Password Recovery.

Upon execution, it runs silently; no GUI messages appear on the screen.

It copies itself as msjvms32.exe to the Windows system directory (%windows%\system) and creates a registry entry to launch itself automatically upon system start, for example on a Windows 2000 system:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "MsJavaVirtualMachin32", with Data: c:\winnt\system32\msjvms32.exe (file size 108.032 bytes)

To enhance its chances of working properly, it may also drop the file MSWINSCK.OCX into the system directory; this is a legitimate file (the Microsoft Winsock control) that can be found on Windows NT-based systems.

It may try to disable the firewall, download other files and upload grabbed data.

The application creates the following network connection(s):

  • 129.##.#.248:6667 (IRC; the exact IP address has been replaced with # markings on purpose here)


Symptoms

  • Presence of the file(s) "mspass.exe" and/or "msjvms32.exe", having a file size of 108.032 bytes.
  • Presence of the registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "MsJavaVirtualMachin32", with Data: c:\winnt\system32\msjvms32.exe (file size 108.032 bytes)
  • Unexpected network traffic to 129.##.#.248:6667 (IRC; the exact IP address has been replaced with # markings on purpose here)
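The following triage script is an added example and is not part of the original advisory or of any vendor tool. It checks a single Windows host for the three symptom classes listed above: the dropped files in the system directory (comparing their size with the 108.032 bytes stated in the advisory), the "MsJavaVirtualMachin32" value under the HKLM Run key, and live TCP connections to port 6667. Because the advisory redacts the IRC server address, only the port is checked, so a hit on the network indicator must be confirmed against the owning process before acting on it. The cmdlet Get-NetTCPConnection is assumed to be available (Windows 8 / Server 2012 and later); the script runs from an elevated PowerShell prompt.

```powershell
# Added triage script (not from the original advisory): checks a Windows host for the
# BackDoor-DMD indicators listed in the Symptoms section. File names, the Run value name
# and the expected size come from the advisory; the IRC server address is redacted there,
# so only the destination port (6667) is checked. Run from an elevated prompt.

$ExpectedSize = 108032                          # advisory: 108.032 bytes
$RunValueName = 'MsJavaVirtualMachin32'         # advisory: Run value name
$DroppedNames = @('mspass.exe', 'msjvms32.exe') # advisory: original and copied file names
$SystemDir    = [Environment]::GetFolderPath('System')   # e.g. C:\Windows\system32
$Findings     = @()

# 1. Dropped files in the system directory.
foreach ($name in $DroppedNames) {
    $path = Join-Path $SystemDir $name
    if (Test-Path -LiteralPath $path) {
        $size = (Get-Item -LiteralPath $path).Length
        $note = if ($size -eq $ExpectedSize) { 'size matches advisory' }
                else { "size $size bytes, differs from advisory" }
        $Findings += [pscustomobject]@{ Indicator = 'File'; Detail = "$path ($note)" }
    }
}

# 2. Autostart entry in the HKLM Run key. Missing values are silently skipped.
$runKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$runValue = Get-ItemProperty -Path $runKey -Name $RunValueName -ErrorAction SilentlyContinue
if ($runValue) {
    $target = [string]$runValue.$RunValueName
    $Findings += [pscustomobject]@{ Indicator = 'Registry'; Detail = "$runKey\$RunValueName = $target" }
    # The value data is the launch path; check that file too, wherever it points
    # (it may sit outside the system directory on a modified variant).
    $targetPath = $target.Trim('"')
    if ($targetPath -and (Test-Path -LiteralPath $targetPath)) {
        $size = (Get-Item -LiteralPath $targetPath).Length
        $Findings += [pscustomobject]@{ Indicator = 'File'; Detail = "$targetPath (referenced by Run value, $size bytes)" }
    }
}

# 3. Live TCP connections to the IRC port used by the backdoor. Guarded because the
#    cmdlet does not exist on older Windows versions.
if (Get-Command Get-NetTCPConnection -ErrorAction SilentlyContinue) {
    $irc = Get-NetTCPConnection -RemotePort 6667 -ErrorAction SilentlyContinue
    foreach ($c in $irc) {
        $proc = (Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue).ProcessName
        $Findings += [pscustomobject]@{
            Indicator = 'Network'
            Detail    = "$($c.LocalAddress):$($c.LocalPort) -> $($c.RemoteAddress):6667 ($($c.State), pid $($c.OwningProcess) $proc)"
        }
    }
}

if ($Findings.Count -eq 0) {
    Write-Output 'No BackDoor-DMD indicators found on this host.'
} else {
    Write-Output 'Possible BackDoor-DMD indicators:'
    $Findings | Format-Table -AutoSize
}
```

A file whose size differs from 108.032 bytes is still reported, since a repacked variant keeps the name while changing the size; the size note only tells the analyst how closely the find matches the sample described here. Port 6667 is also used by legitimate IRC clients, so a network hit is a prompt to inspect the owning process, not a verdict on its own.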


Method of Infection

  • Manual infection: there is no exploit associated with this threat.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).

In some particular cases, however, the following steps need to be taken.

Go to the Microsoft Recovery Console and restore a clean MBR.

On Windows XP:

  • Insert the Windows XP CD into the CD-ROM drive and restart the computer.
  • When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
  • Select the Windows installation that is compromised and provide the administrator password.
  • Issue the 'fixmbr' command to restore the Master Boot Record.
  • Follow the on-screen instructions.
  • Restart the computer and remove the CD from the CD-ROM drive.


On Windows Vista and 7:

  • Insert the Windows CD into the CD-ROM drive and restart the computer.
  • Click on "Repair Your Computer".
  • When the System Recovery Options dialog comes up, choose the Command Prompt.
  • Issue the 'bootrec /fixmbr' command to restore the Master Boot Record.
  • Follow the on-screen instructions.
  • Restart the computer and remove the CD from the CD-ROM drive.

Variants