BackDoor-DNM

--- Update April 04, 2008 --
The risk assessment of this threat was updated to Low-Profiled due to media attention at

http://www.darkreading.com/document.asp?doc_id=150052

Upon execution, this trojan copies itself into the %System32% folder as "CbEvtSvc.exe"

It then launches the new executable as a new system service.

Files Added

%system32%\CbEvtSvc.exe

Registry entries added

• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\CbEvtSvc
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\CbEvtSvc\Enum
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\CbEvtSvc\Security
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CBEVTSVC "NextInstance"
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CBEVTSVC\0000 "Class"
   Data: LegacyDriver
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CBEVTSVC\0000 "ClassGUID"
   Data: {8ECC055D-047F-11D1-A537-0000F8753ED1}
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CBEVTSVC\0000 "ConfigFlags"
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CBEVTSVC\0000 "DeviceDesc"
   Data: CbEvtSvc
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CBEVTSVC\0000 "Legacy"
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CBEVTSVC\0000 "Service" Data: CbEvtSvc
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CBEVTSVC\0000\Control "*NewlyCreated*"
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CBEVTSVC\0000\Control "ActiveService"
   Data: CbEvtSvc
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CbEvtSvc "DisplayName"
   Data: CbEvtSvc
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CbEvtSvc "ErrorControl"
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CbEvtSvc "ImagePath"
   Data: %SystemRoot%\System32\CbEvtSvc.exe -k netsvcs
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CbEvtSvc "ObjectName"
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CbEvtSvc "Opt"
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CbEvtSvc "Start"
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CbEvtSvc "Type"
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CbEvtSvc\Enum "0"
   Data: Root\LEGACY_CBEVTSVC\0000
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CbEvtSvc\Enum "Count"
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CbEvtSvc\Enum "NextInstance"
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CbEvtSvc\Security "Security"

After a long duration (~30 mins), this trojan downloads additional malware programs form different websites.

• http://digitaltreath.info/a[REMOVED].exe
• http://207.10.234.217/ldrctl/user/2[REMOVED].exe
• http://digitaltreath.info/d[REMOVED].exe

• Presence of files and registry entries mentioned.

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email, etc.

All Users:

Please use the following instructions for all supported versions of Windows to remove threats and other potential risks:

1.Disable System Restore .

2.Update to current engine and DAT files for detection and removal.

3.Run a complete system scan.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

1. Please go to the Microsoft Recovery Console and restore a clean MBR.

On windows XP:

Insert the Windows XP CD into the CD-ROM drive and restart the computer.
When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
Select the Windows installation that is compromised and provide the administrator password
Issue 'fixmbr' command to restore the Master Boot Record
Follow onscreen instructions
Reset and remove the CD from CD-ROM drive.