This detection is for a backdoor trojan with rootkit capabilities. If the current user lacks administrative rights, the backdoor attempts to exploit the Windows vulnerability patched by MS08-066 to gain Administrator privileges. It also has password-stealing capabilities and can log keystrokes on the system.
It also removes other backdoors and trojans installed on the system.
It also disables security-related products.
-- Update March 6, 2009 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
Upon execution, it drops the following files:
%Windir% is the Windows directory, usually C:\Windows
%Temp% is the Windows Temp folder, usually C:\Documents and Settings\[USERNAME]\Local Settings\Temp
It registers the rootkit component as a kernel-mode driver service with the following image path:
ImagePath = \??\%Windir%\system32\drivers\[random characters].sys
It adds the following registry entry, which allows the rootkit driver to load even in Safe Mode:
It adds another autostart entry for one of the dropped files, the component responsible for deleting TDSS-related malware:
tdss = %Temp%\[random numbers].exe
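The three persistence indicators above (a driver service whose ImagePath is a \??\ absolute path into system32\drivers with a random-looking name, a SafeBoot entry for that service, and a Run value named tdss pointing into %Temp%) can be hunted for in a registry export. The script below is an added example and is not the vendor's detection logic or the malware's code; the .reg sample it parses is constructed for illustration, and the heuristics (name length and character entropy thresholds, the Temp path pattern) are assumptions, not published indicators.

```python
"""Hunt a .reg export for the TDSS-style persistence pattern described above.

Added example (not from the advisory). The sample export and all thresholds
below are constructed/assumed for illustration.
"""
import math
import re
from collections import Counter

# Constructed sample export: one legitimate driver (Tcpip), one suspicious
# driver service with a random name and \??\ absolute path, a SafeBoot entry
# for it, and a Run value named "tdss" pointing into the user's Temp folder.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip]
"ImagePath"="system32\\DRIVERS\\tcpip.sys"
"Type"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\gxvdkwqa]
"ImagePath"="\\??\\C:\\Windows\\system32\\drivers\\gxvdkwqa.sys"
"Type"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\gxvdkwqa]
@="Driver"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"tdss"="C:\\Documents and Settings\\user\\Local Settings\\Temp\\48213.exe"
"ctfmon.exe"="C:\\Windows\\system32\\ctfmon.exe"
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')
SERVICES = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\"
SAFEBOOT_PREFIXES = (
    "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Minimal\\",
    "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Network\\",
)
# \??\<anything>\system32\drivers\<name>.sys  (the advisory's ImagePath shape)
DRIVER_PATH_RE = re.compile(r"^\\\?\?\\.*\\system32\\drivers\\([^\\]+)\.sys$", re.IGNORECASE)
# Executable located directly under a Temp directory (assumed %Temp% shape)
TEMP_PATH_RE = re.compile(r"\\Temp\\[^\\]+\.exe$", re.IGNORECASE)


def parse_reg(text):
    """Parse .reg text into {key: {value_name: data}}. REG_SZ strings are
    unescaped, dwords become ints, any other type is kept as raw text."""
    hives, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry"):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            hives[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = "@" if m.group(2) else m.group(1)
            data = m.group(3)
            if data.startswith('"') and data.endswith('"'):
                data = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
            elif data.startswith("dword:"):
                data = int(data[6:], 16)
            hives[current][name] = data
    return hives


def entropy(s):
    """Shannon entropy in bits per character."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def looks_random(name, min_len=6, min_entropy=2.5):
    """Assumed heuristic for '[random characters]' driver names: alphanumeric,
    reasonably long, and with high per-character entropy."""
    return len(name) >= min_len and name.isalnum() and entropy(name) >= min_entropy


def hunt(reg):
    """Return a list of findings, each with a type, the offending path and reasons."""
    findings = []
    safeboot = set()
    for key in reg:
        for prefix in SAFEBOOT_PREFIXES:
            if key.lower().startswith(prefix.lower()):
                safeboot.add(key[len(prefix):].lower())
    for key, values in reg.items():
        if key.lower().startswith(SERVICES.lower()):
            svc = key[len(SERVICES):]
            if "\\" in svc:  # skip Parameters/Enum subkeys of a service
                continue
            image = values.get("ImagePath", "")
            m = DRIVER_PATH_RE.match(image) if isinstance(image, str) else None
            if not m or not looks_random(m.group(1)):
                continue
            reasons = ["driver ImagePath is a \\??\\ absolute path into system32\\drivers",
                       "random-looking driver name %r" % m.group(1)]
            if svc.lower() in safeboot:
                reasons.append("service listed under SafeBoot, so it loads in Safe Mode")
            findings.append({"type": "rootkit_driver", "service": svc, "path": image, "reasons": reasons})
        elif key.lower().endswith("\\currentversion\\run"):
            for name, data in values.items():
                if isinstance(data, str) and TEMP_PATH_RE.search(data):
                    reasons = ["autostart executable located in a Temp directory"]
                    if name.lower() == "tdss":
                        reasons.append("value name 'tdss' matches the advisory")
                    findings.append({"type": "temp_autostart", "value": name, "path": data, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in hunt(parse_reg(SAMPLE_REG)):
        print(f["type"], f.get("service") or f.get("value"), "->", f["path"])
        for r in f["reasons"]:
            print("   -", r)
```

To use it on a real host, feed it the text of `reg export HKLM\SYSTEM` and `reg export HKCU` (decode the files as UTF-16 first). Treat hits as triage leads rather than verdicts: some legitimate third-party drivers also use \??\ paths, and the entropy threshold will not catch every randomised name. Note also that a kernel rootkit can hide its own service key from queries made on the running system, so an export taken from an offline hive is more trustworthy than one taken on the infected host.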
It creates the following mutex:
This backdoor checks whether the current user has Administrator privileges. If not, it attempts to exploit the vulnerability addressed by MS08-066 (a local elevation-of-privilege flaw in the Ancillary Function Driver, afd.sys) to gain Administrator privileges.
It connects to the following sites:
Once running, the attacker is able to perform various tasks, including:
Confidential information it collects includes the following:
- system information such as the installed OS, username, and other global information
- network information such as netstat output, network users, and IP addresses
- installed applications
- visited websites and cookies
- Outlook Express, SMTP, POP3, and IMAP
- FlashFXP, RimArts, WinProxy, WinAppsPlanet
- Windows Live, WebDrive, America Online
- Google Talk, Google Desktop, Poppy for Windows
It also removes other backdoors and trojans installed on the system.
It terminates processes and deletes files whose names contain the following strings:
It also deletes the autorun registry entries that reference the above files.
It also deletes the following files if found in the Windows System directory:
It also deletes other malware entries under the following registry keys:
Most of the registry entries, files, and processes it targets for removal are related to the following:
This backdoor disables the AVG, Avira, CA, Outpost, Kaspersky, and Windows Defender security products, and disables Windows Firewall, by sending malformed messages to their application windows.
This backdoor also tries to identify possibly malicious SYS files in the %Windir%\system32\drivers folder and attempts to delete them. Because this identification is heuristic, legitimate SYS files may be deleted as well, breaking the drivers they belong to.
Trojans do not self-replicate. They are spread manually, often under the pretense that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email, etc.
Use current engine and DAT files for detection and removal.
Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).