BackDoor-DOQ.gen.e

This page shows the details and results of our analysis of the malware BackDoor-DOQ.gen.e.

Overview

The BackDoor-DOQ.gen.e trojan has a number of threat vectors, such as connecting to IRC, downloading additional malware from a remote site, and spreading via USB drives and network shares.


Minimum DAT: 5635 (2009-06-03)

Updated DAT: 5759 (2009-10-02)

Minimum Engine: 5.2.00

File Length: N/A

Description Added: 2009-06-03

Description Modified: 2009-07-20

Malware Proliferation

Characteristics

These are general defaults for typical path variables (they may differ, but these values are common):
%WinDir% = \WINDOWS (Windows 9x/ME/XP/Vista), \WINNT (Windows NT/2000)
%SystemDir% = \WINDOWS\SYSTEM (Windows 98/ME), \WINDOWS\SYSTEM32 (Windows XP/Vista), \WINNT\SYSTEM32 (Windows NT/2000)
%ProgramFiles% = \Program Files


On execution, it creates and runs a copy of itself as smsg.exe in the %SysDir% folder. It also drops a driver file, sysdrv32.sys, in the %SysDir%\drivers folder; this driver is detected as Generic Rootkit.g.

It connects to the remote host b.vsxxxx.com over TCP port 80 and downloads the following file:

  • %USERPROFILE%\local settings\temp\76.exe

It then copies itself into the %SysDir% folder under the following names:

  • %SysDir%\00.scr
  • %SysDir%\04.scr
  • %SysDir%\06.scr
  • %SysDir%\07.scr
  • %SysDir%\08.scr
  • %SysDir%\10.scr
  • %SysDir%\11.scr
  • %SysDir%\12.scr
  • %SysDir%\13.scr
  • %SysDir%\14.scr
  • %SysDir%\15.scr
  • %SysDir%\16.scr
  • %SysDir%\77.scr

It creates the following registry entries so that it runs at system startup (including in Safe Mode):

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    Windows System Spooler = %SysDir%\smsg.exe
  • HKEY_LOCAL_MACHINE\CurrentControlSet\Control\SafeBoot\Minimal\SVCWINSPOOL
    (Default) = "Service"
  • HKEY_LOCAL_MACHINE\CurrentControlSet\Control\SafeBoot\Network\SVCWINSPOOL
    (Default) = "Service"

It also creates the following registry entries, which register the dropped driver as a service:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sysdrv32
    Type = 00000001
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sysdrv32
    Start = 00000003
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sysdrv32
    ErrorControl = 00000001
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sysdrv32
    ImagePath = %SysDir%\drivers\sysdrv32.sys 
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sysdrv32
    DisplayName = "Play Port I/O Driver"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sysdrv32
    Group = "SST wanport drivers"

To bypass Windows Firewall restrictions, it adds itself to the list of authorized applications with the following registry entry:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
    %SysDir%\smsg.exe "%SysDir%\smsg.exe:*:Microsoft Enabled"

It spreads via network shares and removable drives by creating a copy of itself named lan.exe together with an autorun.inf file on the removable drive; the autorun.inf file launches the malware automatically on any system that has Autorun enabled for removable drives.

It connects to an IRC server running on the remote host b.vsxxxx.com over TCP port 988 and listens for commands from the control server, as shown below:
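As an added example that is not part of the McAfee description, the following read-only PowerShell check looks for the persistence, driver and firewall artifacts listed above on a live host. It assumes %SysDir% is the System32 folder, and it looks up the SafeBoot and firewall keys under HKLM\SYSTEM, where Windows stores them.

```powershell
# Added example: read-only hunt for the BackDoor-DOQ.gen.e artifacts described above.
# Run from an elevated PowerShell session; nothing is modified or deleted.
function Find-DoqArtifacts {
    $sysDir = [Environment]::GetFolderPath('System')   # typically C:\Windows\System32
    $findings = @()

    # Run-key persistence: value "Windows System Spooler" pointing at smsg.exe
    $run = Get-ItemProperty -Path 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
    if ($run -and $run.PSObject.Properties['Windows System Spooler']) {
        $findings += "Run key value 'Windows System Spooler' = $($run.'Windows System Spooler')"
    }

    # Safe-mode persistence keys and the service entry for the dropped rootkit driver
    # (the description omits the SYSTEM hive in the SafeBoot paths; Windows keeps them there)
    foreach ($key in 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SVCWINSPOOL',
                     'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SVCWINSPOOL',
                     'HKLM:\SYSTEM\CurrentControlSet\Services\sysdrv32') {
        if (Test-Path -LiteralPath $key) { $findings += "Registry key present: $key" }
    }

    # Firewall exception for smsg.exe in the XP/2003-era AuthorizedApplications list
    $fwKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
    $fw = Get-ItemProperty -Path $fwKey -ErrorAction SilentlyContinue
    if ($fw) {
        $fw.PSObject.Properties | Where-Object { $_.Name -like '*\smsg.exe' } |
            ForEach-Object { $findings += "Firewall exception: $($_.Name) = $($_.Value)" }
    }

    # Dropped files: smsg.exe, the driver, and the two-digit NN.scr copies
    # (a legitimate two-character screensaver name would also match; review hits manually)
    $scrCopies = Get-ChildItem -Path $sysDir -Filter '??.scr' -File -ErrorAction SilentlyContinue |
                 Select-Object -ExpandProperty FullName
    $files = @("$sysDir\smsg.exe", "$sysDir\drivers\sysdrv32.sys") + @($scrCopies)
    foreach ($f in $files) {
        if (Test-Path -LiteralPath $f) { $findings += "File present: $f" }
    }
    return $findings
}

Find-DoqArtifacts
```

An empty result means none of the listed artifacts were found; a hit on the sysdrv32 service key or the driver file should be treated as a rootkit indicator and the host examined offline rather than trusted from within.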


Symptoms

The symptoms of this detection are the files, registry entries, and network communication referenced in the Characteristics section.

Method of Infection

This malware spreads by its intended methods: infecting removable drives and network shares.

Removal

A combination of the latest DATs and the Engine will detect and remove this threat. AVERT recommends that users not trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media through which users share files.


Variants