BackDoor-EMN

This backdoor is related to the newly discovered Internet Explorer 0-day, according to the CVE-2010-0806 and Microsoft security advisory: http://www.microsoft.com/technet/security/advisory/981374.mspx

When run, the malware will create copy itself to:

• C:\Documents and Settings\<USERNAME>\Local Settings\Temp\note.exe
• C:\Documents and Settings\<USERNAME>\Local Settings\Temp\clipsvc.exe
• C:\Documents and Settings\<USERNAME>\Local Settings\Temp\wshipl.dll

And create a registry key to ensure that it will run when the system restarts:

•  Software\Microsoft\Windows\CurrentVersion\Run\note: "C:\Documents and Settings\<USERNAME>\Local Settings\Temp\note.exe -installkys"

• Presence of the files mentioned above
• Unexplained activity on the victim's machine indicative of someone having remote access via the client component
• Network connection to remote host notes.topix21century.com

• This trojan infects a machine after the exploitation of the Internet Explorer vulnerability described at http://www.microsoft.com/technet/security/advisory/981374.mspx

Also, as a general rule:

• Trojans do not self-replicate. They spread manually, often under the premise that the executable is something beneficial.
• Trojans may also be received as a result of poor security practices, or un-patched machines and vulnerable systems.
• Distribution channels include IRC, peer-to-peer networks, email, newsgroups postings, etc.

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).