BackDoor-FB.svr.gen

This page shows details and results of our analysis of the malware BackDoor-FB.svr.gen.

Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.


Minimum DAT

4184 (2002-01-30)

Updated DAT

4625 (2005-11-10)

Minimum Engine

5400.1158

File Length

6,144 bytes (UPX compressed)

Description Added

2002-01-28

Description Modified

2002-01-31


Characteristics

A variety of different samples are detected as BackDoor-FB.svr.gen. The trojans in this family are designed to connect to the author's or distributor's website to download various files. Typically these files are other trojans or viruses. Below is a description of a specific BackDoor-FB.svr.gen variant, the one dropped by W32/Myparty@MM.

When the W32/Myparty@MM virus executable is run on a Windows NT-based machine (Windows NT, 2000 or XP), a variant of this backdoor is dropped as MSSTASK.EXE into the Startup folder within the profile of the current user:

%userprofile%\Start Menu\Programs\Startup\msstask.exe

This ensures the backdoor is executed upon system startup, at which point it goes memory resident, and the machine is rendered vulnerable.

NB: W32/Myparty@MM only mass-mails itself and drops the backdoor component if the system date is within the following range:

25th - 29th January 2002 inclusive

Outside of this date range, no backdoor component is dropped.

MSSTASK.EXE is compressed with UPX, and is 6,144 bytes in length (unpacked the file is 152,064 bytes).

Once running, the backdoor tries to connect to the following IP address:

http://209.151.250.170/

in order to download the command file that operates the backdoor.

A second W32/Myparty@MM variant, which only operates between 20th-24th January 2002 (and hence will not replicate on machines with a correctly set date now), drops a backdoor component identical to the one described above. The only difference is the date range in which the backdoor is dropped.

Symptoms

  • Presence of the file MSSTASK.EXE (6,144 bytes) in the startup folder within a user's profile.
  • Network traffic to the following IP address: 209.151.250.170. This is where the backdoor command file resides.
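As an added example (not part of the McAfee description), the two symptoms above can be checked mechanically: a Python script that looks for a 6,144-byte MSSTASK.EXE under a per-user Startup folder in a file listing, and that flags connections to 209.151.250.170 in firewall log lines. The file listing, the log lines and their field layout (date, time, action, protocol, source IP, source port, destination IP, destination port) are constructed here for illustration; the indicators themselves are the ones stated on this page.

```python
"""Checker for the BackDoor-FB.svr.gen symptoms listed on the page.

Added example; the sample listing and log format below are constructed,
not taken from any real system or from the McAfee description.
"""
from pathlib import PureWindowsPath

# Indicators stated on the page.
INDICATOR_FILENAME = "msstask.exe"
INDICATOR_SIZE = 6144                   # packed (UPX) size of the dropped file
INDICATOR_IP = "209.151.250.170"        # host serving the backdoor's command file

# Per-user Startup folder suffix from %userprofile%\Start Menu\Programs\Startup
STARTUP_SUFFIX = [p.lower() for p in PureWindowsPath("Start Menu/Programs/Startup").parts]


def is_suspect_startup_file(path: str, size: int) -> bool:
    """True when path names an MSSTASK.EXE of the stated size that sits
    directly inside a user's Startup folder (case-insensitive, as on Windows)."""
    p = PureWindowsPath(path)
    if p.name.lower() != INDICATOR_FILENAME or size != INDICATOR_SIZE:
        return False
    parent_parts = [part.lower() for part in p.parent.parts]
    return parent_parts[-len(STARTUP_SUFFIX):] == STARTUP_SUFFIX


def scan_file_listing(listing):
    """listing: iterable of (path, size_in_bytes) pairs, e.g. from a directory
    walk of every profile. Returns the paths matching the file indicator."""
    return [path for path, size in listing if is_suspect_startup_file(path, size)]


def scan_firewall_log(lines):
    """Return one dict per line whose destination IP is the indicator host.
    Constructed layout: date time action proto src_ip src_port dst_ip dst_port."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 8:
            continue                    # malformed or truncated line: skip
        date, time, _action, proto, src, _sport, dst, dport = fields[:8]
        if dst == INDICATOR_IP:
            hits.append({"when": f"{date} {time}", "src": src,
                         "proto": proto, "dst_port": dport})
    return hits


# Constructed sample input: one infected profile, one file with the wrong size
# (152,064 is the unpacked length the page gives), one unrelated similarly
# named binary outside any Startup folder.
SAMPLE_LISTING = [
    (r"C:\Documents and Settings\alice\Start Menu\Programs\Startup\msstask.exe", 6144),
    (r"C:\Documents and Settings\bob\Start Menu\Programs\Startup\msstask.exe", 152064),
    (r"C:\WINNT\system32\msstask.exe", 6144),
]

SAMPLE_LOG = [
    "2002-01-26 09:12:01 ALLOW TCP 10.0.0.5 1043 209.151.250.170 80",
    "2002-01-26 09:12:05 ALLOW TCP 10.0.0.5 1044 198.51.100.7 80",
    "2002-01-26 09:13:40 ALLOW TCP 10.0.0.9 1101 209.151.250.170 80",
    "2002-01-26 09:14:02 ALLOW UDP 10.0.0.5 1045 10.0.0.1 53",
    "truncated line",
]

if __name__ == "__main__":
    for path in scan_file_listing(SAMPLE_LISTING):
        print("suspect startup file:", path)
    for hit in scan_firewall_log(SAMPLE_LOG):
        print("contact with command-file host:", hit)
```

A file name and size alone are weak evidence (the page notes the unpacked copy is 152,064 bytes, and any benign file could share the name), so a match should be confirmed with a current engine and DAT scan; the network indicator, by contrast, identifies the host that needs a second look regardless of which sample dropped it.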

Method of Infection

This backdoor is dropped into the Startup folder within a user's profile when the W32/Myparty@MM virus is executed upon an NT (NT/2000/XP) machine.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

But in some particular cases, the following steps need to be taken.

Please go to the Microsoft Recovery Console and restore a clean MBR.

On Windows XP:

  • Insert the Windows XP CD into the CD-ROM drive and restart the computer.
  • When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
  • Select the Windows installation that is compromised and provide the administrator password.
  • Issue the 'fixmbr' command to restore the Master Boot Record.
  • Follow onscreen instructions.
  • Reset the computer and remove the CD from the CD-ROM drive.


On Windows Vista and 7:

  • Insert the Windows CD into the CD-ROM drive and restart the computer.
  • Click on "Repair Your Computer".
  • When the System Recovery Options dialog comes up, choose the Command Prompt.
  • Issue the 'bootrec /fixmbr' command to restore the Master Boot Record.
  • Follow onscreen instructions.
  • Reset the computer and remove the CD from the CD-ROM drive.

Variants