This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.
Updated DAT: 4184 (2002-01-30)
Length: 6,144 bytes (UPX compressed)
A variety of different samples are detected as BackDoor-FB.svr.gen. The trojans in this family are designed to connect to the author's or distributor's website to download further files, typically other trojans or viruses. Below is a description of one specific BackDoor-FB.svr.gen variant, the one dropped by W32/Myparty@MM.
When the W32/Myparty@MM virus executable is run on a Windows NT-based machine (Windows NT, 2000 or XP), a variant of this backdoor is dropped into the Startup folder within the profile of the current user as MSSTASK.EXE.
Placing it in the per-user Startup folder ensures the backdoor is executed each time that user logs on, at which point it goes memory resident and the machine is exposed to the backdoor's controller.
NB: W32/Myparty@MM only mass-mails itself and drops the backdoor component if the system date falls within the range 25th to 29th January 2002 inclusive.
Outside this date range, no backdoor component is dropped.
MSSTASK.EXE is compressed with UPX, and is 6,144 bytes in length (unpacked the file is 152,064 bytes).
Once running, the backdoor tries to connect to the following IP address in order to download the command file that operates the backdoor:
A second W32/Myparty@MM variant, which only operates between 20th and 24th January 2002 (and so will no longer replicate on machines whose date is set correctly), drops a backdoor component identical to the one described above; the only difference is the date range in which the backdoor is dropped.
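As an added example (not part of the original description and not a McAfee tool), the following Python script sweeps per-user Startup folders for the dropped MSSTASK.EXE, checks each hit against the size and UPX-packing indicators given above, and encodes the two date-gated trigger windows so an analyst replaying the dropper in a sandbox knows what the system clock must read. The profile layouts, the function names and the demo profile it builds are assumptions; the sample file is constructed bytes, not malware.

```python
import tempfile
from datetime import date
from pathlib import Path

# Indicators taken from the description above.
DROPPED_NAME = "MSSTASK.EXE"
PACKED_SIZE = 6144  # UPX-compressed length reported for the dropped file
UPX_SECTION_MARKERS = (b"UPX0", b"UPX1")

# Per-user Startup folders relative to a profile root. Both layouts are
# assumptions for this example: the first is the NT4/2000/XP layout, the
# second the Vista-and-later layout.
STARTUP_SUBDIRS = (
    Path("Start Menu") / "Programs" / "Startup",
    Path("AppData") / "Roaming" / "Microsoft" / "Windows"
    / "Start Menu" / "Programs" / "Startup",
)

# Trigger windows stated in the description: the dropper only mass-mails
# and drops the backdoor while the system date is inside its window.
TRIGGER_WINDOWS = {
    "first": (date(2002, 1, 25), date(2002, 1, 29)),
    "second": (date(2002, 1, 20), date(2002, 1, 24)),
}


def looks_upx_packed(data: bytes) -> bool:
    """Cheap heuristic: an MZ file whose first 4 KiB carry UPX0/UPX1 section
    names. A packer build with renamed sections would evade this check."""
    head = data[:4096]
    return head[:2] == b"MZ" and all(m in head for m in UPX_SECTION_MARKERS)


def scan_profile(profile_root) -> list[dict]:
    """Return findings for MSSTASK.EXE in the Startup folders of one profile."""
    findings = []
    for sub in STARTUP_SUBDIRS:
        startup = Path(profile_root) / sub
        if not startup.is_dir():
            continue
        for entry in startup.iterdir():
            if entry.name.upper() != DROPPED_NAME or not entry.is_file():
                continue
            data = entry.read_bytes()
            findings.append({
                "path": str(entry),
                "size": len(data),
                "size_matches": len(data) == PACKED_SIZE,
                "upx_packed": looks_upx_packed(data),
            })
    return findings


def scan_profiles(profiles_root) -> list[dict]:
    """Scan every profile directory under e.g. C:\\Documents and Settings."""
    results = []
    root = Path(profiles_root)
    if root.is_dir():
        for profile in sorted(root.iterdir()):
            if profile.is_dir():
                results.extend(scan_profile(profile))
    return results


def drops_backdoor(system_date, variant: str = "first") -> bool:
    """True if the named W32/Myparty@MM variant would drop the backdoor on
    that system date (date object or ISO string)."""
    if isinstance(system_date, str):
        system_date = date.fromisoformat(system_date)
    lo, hi = TRIGGER_WINDOWS[variant]
    return lo <= system_date <= hi


def build_demo_profile(profile_root) -> Path:
    """Constructed sample: a fake profile holding a 6,144-byte MZ stub whose
    section names are UPX0/UPX1. Harmless bytes, only for the scanner."""
    startup = Path(profile_root) / STARTUP_SUBDIRS[0]
    startup.mkdir(parents=True, exist_ok=True)
    body = bytearray(PACKED_SIZE)
    body[:2] = b"MZ"
    body[0x200:0x204] = b"UPX0"
    body[0x228:0x22C] = b"UPX1"
    (startup / DROPPED_NAME).write_bytes(bytes(body))
    return startup


def demo() -> list[dict]:
    """Build one constructed profile in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        profiles = Path(tmp) / "Documents and Settings"
        build_demo_profile(profiles / "alice")
        return scan_profiles(profiles)


if __name__ == "__main__":
    for hit in demo():
        print(hit)
    for d in ("2002-01-22", "2002-01-27", "2002-01-30"):
        print(d, drops_backdoor(d, "first"), drops_backdoor(d, "second"))
```

On a live system, point scan_profiles at the real profiles root (C:\Documents and Settings on NT/2000/XP, C:\Users on Vista and later) rather than at demo(); a hit whose size or packing does not match still deserves a look, since it shares the dropped file's name and location.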
This backdoor is dropped into the Startup folder within a user's profile when the W32/Myparty@MM virus is executed upon an NT (NT/2000/XP) machine.
Use current engine and DAT files for detection and removal.
Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be removed successfully when cleaning with the recommended engine and DAT combination (or higher).
In some particular cases, however, the following additional steps need to be taken.
Boot into the Microsoft Recovery Console and restore a clean MBR.
On Windows XP:
On Windows Vista and 7: