This page shows details and results of our analysis on the malware BackDoor-AZV


Threat Detail

  • Malware Type: Trojan
  • Malware Sub-type: Remote Access
  • Protection Added: 2003-10-02

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Malware Proliferation

-- Update Jan 4, 2005 --
There was a recent mass-spamming of a downloader trojan that is proactively detected as BackDoor-AZV.  This trojan attempts to download a new W32/Brepibot variant from 4 different web sites.  The spammed email message may appear as follows:

Subject: Photo Approval Needed
Body: Hello,
Attachment:  (varies, may be one of the following, or others)

  • Article Photos.exe
  • Article+Photos.exe
  • article.exe
  • article_december_#### .exe
  • Photo and Article.exe
  • photo+article.exe

In at least some cases, the files with the .ZIP extension are actually executable files by content and therefore only run when renamed with an executable extension.

-- Update Oct. 14th 2004 --

AVERT has received several field samples with the following subject line: David Beckham Caught With Spanish Girl

The attachment within the email is already detected as BackDoor-AZV in the 4398 DATs. If successfully executed, the trojan will attempt to connect to IRC via port 6667 for remote commands.

-- Update Dec 11th 2003 --

An additional variant of this remote access trojan has been found in the field, which has been packed with the MoleBox packing application. Detection of this is included in the 4309 DAT files.


AVERT has identified a few incidents of this remote access trojan being spammed to newsgroups and recommends that users disallow scripts when viewing posts, and use a newsgroup reader which has this option. Alternatively, this option can be set for the Internet Zone in the security settings of IE5. AVERT also recommends adding ".HTA" to the extension list for pre-4.5 products. The following URL was known to contain the worm:

Since there are multiple versions of this trojan, the icon used may vary. The icon used will typically be misleading or enticing, for example:

Once executed, the trojan creates a mutex to ensure only one instance is running. The name of this mutex varies between variants, for example:

  • botsmutex
  • whatthefuck
  • VidCap32
  • judge

The trojan copies itself to %SysDir% as WIN32SERVER.SCR or WIN32SERVER.EXE (variant dependent) and hooks the following Registry key to run itself at startup:

Run "Winsock32driver"  =  win32server.scr / win32server.scr 

(where %SysDir% is C:\windows\system or C:\winnt\system, depending on the Windows version)

Once running, the trojan attempts to connect to an IRC server (using destination port 6666 or 6667). Subsequent commands may be received via IRC, and include the following:

  • download remote file
  • act as socks4 proxy
  • terminate process
  • read IRC log file

Indication of Infection

  • Existence of the abovementioned files and registry keys.
  • Firewall reports "Generic Host Process for Win32 Services" requesting access to an unexpected domain (remote port 6666 or 6667), e.g.:

Method of Infection

  • Accessing URLs which lead to the trojan being downloaded onto the system.
  • Receiving this trojan in HTML emails from newsgroups.
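The indicators listed in this description (dropped file names, the Run value, the mutex names and the IRC ports) can be checked against a host snapshot with a small script. This is an added example written for this page, not McAfee's or AVERT's code; the snapshot format and the sample data are constructed, and a real deployment would populate the snapshot from the registry, the system directory, a mutex enumerator and firewall or netstat output.

```python
"""Match a host snapshot against the BackDoor-AZV indicators from the description.
Hypothetical helper; the snapshot structure and sample values are constructed."""

# Indicators taken from the description above
AZV_FILES = {"win32server.scr", "win32server.exe"}      # dropped into %SysDir%
AZV_RUN_VALUE = "winsock32driver"                       # Run value name
AZV_MUTEXES = {"botsmutex", "whatthefuck", "vidcap32", "judge"}
AZV_IRC_PORTS = {6666, 6667}
# Process label the description says appears in firewall prompts
SVCHOST_LABEL = "generic host process for win32 services"


def find_azv_indicators(snapshot):
    """snapshot: dict with 'run_values' ({name: data}), 'sysdir_files' (list),
    'mutexes' (list) and 'connections' (list of (process_label, host, port)).
    Returns a list of (indicator_kind, detail) tuples; empty means no match."""
    hits = []
    for name, data in snapshot.get("run_values", {}).items():
        # Match either the Run value name or the dropped file it points at
        if name.lower() == AZV_RUN_VALUE or data.lower().split("\\")[-1] in AZV_FILES:
            hits.append(("registry_run", f"{name} = {data}"))
    for fname in snapshot.get("sysdir_files", []):
        if fname.lower() in AZV_FILES:
            hits.append(("dropped_file", fname))
    for mtx in snapshot.get("mutexes", []):
        if mtx.lower() in AZV_MUTEXES:
            hits.append(("mutex", mtx))
    for proc, host, port in snapshot.get("connections", []):
        # Outbound IRC port from the generic service host process
        if port in AZV_IRC_PORTS and proc.lower() == SVCHOST_LABEL:
            hits.append(("irc_connection", f"{proc} -> {host}:{port}"))
    return hits


# Constructed sample snapshot (not from a real host); one match of each kind plus benign noise
SAMPLE_SNAPSHOT = {
    "run_values": {"Winsock32driver": "win32server.scr",
                   "ctfmon": "C:\\WINDOWS\\system32\\ctfmon.exe"},
    "sysdir_files": ["kernel32.dll", "WIN32SERVER.SCR"],
    "mutexes": ["DBWinMutex", "VidCap32"],
    "connections": [("Generic Host Process for Win32 Services", "irc.example.invalid", 6667),
                    ("Generic Host Process for Win32 Services", "update.example.invalid", 443)],
}

if __name__ == "__main__":
    for kind, detail in find_azv_indicators(SAMPLE_SNAPSHOT):
        print(f"[{kind}] {detail}")
```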

All Users:
Use specified engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations