Detected: Oct 31 2006 09:42 GMT
Released: Oct 31 2006 09:42 GMT
Published: Nov 13 2006 13:54 GMT
This Trojan gives a remote malicious user access to the victim machine. It is a Windows PE EXE file. The size of the backdoor components varies between 8KB and 80KB.
When launched, the backdoor copies its executable file to the Windows system directory:
The backdoor then extracts a DLL file called stu.dll from its body:
The DLL is then loaded into the address space of svchost.exe, and the original Trojan file is deleted.
In order to ensure that the Trojan is launched automatically when the system is rebooted, the Trojan registers its executable file in the system registry:
This backdoor is created using a generating program (builder) called "editor.exe", which is 24,576 bytes in size. The program interface has the following appearance:
In the generator's main window the user enters an IP address; the generated backdoor will receive commands from this address on the specified port. The user can also enter the name of the system registry autorun parameter and the value to be written to it.
When the right-hand button is clicked, the generator copies a file called server.exe to its current folder as setup.exe and appends the data entered by the user to the end of this file in encrypted form.
When the generated file is launched on the victim machine, it installs itself and then attempts to connect to the address that was entered when the backdoor was generated. Commands are received from this address.
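The builder pattern described above (a fixed server.exe stub with the operator's settings appended after the last PE section) is what lets an analyst pull the C&C address and autorun settings out of a generated sample without running it. The following is an added example, not code from the original description, from the malware or from its builder: it locates the PE overlay by parsing the section table and decodes whatever was appended there. The one-byte XOR key, the NUL-separated field layout, the minimal PE32 stub standing in for server.exe and the sample values (192.0.2.10, port 8080, the autorun name and path) are all assumptions made up for this example; the real builder's encryption and layout are not documented on this page.

```python
import struct

XOR_KEY = 0x5A  # placeholder; the real builder's encryption is not documented here


def _pe_overlay_offset(data: bytes) -> int:
    """Return the file offset where the PE overlay starts: the end of the
    last section's raw data, or the end of the headers if no section has
    raw data. Works for PE32 and PE32+ (SizeOfHeaders sits at the same
    offset in both optional headers). Raises ValueError for non-PE input."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections, = struct.unpack_from("<H", data, coff + 2)
    size_opt, = struct.unpack_from("<H", data, coff + 16)
    sect_table = coff + 20 + size_opt
    size_of_headers, = struct.unpack_from("<I", data, coff + 20 + 60)
    end = max(sect_table + num_sections * 40, size_of_headers)
    for i in range(num_sections):
        # SizeOfRawData and PointerToRawData are at +16 in each 40-byte entry
        raw_size, raw_ptr = struct.unpack_from("<II", data, sect_table + i * 40 + 16)
        if raw_size:
            end = max(end, raw_ptr + raw_size)
    return end


def make_stub() -> bytes:
    """Constructed minimal PE32 image standing in for server.exe (not the real
    file): DOS header, PE signature, COFF header, 224-byte optional header and
    one .text section whose raw data ends at file offset 0x400."""
    raw_ptr, raw_size = 0x200, 0x200
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                  # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                    # PE32 magic
    struct.pack_into("<I", opt, 60, 0x200)                   # SizeOfHeaders
    sect = b".text\0\0\0" + struct.pack("<IIII", raw_size, 0x1000, raw_size, raw_ptr) + bytes(16)
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sect
    return headers.ljust(raw_ptr, b"\0") + b"\xCC" * raw_size


def _xor(blob: bytes) -> bytes:
    return bytes(b ^ XOR_KEY for b in blob)


def build_setup(stub: bytes, ip: str, port: int, run_name: str, run_cmd: str) -> bytes:
    """Model of the builder step: take the stub and append the operator's
    settings, encoded, to the end of the file (the PE overlay)."""
    config = "\0".join([ip, str(port), run_name, run_cmd]).encode() + b"\0"
    return stub + _xor(config)


def extract_config(sample: bytes) -> dict:
    """Model of what the dropped binary (or an analyst) does: find the overlay
    past the last section and decode the settings stored there."""
    overlay = sample[_pe_overlay_offset(sample):]
    if not overlay:
        raise ValueError("no overlay: not a generated sample")
    fields = _xor(overlay).rstrip(b"\0").split(b"\0")
    if len(fields) != 4:
        raise ValueError("unexpected config layout")
    ip, port, run_name, run_cmd = (f.decode() for f in fields)
    return {"ip": ip, "port": int(port), "run_name": run_name, "run_cmd": run_cmd}


if __name__ == "__main__":
    # Hypothetical operator input; 192.0.2.10 is a documentation address.
    sample = build_setup(make_stub(), "192.0.2.10", 8080,
                         "winupdate", r"C:\Windows\System32\example.exe")
    print("overlay at 0x%x" % _pe_overlay_offset(sample), extract_config(sample))
```

Because the stub is identical across generated samples, the overlay offset is constant for a given stub build; a detection rule can therefore key on the stub's section layout and treat any trailing data as the per-victim configuration to decode.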
The backdoor is managed via a dedicated program. The program’s interface has the following appearance:
A remote malicious user can use the backdoor to:
Backdoors are designed to give malicious users remote control over an infected computer. In terms of functionality, Backdoors are similar to many administration systems designed and distributed by software developers.
These types of malicious programs make it possible to do anything the author wants on the infected computer: send and receive files, launch files or delete them, display messages, delete data, reboot the computer, etc.
The programs in this category are often used in order to unite a group of victim computers and form a botnet or zombie network. This gives malicious users centralized control over an army of infected computers which can then be used for criminal purposes.
There is also a group of Backdoors which are capable of spreading via networks and infecting other computers as Net-Worms do. The difference is that such Backdoors do not spread automatically (as Net-Worms do), but only upon a special “command” from the malicious user that controls them.