Friday, 08 April 2005
Backdoor.Verify is a back door Trojan that allows unauthorised remote access to the compromised computer.
Type: Trojan Horse
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
When Backdoor.Verify is executed, it performs the following actions:
Copies itself as the following files:
%System%\MsIdle32.exe - a copy of the Trojan
%System%\MsIdle32Hook.dll - a Trojan module that performs keylogging functions
%System%\MsSysInfo32.exe - a Trojan module that restarts the MsIdle32.exe process if it is ended
C:\MsBootMgr.exe - a copy of the Trojan
Note: %System% is a variable that refers to the System folder.
By default this is C:\Windows\System (Windows 95/98/Me),
C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
Adds the values:
"MsIdle32.exe" = "C:\WINNT\system32\MsIdle32.exe"
"MsBootMgr.exe" = "C:\MsBootMgr.exe"
to the registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
so that Backdoor.Verify runs every time Windows starts.
Adds the value:
"Shell" = "C:\WINNT\system32\MsIdle32.exe"
to the registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
so that Backdoor.Verify runs every time Windows starts.
Modifies the values:
"EnableFirewall" = "0"
"DoNotAllowExceptions" = "0"
"DisableNotifications" = "0"
in the registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
to disable Windows security features.
Creates the following registry entries:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\"C:\WINNT\system32\MsIdle32.exe" = "C:\WINNT\system32\MsIdle32.exe:*:Enabled:Remote Access"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"Hidden" = "2"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\pVF.exe\"[default]" = "%System%\MsIdle32.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\pVF\"pVF_Version" = "822"
to enable its back door functionalities.
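As an added detection example (not part of the advisory), the Python below parses a registry export produced with reg export on the affected hives and flags the Run-key persistence, the Winlogon Shell hijack, the disabled StandardProfile firewall and the AuthorizedApplications exception described above; the sample export at the bottom is constructed from the advisory's entries, not captured from a real system. The same check can be rerun after the manual removal steps at the end of the page to confirm the values are gone.

```python
import re
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
FW_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile"
TROJAN_FILES = ("msidle32.exe", "msbootmgr.exe", "mssysinfo32.exe", "msidle32hook.dll")

def parse_reg_export(text):
    """Parse 'reg export' (.reg) text into {key: {value_name: data}}; dwords become decimal strings."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and "=" in line:
            name, _, data = line.partition("=")
            m = re.fullmatch(r"dword:([0-9a-fA-F]{8})", data)
            unquote = lambda s: s.strip('"').replace("\\\\", "\\")  # .reg doubles backslashes
            keys[current][unquote(name)] = str(int(m.group(1), 16)) if m else unquote(data)
    return keys

def find_indicators(reg):
    """Return one finding string per Backdoor.Verify registry change present in reg."""
    findings = []
    for name, data in reg.get(RUN_KEY, {}).items():          # Run-key persistence
        if any(f in data.lower() for f in TROJAN_FILES):
            findings.append(f"Run value {name!r} -> {data}")
    shell = reg.get(WINLOGON_KEY, {}).get("Shell", "explorer.exe")
    if shell.lower().split("\\")[-1] != "explorer.exe":      # Winlogon Shell hijack
        findings.append(f"Winlogon Shell hijacked -> {shell}")
    if reg.get(FW_KEY, {}).get("EnableFirewall") == "0":     # firewall switched off
        findings.append("StandardProfile EnableFirewall set to 0")
    for key, values in reg.items():                          # firewall exception
        if key.startswith(FW_KEY + "\\AuthorizedApplications"):
            findings += [f"Firewall exception for {n}" for n in values
                         if any(f in n.lower() for f in TROJAN_FILES)]
    return findings

# Constructed sample export reproducing the advisory's entries (not a real capture).
SAMPLE_EXPORT = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsIdle32.exe"="C:\\WINNT\\system32\\MsIdle32.exe"
"MsBootMgr.exe"="C:\\MsBootMgr.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="C:\\WINNT\\system32\\MsIdle32.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINNT\\system32\\MsIdle32.exe"="C:\\WINNT\\system32\\MsIdle32.exe:*:Enabled:Remote Access"
"""
```

Running find_indicators(parse_reg_export(SAMPLE_EXPORT)) returns five findings for the sample; a clean export yields an empty list.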
Monitors the following back door components:
MsIdle32.exe
MsSysInfo32.exe
If either of these processes is ended, the Trojan restarts it.
Logs keystrokes and system events, and saves the information in the following files:
%System%\pMK_kLog.txt
%System%\pMK_kLogF.txt
%System%\pMK_wLog.txt
Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
Ends the following security-related processes:
ZONEALARM.EXE
WEBSCANX.EXE
VSSTAT.EXE
VSHWIN32.EXE
VSECOMR.EXE
VSCAN40.EXE
VETTRAY.EXE
VET95.EXE
TDS2-NT.EXE
TDS2-98.EXE
TBSCAN.EXE
SWEEP95.EXE
F-STOPW.EXE
SPHINX.EXE
SERV95.EXE
SCRSCAN.EXE
SCANPM.EXE
SCAN95.EXE
SCAN32.EXE
SAFEWEB.EXE
RESCUE.EXE
RAV7WIN.EXE
RAV7.EXE
F-PROT95.EXE
F-PROT.EXE
PERSFW.EXE
PCFWALLICON.EXE
PCCWIN98.EXE
PAVW.EXE
PAVCL.EXE
PADMIN.EXE
OUTPOST.EXE
NVC95.EXE
NUPGRADE.EXE
NORMIST.EXE
NISUM.EXE
NAVWNT.EXE
NAVNT.EXE
NAVLU32.EXE
NAVAPW32.EXE
N32SCANW.EXE
MPFTRAY.EXE
MOOLIVE.EXE
LUALL.EXE
LOOKOUT.EX
LOCKDOWN2000.EXE
JEDI.EXE
IOMON98.EXE
IFACE.EXE
ICSUPPNT.EXE
ICSUPP95.EXE
ICMON.EXE
ICLOADNT.EXE
ICLOAD95.EXE
IBMAVSP.EXE
IBMASN.EXE
IAMSERV.EXE
IAMAPP.EXE
FPROT.EXE
FINDVIRU.EXE
ESPWATCH.EXE
ESAFE.EXE
ECENGINE.EXE
DVP95_0.EXE
CLEANER3.EXE
CLEANER.EXE
CLAW95CF.EXE
CLAW95.EXE
CFINET32.EXE
CFINET.EXE
CFIAUDIT.EXE
CFIADMIN.EXE
BLACKICE.EXE
BLACKD.EXE
AVWUPD32.EXE
AVWIN95.EXE
AVSCHED32.EXE
AVPUPD.EXE
AVPTC32.EXE
AVPDOS32.EXE
AVNT.EXE
AVKSERV.EXE
AVGCTRL.EXE
AVE32.EXE
AVCONSOL.EXE
AUTODOWN.EXE
APVXDWIN.EXE
ANTI-TROJAN.EXE
ACKWIN32.EXE
PVIEW.EXE
TASKMGR.EXE
REGEDIT.EXE
MSCONFIG.EXE
D32.EXE
BKAV2002.EXE
PAVSCHED.EXE
NMAIN.EXE
NAVW32.EXE
NAVAPSVC.EXE
NAVAPW32.EXE
F-AGNT95.EXE
WFINDV32.EXE
AVPM.EXE
AVPCC.EXE
AVP32.EXE
Attempts to create copies of itself on all fixed drives in directories containing the following strings:
user
system
book
game
pic
media
download
upload
share
music
doc
program
soft
Copies will have one of the following filenames:
MU Korea new!!.exe
Shower girl.exe
_-_Click_-Me!_.exe
Microsoft Office 2003 Crack.exe-_-Secret-_-.exe
ACDSee 8.0 beta.exe
Free telephone.exe
I want to say that....exe
Age of Empires new !!!.exe
MU online-update.exe
kiss me.jpg.exe
Windows XP update new.exe
Mirosoft Windows Longhorn beta test.exe
Monster.jpg.exe
Love you....exe
Hack Yahoo! Pass.exe
Linkin Park.jpg.exe
My Diary.doc.exe
Top Secret.exe
Manga news.html.exe
Kid1412.jpg.exe
Sherlock Homes.doc.exe
Conan Doyle.jpg.exe
Ichi shinpo.jpg.exe
Yahoo! Smiley new !.exe
FiFa WorldCup 2006 Beta.exe
Nero 7.0 Full.exe
WinRAR 4.0 Full.exe
fun fun fun.exe
Fantasy XII Update.exe
Half-Life 2 Update.exe
Windows XP source code.exe
Norton Antivirus Update.exe
Spy search and destroy new!.exe
bikini.jpg.exe
UFO.doc.exe
The X-files.jpg.exe
XXX-Cindy.jpg.exe
XXX-Britney Spears.jpg.exe
Sexy girl.jpg.exe
xxx_Girl.jpg.exe
BinLaden PPP.jpg.exe
fucker.jpg.exe
Sweet Valetine.exe
Love to kick boot.exe
Yahoo! Account Cracker.exe
WinAmp 6.0 Full.exe
nude_girl.jpg.exe
H.O.T news.html.exe
ZaiZai smileys.jpg.exe
Hillary Duff - nude.jpg.exe
Photoshop 9.0 Full.exe
Hot Sexxxxx.avi.exe
Opens a back door on TCP ports 1906 and 1907 that allows the remote attacker to perform any of the following actions:
Display a message on the compromised computer
Block and unblock input from the user
Beep a number of times
Close and eject CD drive
Hide, disable, and enable Start Menu
Enable and disable Task Manager and Registry tools
Send text message to active window
List and end processes
List and close windows
End antivirus programs
Flood the infected computer with messages
Set window text
Freeze Windows
Set Master Volume
Play wave and MIDI files
View system information about the compromised computer
View and clear key log
View IP Table
Add a user with a blank password
Display ftp settings
Chat with victim
Run programs
Send e-mail
Download and upload files
Downloads and installs updates to the back door from the following Web sites:
[domain removed].com/download/pMK_Veryfun.exe
[domain removed].com/rhspyx007/pMK_Veryfun.exe
[domain removed].com/rhspyx007/pMK_Veryfun.exe
To delete the Winlogon\Shell value from the registry
Click Start > Run.
Type regedit
Click OK.
Navigate to the subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
In the right panel, delete the value:
"Shell" = "C:\WINNT\system32\MsIdle32.exe"
Exit regedit
To delete the remaining values from the registry
Click Start > Run.
Type regedit
Click OK.
Navigate to the subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
In the right panel, delete the values:
"MsIdle32.exe" = "C:\WINNT\system32\MsIdle32.exe"
"MsBootMgr.exe" = "C:\MsBootMgr.exe"
Navigate to the subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
In the right panel, reset the values, if appropriate:
"EnableFirewall" = "0"
"DoNotAllowExceptions" = "0"
"DisableNotifications" = "0"
Navigate to the subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
In the right panel, delete the value:
"C:\WINNT\system32\MsIdle32.exe" = "C:\WINNT\system32\MsIdle32.exe:*:Enabled:Remote Access"
Navigate to the subkey:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
In the right panel, delete the value:
"Hidden" = "2"
Navigate to the subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\pVF.exe
In the right panel, delete the value:
"[default]" = "%System%\MsIdle32.exe"
Navigate to the subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\pVF
In the right panel, delete the value:
"pVF_Version" = "822"
Exit the Registry Editor.