Virus:Backdoor.Win32.DSSdoor.c

Detection added May 30 2007 11:21 GMT
Description added Jun 19 2007
Behavior Backdoor
Technical details

This Trojan program provides a remote malicious user with access to the victim machine. It is a Windows PE EXE file. The file is 419 969 bytes in size. It is packed using UPX. The unpacked file is approximately 890KB in size. This Trojan is written in Visual Basic.

Installation

When launched, the backdoor installs Visual Basic components to the Windows system directory (%System%):

MSINET.OCX
regobj.dll
SocketX.DLL
SocketX.OCX

It searches the system for the following processes:

*firewall*.exe
*zonealarm*.exe
*zlclient*.exe
frw.exe
nc2000.exe
jammer.exe
cpd.exe
comsocks.exe
Smc.exe
iamapp.exe
persfw.exe
pfwwadmin.exe
Trojan Guarder.exe
looknstop.exe
Lnscfg.exe
aports.exe
PLManager.exe
PLService.exe
awpta.exe
UpPDB.exe
Commview.dll
Anti-Virus&Trojan.exe
LinkFerret.Exe
ItCanNet.exe
PRT.EXE
NMain.exe
netscanpro.exe
Tcpview.exe
tcpvcon.exe
Anti-Virus&Spyware.exe
Armor2net.exe
fwsrv.exe
sppfw.exe
AlertWall.exe
MPF.exe
kpf4ss.exe
kpf4gui.exe

The backdoor also searches for open windows whose titles contain any of the following strings:

firewall
ZoneAlarm
Net-Commando
Jammer
ComSocks
SPF
AtGuard
Trojan Guarder
Active Ports
PortsLock
AWPTA
CommView
LinkFerret Network Monitor
ItCan.Net Monitor
Net2112 TCPRT
TSCAN PRO
tcpview
Anti-Virus&Trojan
Anti-Virus&Spyware
AlertWall
SafeZone

If the backdoor finds a window with one of these titles, it aborts the installation.

The backdoor then registers itself in the system registry:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"DSS" = "<path to Trojan executable file>"

This ensures that the backdoor will be launched each time Windows is booted on the victim machine.

Payload

The Trojan opens a random port and listens for commands from the remote malicious user. The backdoor enables the remote malicious user to:

  • download and launch applications;
  • display messages;
  • add records to the hosts file in %System%\drivers\etc\hosts;
  • download files from the following resources:
      • www.freeiteducation.com
      • www.sms-networks.com
      • www.clickonteens.com
      • www.custombabes.com
      • www.hackology.com
      • www.dataserverfx.com
      • www.dfhdjkhskjdfhkje.com
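
The persistence, dropped-file and hosts-file indicators described in the Installation and Payload sections can be checked with a small triage script. The following is an added example, not Kaspersky's code: the sample Run key values, hosts-file text and directory listing are constructed here so it runs offline, and on a live host you would feed it the real values instead.

```python
"""Triage helper for the indicators in the description above: the 'DSS' Run value,
the dropped Visual Basic components and hosts-file additions. This is an added
example, not Kaspersky's code; all inputs below are constructed so it runs offline.
On a live host, feed it the real Run key values (winreg) and the real hosts file."""

RUN_VALUE_NAME = "DSS"  # value name written under HKLM\...\CurrentVersion\Run
# Legitimate VB runtime files the backdoor drops into %System%. They also ship with
# benign VB applications, so treat them as supporting evidence, not proof on their own.
DROPPED_COMPONENTS = {"msinet.ocx", "regobj.dll", "socketx.dll", "socketx.ocx"}
# Entries a stock Windows hosts file may contain; anything else deserves review.
DEFAULT_HOSTS = {("127.0.0.1", "localhost"), ("::1", "localhost")}

def find_run_persistence(run_values):
    """run_values: {value_name: data} from the Run key. Returns the registered path or None."""
    for name, data in run_values.items():
        if name.lower() == RUN_VALUE_NAME.lower():
            return data
    return None

def parse_hosts(text):
    """Yield (ip, hostname) pairs, skipping blank lines and '#' comments."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *hosts = line.split()
        for host in hosts:
            yield ip, host.lower()

def find_hosts_additions(text):
    """Return hosts entries that are not part of the stock file (empty on a clean host)."""
    return [entry for entry in parse_hosts(text) if entry not in DEFAULT_HOSTS]

def find_dropped_components(system_dir_listing):
    """Case-insensitive match of the dropped components in a %System% directory listing."""
    return sorted(f for f in system_dir_listing if f.lower() in DROPPED_COMPONENTS)

# Constructed sample inputs (not taken from a real infection).
SAMPLE_RUN_VALUES = {"ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
                     "DSS": r"C:\Documents and Settings\user\dss.exe"}
SAMPLE_HOSTS = ("# stock header comment\n"
                "127.0.0.1       localhost\n"
                "198.51.100.7    www.example.invalid   # constructed addition\n")
SAMPLE_SYSTEM_DIR = ["kernel32.dll", "SocketX.OCX", "MSINET.OCX", "regobj.dll"]

if __name__ == "__main__":
    print("Run persistence:", find_run_persistence(SAMPLE_RUN_VALUES))
    print("Hosts additions:", find_hosts_additions(SAMPLE_HOSTS))
    print("Dropped components:", find_dropped_components(SAMPLE_SYSTEM_DIR))
```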

Removal instructions

If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

  1. Use Task Manager to terminate the Trojan process.
  2. Delete the original backdoor file (the location will depend on how the program originally penetrated the victim machine).
  3. Delete the following parameter from the system registry (see the documentation on what the system registry is and how to edit it):
     [HKLM\Software\Microsoft\Windows\CurrentVersion\Run] "DSS"
  4. Update your antivirus databases and perform a full scan of the computer.