Virus Characteristics
-- Update March 6, 2003 --
AVERT has received a new variant of the kernel driver stealth module from a customer. This file, P2.SYS, is 8192 bytes in length.
The module again hooks various low-level kernel file, registry and process APIs in order to hide trojans from casual observers and system monitoring software.
The only sign of the presence of this new variant is that the System Info tool shows the entry
P2.SYS PentiumII Processor Driver
in the list of drivers under the Software Environment.
Detection of this trojan will be included in 4252 DATs.
-- Update January 31, 2003 --
AVERT is currently analyzing a variant of this threat (filename IPSECHLP.DLL). Initial reports suggest that it listens on TCP Port 449 and uses the service name "IPSEC Helper Services". Detection for this .DLL will be included in the next DAT release (4246).
The server component of this Remote Access Trojan utilizes a kernel mode driver to operate in stealth mode. Thus the file and process associated with the backdoor (together with Registry keys relating to it) remain hidden.
The server component (VMM32421.EXE: 27,136 bytes) is detected as BackDoor-ALI by McAfee products running the 4229 DATs or greater.
The kernel mode driver (IERK8243.SYS: 7,264 bytes) is detected as BackDoor-ALI.sys with the 4245 DATs.
Due to its stealthing capabilities, this threat will not be detected by conventional AV scanning after trojan installation has occurred: restarting in safe mode is required for detection and removal.
Server Component
When run, the backdoor trojan installs itself as a service on the victim machine. The service characteristics are set under the following Registry keys:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vmm32421
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VMM32421
With the following characteristics:
Description: Virtual Memory Manager
Display Name: Virtual Memory Manager
Image Path: (location of server file)
Startup Type: Automatic
Note: When the stealthing driver is installed on the system as well, these Registry entries will be hidden.
The server opens port 961 on the victim machine.
Kernel Mode Driver
This driver enables other trojans to operate in stealth mode, hiding their processes, files and Registry keys. A reboot is required to complete the installation of the stealthing driver.
The following Registry key indicates installation of this driver (this will only be visible when the machine is restarted in Safe Mode):
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ierk8243
The service has the following characteristics:
Startup Type: Automatic
Image Path: \System32\drivers
DisplayName: ierk8243
The driver hooks low-level Kernel file and Registry I/O functions. The method used for hooking system calls is likely to be similar to that used by well-known legitimate software. The driver contains the following string in its body:
slanretnisys
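Because the driver hides the service keys of both components from the running system, the practical check is a cross-view comparison: export the Services key once on the live machine and once after restarting in Safe Mode, then flag keys that exist only in the Safe Mode view and match the names given in this description. The script below is an added example, not AVERT's or McAfee's tooling; it parses `reg query HKLM\SYSTEM\CurrentControlSet\Services /s` output (sample exports are constructed here, including a constructed VMM32421 image path) and a few `netstat -an` lines, using only the service names, display names, file names and ports stated above.

```python
"""Cross-view check for the BackDoor-ALI indicators in the description above.

Two exports of `reg query HKLM\SYSTEM\CurrentControlSet\Services /s` are
compared: one from the live system (where the stealth driver hides its
keys) and one taken after restarting in Safe Mode. Keys present only in
the Safe Mode export are hidden on the live system; each is also matched
against the indicators from the write-up. All sample data is constructed.
"""
import re

# Indicators taken from the description above.
KNOWN_SERVICE_NAMES = {"vmm32421", "ierk8243"}
KNOWN_DISPLAY_NAMES = {
    "virtual memory manager",      # VMM32421.EXE server component
    "ierk8243",                    # IERK8243.SYS stealth driver
    "ipsec helper services",       # IPSECHLP.DLL variant
    "pentiumii processor driver",  # P2.SYS variant
}
KNOWN_FILE_NAMES = {"vmm32421.exe", "ierk8243.sys", "ipsechlp.dll", "p2.sys"}
KNOWN_LISTEN_PORTS = {961, 449}
SERVICE_AUTO_START = 2  # REG_DWORD "Start" value meaning Startup Type: Automatic

# Constructed sample: what the query shows on the live (stealthed) system.
LIVE_EXPORT = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp
    DisplayName    REG_SZ    DHCP Client
    ImagePath    REG_EXPAND_SZ    %SystemRoot%\System32\services.exe
    Start    REG_DWORD    0x2
"""

# Constructed sample: the same query after restarting in Safe Mode.
# The VMM32421.EXE location is an assumed path; the page only says "(location of server file)".
SAFEMODE_EXPORT = LIVE_EXPORT + r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vmm32421
    Description    REG_SZ    Virtual Memory Manager
    DisplayName    REG_SZ    Virtual Memory Manager
    ImagePath    REG_EXPAND_SZ    C:\WINNT\system32\vmm32421.exe
    Start    REG_DWORD    0x2

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ierk8243
    DisplayName    REG_SZ    ierk8243
    ImagePath    REG_EXPAND_SZ    \System32\drivers\ierk8243.sys
    Start    REG_DWORD    0x2
"""

_VALUE_RE = re.compile(r"^\s+(\S+)\s+(REG_[A-Z_]+)\s*(.*)$")


def parse_reg_query(text):
    """Parse `reg query /s` output into {key_path: {value_name: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("HKEY_"):          # key lines are not indented
            current = line.strip()
            keys[current] = {}
            continue
        m = _VALUE_RE.match(line)             # "    Name    REG_TYPE    data"
        if m and current is not None:
            name, _type, data = m.groups()
            keys[current][name] = data.strip()
    return keys


def hidden_keys(live, safemode):
    """Keys visible in the Safe Mode view but absent from the live view."""
    return sorted(set(safemode) - set(live))


def indicator_hits(key, values):
    """Reasons a service key matches the indicators from the description."""
    reasons = []
    name = key.rsplit("\\", 1)[-1].lower()
    if name in KNOWN_SERVICE_NAMES:
        reasons.append(f"service name {name}")
    if values.get("DisplayName", "").lower() in KNOWN_DISPLAY_NAMES:
        reasons.append(f"display name '{values['DisplayName']}'")
    image = values.get("ImagePath", "").rsplit("\\", 1)[-1].lower()
    if image in KNOWN_FILE_NAMES:
        reasons.append(f"image file {image}")
    return reasons


def assess(live_text, safemode_text):
    """One finding per key that is hidden on the live system or matches an indicator."""
    live, safe = parse_reg_query(live_text), parse_reg_query(safemode_text)
    hidden = set(hidden_keys(live, safe))
    findings = []
    for key, values in safe.items():
        reasons = indicator_hits(key, values)
        if key in hidden:
            reasons.insert(0, "hidden from live registry view")
        if reasons:
            start = int(values.get("Start", "-1"), 0)
            findings.append({"key": key, "reasons": reasons,
                             "auto_start": start == SERVICE_AUTO_START})
    return findings


_NETSTAT_RE = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING", re.I)


def suspicious_listeners(netstat_lines):
    """Local TCP listening ports (from `netstat -an` lines) named in the description."""
    ports = {int(m.group(1)) for m in map(_NETSTAT_RE.match, netstat_lines)
             if m and int(m.group(1)) in KNOWN_LISTEN_PORTS}
    return sorted(ports)


if __name__ == "__main__":
    for f in assess(LIVE_EXPORT, SAFEMODE_EXPORT):
        print(f["key"], "->", "; ".join(f["reasons"]), "(Automatic)" if f["auto_start"] else "")
    print("listeners:", suspicious_listeners(["  TCP    0.0.0.0:961    0.0.0.0:0    LISTENING"]))
```

The cross-view diff is the part that does the work: a key that is only enumerable from Safe Mode is suspicious regardless of its name, which is why the hidden-key reason is reported before any name match. The name and port matches are kept separately so the script still flags the known entries on a machine where the driver failed to load or was already removed.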