Virus Profile: BackDoor-AZV

Threat Search
Print
   
Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 10/2/2003
Date Added: 10/2/2003
Origin: Unknown
Length: Various
Type: Trojan
Subtype: Remote Access
DAT Required: 4297
Removal Instructions
   
 
 
   

Description

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Indication of Infection

  • Existence of the abovementioned files and registry keys.
  • Firewall reports "Generic Host Process for Win32 Services" requesting for access to an unexpected domain (remote port 6666 or 6667), eg:
    • hackarmy.tk
    • packets.kicks-ass.org

Methods of Infection

  • Accessing URLs which leads the trojan to be downloaded onto the system.
  • Receiving this trojan in HTML emails from newsgroups.

Aliases

Backdoor.Hackerarmy (kasp), Troj/Hackarmy-A (Sophos), W32/Rawbot.worm
   

Virus Characteristics

-- Update Jan 4, 2005 --
There was a recent mass-spamming of a downloader trojan that is proactively detected as BackDoor-AZV.  This trojan attempts to download a new W32/Brepibot variant from 4 different web sites.  The spammed email message may appear as follows:

Subject: Photo Approval Needed
Body: Hello,
Attachment:  (varies, may be one of the following, or others)

  • Article Photos.exe
  • Article+Photos.exe
  • article.exe
  • Article.zip
  • article_december_#### .exe
  • article_december_#### .exe
  • Photo and Article.exe
  • photo+article.exe
  • photo+article.zip

In at least some cases, the files with the .ZIP extension are actually executable files by content and therefore only run when renamed with an executable extension.
---

-- Update Oct. 14th 2004 --

AVERT has received several field samples with the following subject line: David Beckham Caught With Spanish Girl

 The attachment within the email is already detected as BackDoor-AZV in the 4398 Dats.  If successfully executed, the trojan will attempt to connect to IRC via port 6667 for remote commands.

-- Update Dec 11th 2003 --

An additional variant of this remote access trojan has been found in the field, which has been packed with the MoleBox packing application. Detection of this is included in the 4309 DAT files.

--

AVERT has identified a few incidents of this remote access trojan being spammed to newsgroups and recommend that users disallow scripts when viewing posts, and use a newsgroup reader which has this option. Alternatively this option can be set for the Internet Zone in the security settings of IE5. AVERT also recommends adding ".HTA" to the extension list for pre 4.5 products. The following URL was known to contain the worm:

http://home.attbi.com/(blocked)/ChristinaAguilera.scr

Since there are multiple versions of this trojan, the icon used may vary. The icon used will typically be misleading or enticing, for example:

Once executed, the trojan creates a mutex to ensure only one instance is running. The name of this mutex varies between variants, for example:

  • botsmutex
  • whatthefuck
  • VidCap32
  • judge

The trojan copies itself to %SysDir% as WIN32SERVER.SCR or WIN32SERVER.EXE ( variant dependent) and hooks the following Registry key to run itself at startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
Run "Winsock32driver"  =  win32server.scr / win32server.scr 

(where %SYSDIR% is C:\windows\system, C:\winnt\system)

Once running, the trojan attempts to connect to an IRC server (using destination port 6666 or 6667). Subsequents commands may be received via IRC, and include the following:

  • download remote file
  • act as socks4 proxy
  • terminate process
  • read IRC log file
   

All Users:
Use specified engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations