
Virus Profile: BackDoor-CCT

Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 4/13/2004
Date Added: 4/13/2004
Origin: Unknown
Length: 17,552 bytes (EXE, FSG-packed); 14,336 bytes (DLL)
Type: Trojan
Subtype: Remote Access
DAT Required: 4351
Removal Instructions

Description

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Indication of Infection

  • unexpected outgoing HTTP traffic to the domain indicated in this description
  • existence of the files and Registry keys detailed in this description
  • multiple unexpected instances of IEXPLORE.EXE running in the background (no visible window)

Methods of Infection

The trojan installs itself in the Windows system folder as PRNTA.EXE and PRNTC.EXE, for example:

  • C:\WINNT\SYSTEM32\PRNTA.EXE
  • C:\WINNT\SYSTEM32\PRNTC.EXE

A copy is also dropped in the Windows startup folder as PRNTB.EXE, for example:

  • C:\DOCUMENTS AND SETTINGS\USER2\START MENU\PROGRAMS\STARTUP\PRNTB.EXE

A keylogging DLL is installed in %WinDir% as PRNTSVR.DLL:

  • C:\WINNT\PRNTSVR.DLL

The following Registry key is added to hook system startup:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "load32" = C:\WINNT\SYSTEM32\PRNTA.EXE

The following key is changed:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon "Shell"

from:

  • Explorer.exe

to:

  • Explorer.exe C:\WINNT\SYSTEM32\PRNTC.EXE

The following Registry key is also added:

  • HKEY_CURRENT_USER\SARS

Clipboard contents and logged keystrokes are written to the following files respectively:

  • %WinDir%\prntk.log
  • %WinDir%\prntc.log

The HTML form that is dropped to facilitate sending stolen data to the hacker via HTTP is written to:

  • %WinDir%\TEMP\feff35a0.htm

A raw MIME message containing stolen data is written to:

  • %WinDir%\TEMP\fa4537ef.tmp
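An added example, not from this profile or the vendor: a Python check that compares a host snapshot against the persistence indicators listed above. It assumes the snapshot layout shown (a dict of lower-cased registry keys and a list of file paths); the sample data is constructed to reproduce the indicators and stands in for real winreg/os.path reads.

```python
# Added example (not from the profile or the vendor): checks a snapshot of
# registry values and file paths against the persistence indicators above.
# Key names are lower-cased; replace the constructed sample with real reads.

RUN_KEY = r"hklm\software\microsoft\windows\currentversion\run"
WINLOGON_KEY = r"hklm\software\microsoft\windows nt\currentversion\winlogon"
MARKER_KEY = r"hkcu\sars"   # empty key the profile says the trojan adds

# Files dropped relative to %WinDir%, as listed in the profile
DROPPED = {r"system32\prnta.exe", r"system32\prntc.exe", "prntsvr.dll",
           "prntk.log", "prntc.log", r"temp\feff35a0.htm", r"temp\fa4537ef.tmp"}

def shell_extras(shell_value):
    """Anything appended to Winlogon 'Shell' beyond the stock Explorer.exe.
    The profile shows it rewritten to 'Explorer.exe C:\\WINNT\\SYSTEM32\\PRNTC.EXE'."""
    tokens = shell_value.replace(",", " ").split()
    return [t for t in tokens if t.lower() != "explorer.exe"]

def run_hits(run_values):
    """Run values named 'load32' or pointing at PRNTA.EXE."""
    return sorted(n for n, cmd in run_values.items()
                  if n.lower() == "load32" or "prnta.exe" in cmd.lower())

def file_hits(windir, paths):
    """Dropped files present under %WinDir%, plus PRNTB.EXE in any Startup folder."""
    base = windir.lower().rstrip("\\") + "\\"
    wanted = {base + f for f in DROPPED}
    return sorted(p for p in paths if p.lower() in wanted
                  or p.lower().endswith(r"\programs\startup\prntb.exe"))

def assess(registry, windir, paths):
    """registry: {key: {value_name: data}}; returns one finding list per indicator."""
    shell = registry.get(WINLOGON_KEY, {}).get("Shell", "Explorer.exe")
    return {
        "run": run_hits(registry.get(RUN_KEY, {})),
        "shell_extras": shell_extras(shell),
        "marker_key": MARKER_KEY in registry,
        "files": file_hits(windir, paths),
    }

# Constructed sample snapshot reproducing the profile's indicators
SAMPLE_REGISTRY = {
    RUN_KEY: {"load32": r"C:\WINNT\SYSTEM32\PRNTA.EXE"},
    WINLOGON_KEY: {"Shell": r"Explorer.exe C:\WINNT\SYSTEM32\PRNTC.EXE"},
    MARKER_KEY: {},
}
SAMPLE_PATHS = [r"C:\WINNT\SYSTEM32\PRNTA.EXE", r"C:\WINNT\PRNTSVR.DLL",
                r"C:\Documents and Settings\user2\Start Menu\Programs\Startup\PRNTB.EXE",
                r"C:\WINNT\SYSTEM32\notepad.exe"]

if __name__ == "__main__":
    print(assess(SAMPLE_REGISTRY, r"C:\WINNT", SAMPLE_PATHS))
```

A clean host yields empty lists, `False` for the marker key and no shell extras; any non-empty finding is worth a look even if the file names differ, since the Winlogon Shell change is a generic persistence technique.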

Aliases

Srv.SSA-KeyLogger

Virus Characteristics

-- Update Oct 25, 2005 --

Machines may be infected with this trojan via e-mails containing malicious website links. At the time of writing, these websites contain the Exploit-AniFile trojan, which downloads and installs this trojan on the victim's machine by exploiting a Windows vulnerability. The compromised machines may be used to propagate the malicious website links via e-mail.

The malicious e-mail may be crafted to contain the following:

To: [youremailaddr]@xxxx.xxx
From: xxxx@xxxx.xxx
Subject: SecuryTeam Order #117457 will be processed manually by our staff.txt
Thank you for your order (#117457)
We will manually process your order and contact you soon by phone or email.
Below you can find the summary of the order:
KEZAAM! Software distribution service
:
Purchased at: http://www.mar[hidden]ware.co.uk/info.html

This trojan bears strong similarities to the W32/Dumaru family (see for example W32/Dumaru.w). It opens a backdoor on the victim machine and also steals data from the machine. Such data includes:

  • email passwords
  • application passwords (e.g. FAR manager)
  • WebMoney data
  • logged keystrokes
  • clipboard data

The trojan targets applications with specific strings in the window title in an attempt to log keystrokes related to online financial transactions. Windows with titles containing any of the following strings are targeted:

  • gold
  • Storm
  • e-metal
  • WebMoney
  • WM Keeper
  • Keeper
  • Fethard
  • fethard
  • bull
  • Bull
  • mull
  • PayPal
  • Bank
  • bank
  • cash
  • ebay
  • ePass
  • iKobo
  • Fidelity

The trojan also harvests data from the temporary internet files on the victim machine.

Data is sent to the hacker via HTTP (a completed HTML form is written to %WinDir%\TEMP\feff35a0.htm, and IEXPLORE.EXE is launched to initiate its posting). Users should block HTTP access to the following domain:

  • http://govno.ws

Stolen data may also be sent to the hacker via email - the trojan contains its own SMTP engine to construct outgoing messages.

The backdoor functionality includes an FTP server, screen captures, webcam control and file execution.


All Users:
Use specified engine and DAT files for detection.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup will be successfully removed if cleaning with the current engine and the specified DATs (or higher). Older engines may not be able to remove all registry keys created by this threat.

Additional Windows ME/XP removal considerations