Les informations contenues dans cette rubrique de notre site web sont constamment mises à jour. Afin de vous garantir un contenu le plus actualisé possible, elles sont uniquement diffusées en anglais.

Virus Profile: BackDoor-CHT

Threat Search
Imprimer
   
Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 17/03/2005
Date Added: 25/08/2004
Origin: Unknown
Length: varies
Type: Trojan
Subtype: Remote Access
DAT Required: 4388
Removal Instructions
   
 
 
   

Description

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Indication of Infection

  • Existence of the files/Registry keys detailed above

Methods of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email, etc .
   

Virus Characteristics

This detection is for a remote access trojan written in MSVC.

Installation

Upon execution, the trojan installs itself into the %Sysdir% directory as hkdoordll.dll .

(Where %Windir% is the Windows directory, for example C:\WINDOWS)
(Where %Sysdir% is the Windows System directory, for example C:\WINDOWS\SYSTEM)

For example:

c:\windows\system32\hkdoordll.dll

The following Registry key(s) is/are added to hook system startup:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\netwall "DisplayName" = "netwall"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\netwall "ErrorControl" = 01, 00, 00, 00

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\netwall "ImagePath" = "\??\C:\WINDOWS\system32\Drivers\netwall.sys"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\netwall "Start" = 03, 00, 00, 00

Remote Access Functionality

Once running on the victim machine, the server component opens a TCP socket accepting commands sent from the client component on that is injected into various system processes.

The client component offers many functions to the hacker, including: 

  • Sending popup messages
  • Executing any DOS command
  • Playing, stopping, opening closing the CD
  • Force the user to log off
  • Disabling double-click on the victim machine
  • Opening specific websites with the browser
  • Upload/download/execute files on the victim machine
   
All Users:
Use current engine and DAT files for detection. Delete any file which contains this detection.
   

Un ordinateur infecté ? Obtenez l'aide d'un expert !

McAfee
Service de suppression des virus

Contactez l'un de nos spécialistes en sécurité par téléphone. Regardez votre PC pendant que nous résolvons le problème à distance.

$89.95 (USD)

Publicité