Virus Profile: BackDoor-CIP

Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 9/15/2004
Date Added: 9/15/2004
Origin: Unknown
Length: 10,169 bytes
Type: Trojan
Subtype: Remote Access
DAT Required: 4391

Description

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Indication of Infection

The following port open: 1056
Existence of the files and Registry keys listed under Virus Characteristics below.

Methods of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email, etc.


Virus Characteristics

This detection is for a remote access trojan that has been packed with FSG.

Installation
Upon execution, the trojan installs itself into the %SysDir% directory as mcsmss.exe.

The trojan creates the following registry key:
HKEY_CURRENT_USER\Software\samb\mcsmss\mzu

The following Registry value is added to hook system startup:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "cmssSystemProcess" = %SysDir%\csmss.exe

The trojan changes the following registry values:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Start Page" = about:blank

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main "Start Page" = about:blank

Once running on the victim machine, the server component opens a TCP socket accepting commands sent from the client component on port 1056.
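The following PowerShell host check is an added example, not part of this profile or of any vendor tool; it looks for the file, registry and port artifacts listed above. It assumes a current Windows host (Get-NetTCPConnection needs Windows 8 / Server 2012 or later) and checks both file names the profile gives (mcsmss.exe as the dropped file, csmss.exe in the Run value).

```powershell
# Added example: sweep a host for the BackDoor-CIP indicators in this profile.
# Run from an elevated prompt so HKLM and other users' processes are readable.
$findings = @()

# 1. Dropped file in %SysDir% (profile lists mcsmss.exe; Run value says csmss.exe)
$sysDir = [Environment]::SystemDirectory
foreach ($name in 'mcsmss.exe', 'csmss.exe') {
    $path = Join-Path $sysDir $name
    if (Test-Path $path) { $findings += "File present: $path" }
}

# 2. Startup hook: Run value named cmssSystemProcess under HKLM
$runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and ($run.PSObject.Properties.Name -contains 'cmssSystemProcess')) {
    $findings += "Run value present: cmssSystemProcess = $($run.cmssSystemProcess)"
}

# 3. Marker key the trojan creates under HKCU
if (Test-Path 'HKCU:\Software\samb\mcsmss\mzu') {
    $findings += 'Registry key present: HKCU\Software\samb\mcsmss\mzu'
}

# 4. IE Start Page reset to about:blank (weak on its own; corroborating only)
foreach ($hive in 'HKCU', 'HKLM') {
    $main = Get-ItemProperty -Path "${hive}:\Software\Microsoft\Internet Explorer\Main" `
                             -ErrorAction SilentlyContinue
    if ($main -and $main.'Start Page' -eq 'about:blank') {
        $findings += "$hive Internet Explorer Start Page is about:blank"
    }
}

# 5. Server component listening on TCP 1056; report the owning process
$listener = Get-NetTCPConnection -LocalPort 1056 -State Listen -ErrorAction SilentlyContinue |
            Select-Object -First 1
if ($listener) {
    $proc = Get-Process -Id $listener.OwningProcess -ErrorAction SilentlyContinue
    $findings += "TCP 1056 listening, PID $($listener.OwningProcess) ($($proc.ProcessName))"
}

if ($findings) { $findings | ForEach-Object { Write-Output "[!] $_" } }
else           { Write-Output 'No BackDoor-CIP indicators found on this host.' }
```

A hit on items 1, 2, 3 or 5 is specific to this trojan; item 4 alone is a common benign setting and should only be treated as corroboration.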

Removal Instructions

Use current engine and DAT files for detection and removal. Removal requires removing the entry in the SYSTEM.INI file and restarting in MS-DOS mode to delete the file manually from the Windows and Windows\System folders.