Virus Profile: Generic BackDoor!bdm

Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 10/29/2009
Date Added: 10/29/2009
Origin: N/A
Length: N/A
Type: Trojan
Subtype: N/A
DAT Required: 5786
Description

This is a Trojan detection. Unlike viruses, Trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

File Properties

File Name : Xp.exe
Size      : 66,048 bytes
MD5       : 0709C498C40B4987B0E181B00274C7B6
SHA1      : 45D3C1023A160B2F7D07CF5A508756C391985752

Aliases

Kaspersky : Trojan.Win32.Dialer.ext
Ikarus    : Trojan.Win32.Dialer
Ahnlab    : Win-Trojan/Downloader.48640.AI
Sophos    : Mal/EncPk-

Indication of Infection

The server component is installed on the victim machine, typically into %WinDir% or %WinDir%\System. System startup is generally hooked via a Registry key or adding an entry into the WIN.INI or SYSTEM.INI system files.

Methods of Infection

Once the server component is installed on the victim machine, it opens a port and typically issues a notification to the hacker. The hacker can then connect to that machine using the client component.

Virus Characteristics

System Changes

It enables backdoor functionalities by connecting to a remote site and performing actions as programmed by a remote attacker.

The following folders have been added to the system:

  • %SystemDrive%\DATA
  • %SystemDrive%\DATA\SYSTEM

The following files have been added to the system:

  • %SystemDrive%\DATA\SYSTEM\Desktop.ini
  • %SystemDrive%\DATA\SYSTEM\Xp.exe

When executed, Xp.exe creates a copy of itself on the system.

It uses explorer.exe to perform malicious activities.

The following registry elements have been added:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{67KLN5J0-4OPM-00WE-AAX5-74KC2A323342}
"StubPath" = "%SystemDrive%\DATA\SYSTEM\Xp.exe"

The above-mentioned registry entry causes the copy to run automatically every time Windows starts.

These are the defaults for typical path variables (they may differ, but these are common examples):
%SystemDrive% = the drive where Windows is installed (C: is the default on most computers)
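As an added defender-side example (not part of this profile), the script below audits a .reg export of the Active Setup "Installed Components" key for StubPath entries that launch from outside the usual Windows and Program Files locations, which is how the persistence described above would stand out. The export text, the list of trusted prefixes and the GUID-format heuristic are all assumptions of this example; the sample export is constructed, with the first entry mirroring the key shown on this page.

```python
import re

# Constructed .reg-style export of the Active Setup key (not captured from a real
# host). The first entry reproduces the StubPath persistence described on this
# page; the second is a benign entry in the style Windows itself uses.
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{67KLN5J0-4OPM-00WE-AAX5-74KC2A323342}]
"StubPath"="%SystemDrive%\\DATA\\SYSTEM\\Xp.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11CF-8B85-00AA005B4340}]
"StubPath"="%SystemRoot%\\system32\\regsvr32.exe /n /i:U shell32.dll"
"""

KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\(\{[^}]+\})\]$",
    re.I)
STUB_RE = re.compile(r'^"StubPath"="(.*)"$')
# Genuine Active Setup component GUIDs are hexadecimal; anything else is a heuristic flag.
GUID_RE = re.compile(r"^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)

# Locations from which a legitimate StubPath normally launches (assumed allow-list).
TRUSTED_PREFIXES = ("%systemroot%", "%windir%", "%programfiles%", "%programfiles(x86)%",
                    "%commonprogramfiles%", r"c:\windows", r"c:\program files")

def parse_stubpaths(reg_text):
    """Map each Installed Components GUID to its StubPath, with .reg escaping undone."""
    entries, current = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        key = KEY_RE.match(line)
        if key:
            current = key.group(1)
            continue
        stub = STUB_RE.match(line)
        if stub and current:
            # .reg files write REG_SZ with \\ for a backslash and \" for a quote
            entries[current] = stub.group(1).replace('\\"', '"').replace("\\\\", "\\")
    return entries

def audit_active_setup(reg_text):
    """Return (guid, stubpath, reasons) for every entry that deserves a closer look."""
    findings = []
    for guid, path in parse_stubpaths(reg_text).items():
        reasons = []
        if not GUID_RE.match(guid):
            reasons.append("malformed GUID")
        if not path.lower().lstrip('"').startswith(TRUSTED_PREFIXES):
            reasons.append("untrusted location")
        if reasons:
            findings.append((guid, path, reasons))
    return findings
```

Running `audit_active_setup(SAMPLE_REG)` flags only the first entry, for both its non-hex GUID and its launch path under %SystemDrive%\DATA\SYSTEM.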

Removal Instructions

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations