Les informations contenues dans cette rubrique de notre site web sont constamment mises à jour. Afin de vous garantir un contenu le plus actualisé possible, elles sont uniquement diffusées en anglais.

Virus Profile: BackDoor-EHD

Threat Search
Imprimer
   
Virus Profile information details
Risk Assessment: Home N/A | Corporate N/A
Date Discovered: 31/10/2009
Date Added: 31/10/2009
Origin: N/A
Length: N/A
Type: -
Subtype: -
DAT Required: 5789
Removal Instructions
   
 
 
   

Description

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Indication of Infection

Presence of the files mentioned above.

Unexplained activity on the victim's machine indicative of someone having remote access via the client component.

Methods of Infection

Trojans do not self-replicate. They spread manually, often under the premise that the executable is something beneficial.

Trojans may also be received as a result of poor security practices, or un-patched machines and vulnerable systems.

Distribution channels include IRC, peer-to-peer networks, email, newsgroups postings, etc.

   

Virus Characteristics

Upon execution this malware drops itself into the WINDOWS SYSTEM directory (typically c:\windows\system32 or c:\winnt\system32) and also drops a dll, clipsvc.dll or snmap.dll

The Dll injects itself into Iexplore.exe

It then creates the following Registry Keys:
   

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ClipSvc

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ClipSvc\Security

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ClipSvc\Enum

 

The following registry values are set for the previously created keys:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ClipSvc "Description"
   Data: Enables ClipSvc Viewer to store information and share it with remote computers. If the service is stopped, ClipBook Viewer will not be able to share information with remote computers.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ClipSvc "DisplayName"
    Data: ClipSvc

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ClipSvc "ImagePath"
    Data: [Value] 

 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ClipSvc "ErrorControl"
     Data: [Value] 

 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ClipSvc "Start"
     Data: [Value]  

 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ClipSvc "Type"
     Data: [Value]  

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ClipSvc "ObjectName"
     Data: LocalSystem  

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CLIPSVC\0000\Control "NewlyCreated"
     Data: [Value]

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CLIPSVC\0000\Control "ActiveService"
     Data: ClipSvc
 
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ClipSvc\Security "Security"
     Data: [Value] 

   
   
Contact may be made with the following domains :
   family-monitoring.com
   supersoft365.com

(During the analysis, the above domains were down)

   

A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.

Additional Windows ME/XP removal considerations

   

Un ordinateur infecté ? Obtenez l'aide d'un expert !

McAfee
Service de suppression des virus

Contactez l'un de nos spécialistes en sécurité par téléphone. Regardez votre PC pendant que nous résolvons le problème à distance.

$89.95 (USD)

Publicité