Virus Profile: BackDoor-UK

Risk Assessment: Home Low | Corporate Low
Date Discovered: 7/15/2001
Date Added: 1/18/2002
Origin: Unknown
Length: Varies
Type: Trojan
Subtype: Remote Access
DAT Required: 4150
Description

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Indication of Infection

Port 6667 being left open

Methods of Infection

Executing this trojan installs it on your system, which is then vulnerable to attack. The infected machine "reports in" to an Internet Relay Chat server, and can therefore accept remote commands from an attacker. The attacker can perform file operations on the remote system and initiate a DDoS attack from it as well.

Aliases

Backdoor.DSNX (AVP), Troj/Dsnx (Sophos), TROJ_DSNX (Trend)

Virus Characteristics

This BackDoor trojan is configurable, so the specifics of each sample can vary. When run, the trojan copies itself to the WINDOWS SYSTEM directory as WIN(random characters).EXE and creates a registry run key to load itself at startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WinDSNX

The originally executed file is then deleted. The trojan connects to a configured IRC server, port, and channel. This allows an attacker to send commands to the client via IRC. These commands include:
  • Keylogging
  • IRC DCC Sending
  • File deletion
  • File execution
  • Port Scanning
  • Flooding
  • Port redirecting
  • Remote file downloading
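The following is an added example, not part of the McAfee profile, showing how an administrator could check a Windows host for the indicators described above: the WinDSNX Run-key value, a Run-key entry launching a WIN*.EXE from the system directory, and TCP activity on port 6667. It assumes an elevated PowerShell session on Windows 8 / Server 2012 or later (for Get-NetTCPConnection) and a small allow-list of legitimate WIN*.EXE names, which is this script's own assumption.

```powershell
# Hypothetical detection script for the BackDoor-UK indicators in this profile.
$runKey   = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$sysDir   = [Environment]::SystemDirectory   # e.g. C:\Windows\System32
$allow    = @('winlogon.exe')                 # assumed allow-list of legitimate WIN*.EXE
$findings = @()

$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run) {
    # 1. The exact Run-key value name the profile describes.
    if ($run.PSObject.Properties['WinDSNX']) {
        $findings += "Run key value WinDSNX -> $($run.WinDSNX)"
    }

    # 2. Any Run-key entry that launches WIN<random>.EXE from the system directory.
    foreach ($p in $run.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, etc.
        $cmd = [string]$p.Value
        if ($cmd -match '(?i)\\win[^\\]*\.exe' -and $cmd -like "*$sysDir*") {
            $clean = $cmd -replace '"', ''
            $exe   = [IO.Path]::GetFileName(($clean -split '\s+')[0])
            if ($allow -notcontains $exe.ToLower()) {
                $findings += "Run key '$($p.Name)' launches $cmd"
            }
        }
    }
}

# 3. Any TCP connection using port 6667 (the IRC port listed as the
#    indication of infection), with the owning process name.
Get-NetTCPConnection -ErrorAction SilentlyContinue |
    Where-Object { $_.RemotePort -eq 6667 -or $_.LocalPort -eq 6667 } |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        $findings += "PID $($_.OwningProcess) ($($proc.ProcessName)) $($_.State): $($_.LocalAddress):$($_.LocalPort) -> $($_.RemoteAddress):$($_.RemotePort)"
    }

if ($findings.Count -eq 0) {
    'No BackDoor-UK indicators found.'
} else {
    'Indicators found (review before acting):'
    $findings | ForEach-Object { "  $_" }
}
```

A hit on the Run key alone is not proof of infection, since the trojan is configurable; confirm with the current engine and DAT files before cleaning.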

Removal Instructions

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations