Virus Profile: BackDoor-AOT

Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 11/7/2002
Date Added: 11/8/2002
Origin: Unknown
Length: Varies (279 kB - 284 kB)
Type: Trojan
Subtype: Password
DAT Required: 4233
Description

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Indication of Infection

Presence of the file MPTASK.EXE in the Windows System directory, using an icon typically associated with the Microsoft Synchronization Manager.

Methods of Infection

This trojan connects to a remote website to retrieve "further instructions".

Aliases

BackDoor.Lala, Mine.279040, Zasil.279040
   

Virus Characteristics

-- Update 10th Jan 2003 --

A new variant of this trojan (file length: 283,648 bytes, tElock packed) is downloaded by the W32/Sobig@MM worm. Detection of this variant requires the 4242 DATs.

--

This trojan appears to be related to Downloader-BN, but at a specific date/time it also opens TCP port 1180 on the victim machine, giving the attacker remote access to it.

The trojan contains password stealing keylogger code. This trojan connects to a geocities.com user's site to retrieve a URL. It then navigates to that URL, passing the following information:

  • IP address
  • Drive letters and type
  • Windows version
  • Machine name
  • Username
The trojan queries several registry keys to report whether the following programs are installed:
  • WebMonkey
  • PGP
  • BestCrypt
  • WinMX
  • Return to Castle Wolfenstein
  • Soldier of Fortune II
The content of the web page accessed is saved to the file NBVLK32.NDR in the WINDOWS SYSTEM (%SysDir%) directory. A copy of the trojan is saved to the %SysDir% directory as MPTASK.EXE, and a registry run key is created so that it starts with Windows:
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "MPtask Services" = C:\WINDOWS\SYSTEM\mptask.exe
A keylogger DLL is also dropped in the %SysDir% directory as NBRBK32.DLL. The trojan attempts to steal cookies associated with PayPal, iFriend, E-Bullion, EZCardin, Chase, Evocash, Gold, Account Access, Nettler, WebMoney, eBay, and banks, and it monitors typed keystrokes.

The trojan periodically connects to the author's site to retrieve commands and the current date and time. At a specified date/time, the trojan opens TCP port 1180 and sends a notification to the geocities.com user page, including the IP address and the password needed to access the infected system.
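The host indicators above (the dropped files, the "MPtask Services" run value and the TCP/1180 listener) are easy to check offline from artifacts an analyst would already have collected. The following script is an added example, not McAfee's tooling: it parses the text output of `reg query` against the Run key and of `netstat -an`, plus a plain listing of %SysDir%, and reports which indicators from this profile are present. The sample command output embedded below is constructed for the example.

```python
"""Offline triage for the BackDoor-AOT indicators in this profile.

Added example (not McAfee's code). Inputs are the captured text of:
    reg query "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"
    netstat -an
plus a list of file names from the Windows System directory.
"""
from __future__ import annotations

import re
from typing import Iterable

# Indicators taken from the profile text (file names compared case-insensitively).
DROPPED_FILES = {"mptask.exe", "nbvlk32.ndr", "nbrbk32.dll"}
RUN_VALUE_NAME = "MPtask Services"
RUN_VALUE_DATA = "mptask.exe"
BACKDOOR_PORT = 1180

# A "reg query" value row: "    Name    REG_SZ    C:\path\file.exe"
# Fields are separated by runs of at least two spaces, so a single space
# inside the value name ("MPtask Services") is preserved.
_REG_LINE = re.compile(
    r"^\s*(?P<name>.+?)\s{2,}(?P<type>REG_\w+)\s{2,}(?P<data>.*?)\s*$"
)
# A "netstat -an" TCP row: "  TCP    0.0.0.0:1180    0.0.0.0:0    LISTENING"
_NETSTAT_LINE = re.compile(
    r"^\s*TCP\s+(?P<local>\S+):(?P<port>\d+)\s+\S+\s+(?P<state>LISTENING|ESTABLISHED)\s*$",
    re.IGNORECASE,
)


def check_run_key(reg_output: str) -> list[str]:
    """Findings for Run values whose name or data match the profile."""
    findings = []
    for line in reg_output.splitlines():
        m = _REG_LINE.match(line)
        if not m:
            continue
        name, data = m.group("name"), m.group("data")
        if name.lower() == RUN_VALUE_NAME.lower() or RUN_VALUE_DATA in data.lower():
            findings.append(f"run key: {name} = {data}")
    return findings


def check_system_dir(listing: Iterable[str]) -> list[str]:
    """Findings for dropped-file names present in a %SysDir% listing."""
    return [f"file: {name}" for name in listing if name.lower() in DROPPED_FILES]


def check_netstat(netstat_output: str) -> list[str]:
    """Findings for a listener on the backdoor port."""
    findings = []
    for line in netstat_output.splitlines():
        m = _NETSTAT_LINE.match(line)
        if (m and int(m.group("port")) == BACKDOOR_PORT
                and m.group("state").upper() == "LISTENING"):
            findings.append(f"listener: tcp/{BACKDOOR_PORT} on {m.group('local')}")
    return findings


def triage(reg_output: str, listing: Iterable[str], netstat_output: str) -> list[str]:
    """Combine all three checks; an empty list means no indicator matched."""
    return check_run_key(reg_output) + check_system_dir(listing) + check_netstat(netstat_output)


# --- Constructed sample data (not captured from a real infection) ---
SAMPLE_REG = """
HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
    ScanRegistry    REG_SZ    C:\\WINDOWS\\scanregw.exe /autorun
    MPtask Services    REG_SZ    C:\\WINDOWS\\SYSTEM\\mptask.exe
"""
SAMPLE_LISTING = ["KERNEL32.DLL", "MPTASK.EXE", "nbrbk32.dll", "NBVLK32.NDR", "USER.EXE"]
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1180           0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1032       198.51.100.7:80        ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_REG, SAMPLE_LISTING, SAMPLE_NETSTAT):
        print(finding)
```

Because the profile says the port is only opened at a date/time chosen by the author, the absence of a TCP/1180 listener does not clear a host; the run value and the three dropped files are the persistent indicators to rely on.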

The trojan is dropped by a file that was posted to a newsgroup. The dropper extracts a JPG file to the %Temp% folder and opens it; the image is pornographic.

All Windows Users:
Use current engine and DAT files for detection and removal.