Backdoor.IRC.Snyd.B

Aliases: Backdoor.Win32.Breplibot.c (Kaspersky), Troj/Stinx-F (Sophos), W32/Brepibot virus (McAfee)

Virus Encyclopedia
Spreading: LOW
Damage: MEDIUM
Size: 10,240 bytes (UPX packed)
Discovered: 2005 Nov 09

FREE REMOVAL TOOL: N/A

SYMPTOMS:
It is virtually impossible for a normal user to detect the presence of any files hidden by the Sony DRM software. See the technical description below. Prior to 10 Nov 2005 this malware was proactively detected as BehavesLike:Win32.Sony-DRMHiddenFile.

TECHNICAL DESCRIPTION:
Snyd.B is an improved variant of Snyd.A: the author has fixed a few bugs and changed a few strings. Once executed, the virus does the following:

1. Checks whether it is running in a sandbox; if so, it creates the mutex "Super" and exits.
2. Attempts to copy itself as %SYSTEM%\$sys$xp.exe, retrying every second until it succeeds. The $sys$ prefix is the one the Sony DRM software cloaks from the user, which is why the dropped file cannot be seen with normal tools on a machine where that software is installed.
3. Checks whether it is running for the first time by testing for the mutex "$sys$xp.exe". If it is the first run, it:
   - creates the registry value "$sys$cmp" = "$sys$xp.exe" in
     HKLM\Software\Microsoft\Windows\CurrentVersion\Run
     HKCU\Software\Microsoft\Windows\CurrentVersion\Run
   - attempts to bypass the Windows Firewall by running a batch file that registers the trojan as a trusted program in the firewall's exception list
   - sends a notification of the infection to an Internet address on port 8080
4. If it is not the first run, it connects to five IRC servers, joins the #cell channel and waits for commands from the attacker. The commands allow the attacker to see uptime, delete, download and execute files, and see system information. The bot's nickname is constructed from the computer name, the user name and random characters.

REMOVAL INSTRUCTIONS: Please let BitDefender disinfect your files.

ANALYZED BY: Patrik Vicol, virus researcher
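The host-side indicators listed in the technical description (the Run value, the dropped file, the infection-marker mutex and the firewall exception) can be checked on a live Windows machine with the script below. It is an added example written for this page, not BitDefender's removal tool and not code taken from the malware. The firewall exception registry path, the IRC port numbers used for the network check and the Global\ mutex namespace are assumptions, since the analysis above does not state them. Run it from an elevated PowerShell prompt.

```powershell
# Triage script for the Snyd.B indicators described above (added example, not BitDefender's tool).
# Caveat: while the Sony DRM driver is loaded it hides $sys$-prefixed objects from
# user-mode APIs, so an empty result is NOT proof that the machine is clean.
# Re-run from a clean boot environment, or after the DRM driver has been disabled.

$findings = @()

# 1. Autorun value "$sys$cmp" = "$sys$xp.exe" in the HKLM and HKCU Run keys.
foreach ($hive in 'HKLM', 'HKCU') {
    $key = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Run"
    $val = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'$sys$cmp'
    if ($val) { $findings += "Run value `$sys`$cmp = '$val' in $key" }
}

# 2. Dropped copy %SYSTEM%\$sys$xp.exe (single quotes keep PowerShell from expanding $sys).
$dropped = Join-Path $env:SystemRoot 'System32\$sys$xp.exe'
if (Test-Path -LiteralPath $dropped) { $findings += "File present: $dropped" }

# 3. Infection-marker mutex "$sys$xp.exe". The analysis does not say which namespace
#    the bot uses, so both the session-local and the Global\ name are tried (assumption).
foreach ($name in '$sys$xp.exe', 'Global\$sys$xp.exe') {
    try {
        $m = [System.Threading.Mutex]::OpenExisting($name)
        $m.Close()
        $findings += "Mutex is present: $name"
    } catch [System.Threading.WaitHandleCannotBeOpenedException] {
        # not present, nothing to report
    } catch {
        # access denied or other error: the mutex may exist but be unreadable
        $findings += "Mutex check for $name failed: $($_.Exception.Message)"
    }
}

# 4. Windows Firewall (XP SP2-era) authorized-applications list, where the trojan's
#    batch file registers it as a trusted program. Each value name is the program
#    path and the data looks like "C:\path\prog.exe:*:Enabled:Name" (registry
#    location assumed; the analysis only says the firewall list is modified).
$fwKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
$fw = Get-ItemProperty -Path $fwKey -ErrorAction SilentlyContinue
if ($fw) {
    foreach ($p in $fw.PSObject.Properties) {
        if ($p.Name -like '*$sys$*' -or $p.Value -like '*$sys$*') {
            $findings += "Firewall exception: $($p.Name) = $($p.Value)"
        }
    }
}

# 5. Live IRC control session. The analysis names the #cell channel but not the
#    servers or ports, so the common IRC ports below are an assumption.
$irc = netstat -ano | Select-String -Pattern ':(6667|6668|6669|7000)\s+ESTABLISHED'
foreach ($line in $irc) { $findings += "Possible IRC session: $($line.Line.Trim())" }

if ($findings.Count -eq 0) {
    'No Snyd.B indicators visible from user mode (not conclusive while the Sony DRM driver is loaded).'
} else {
    $findings
}
```

The mutex check is the most reliable of the five on a rootkit-affected host: the Sony driver hides files and registry entries that start with $sys$, but a named mutex can still be opened by name from user mode, so a successful OpenExisting on "$sys$xp.exe" is a strong sign that the bot is running even when the file and Run value appear to be absent.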