BackDoor-CGZ

Type: Trojan
SubType: Remote Access
Discovery Date: 03/18/2005
Length:
Minimum DAT: 4383 (08/04/2004)
Updated DAT: 4769 (05/24/2006)
Minimum Engine: 5.1.00
Description Added: 08/04/2004
Description Modified: 07/07/2006 4:09 PM (PT)
Risk Assessment
  Corporate User: Low
  Home User: Low

Characteristics

When executed, this backdoor installs the following files on the system:

  • %WINDIR%\wints.ini ( 49 bytes ) 
  • %WINDIR%\timed.exe ( 20044 bytes ) 
  • %WINDIR%\timer.exe 
  • c:\documents and settings\%USER%\local settings\temp\dcat.log

This trojan also configures itself to load at system startup.

The following registry keys are also created:

  • hkey_local_machine\software\cat\myid="VMG-CLIENT/XP/WqQvXmoiFg7q"
  • hkey_local_machine\software\cat
  • hkey_local_machine\software\microsoft\windows\currentversion\run\timer="%WINDIR%\timer.exe /i"

Symptoms

Presence of the files and registry keys mentioned.

The application creates the following network connections:

  • timed.exe server:www.google.com port:80
  • timer.exe server:www.google.com port:80

The executable filename can vary.

Method of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial.
Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email, etc.

Removal

All Users:
Use the specified engine and DAT files for detection and removal.

Additional Windows ME/XP removal considerations

Variants

N/A

Overview

This trojan also queries DNS servers on the Internet to check whether the infected machine is connected to the Internet.

Aliases

  • Backdoor.Webdor (Dr Web)
  • Trojan.Natspammer (Symantec)
