Generic BackDoor.u
- Type
- Trojan
- SubType
- Win32
- Discovery Date
- 04/05/2005
- Length
- varies
- Minimum DAT
- 4461 (04/04/2005)
- Updated DAT
- 6057 (07/28/2010)
- Minimum Engine
- 5.1.00
- Description Added
- 04/04/2005
- Description Modified
- 03/08/2010 10:41 PM (PT)
Risk Assessment
- Corporate User
- Low-Profiled
- Home User
- Low-Profiled
Characteristics
Generic BackDoor.u is a generic detection name for trojans that open a backdoor and allow the attacker to issue commands to control the compromised machines. More information on Generic BackDoor detections is available here.
Updated March 5th 2010
A new detection was added to this generic family. A dll by the name of Arucer.dll was found which is capable of allowing remote access to a system. This dll file is usually located in the %System% folder and has an associated Run key entry which allows it to restart on reboot:
- rundll32 %System%\Arucer.dll,Arucer
The backdoor opens port 7777, where it accepts connections. For any connection attempt, the first four bytes are read and XOR'd with 0xE5. Following the first 4 bytes, the backdoor accepts up to 0x800 bytes of data. This data is XOR'd with the same key, and the decoded data is then interpreted as commands. There is a list of 9 commands. Some of the commands are as follows:
- {E2AC5089-3820-43fe-8A4D-A7028FAD8C28}
- {F6C43E1A-1551-4000-A483-C361969AEC41}
- {EA7A2EB7-1E49-4d5f-B4D8-D6645B7440E3}
Although no malicious activity was observed during testing, such a backdoor may allow attackers open access to machines.
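The wire format described above, as an added defender-side decoder for captured TCP/7777 payloads (not McAfee's code): it strips the single-byte XOR from the 4-byte header and the body, pulls out the leading command GUID, and checks it against the three GUIDs listed on this page. The sample captures are constructed here; the page does not say what the 4-byte header encodes, so it is returned as raw bytes.

```python
import re

XOR_KEY = 0xE5              # single-byte key the page names for header and body
HEADER_LEN = 4              # first four bytes of every connection
MAX_BODY = 0x800            # the backdoor reads at most 0x800 bytes after the header

# The three command GUIDs listed on the page (compared case-insensitively).
KNOWN_COMMANDS = {
    "{E2AC5089-3820-43FE-8A4D-A7028FAD8C28}",
    "{F6C43E1A-1551-4000-A483-C361969AEC41}",
    "{EA7A2EB7-1E49-4D5F-B4D8-D6645B7440E3}",
}
GUID_RE = re.compile(rb"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


def xor_e5(data: bytes) -> bytes:
    """XOR every byte with 0xE5; the operation is its own inverse."""
    return bytes(b ^ XOR_KEY for b in data)


def decode_message(raw: bytes) -> dict:
    """Decode one captured client-to-backdoor message.

    Returns the de-obfuscated 4-byte header (its meaning is not stated on the
    page, so it is left as raw bytes), the GUID command at the start of the
    body if there is one, and whether that GUID is one of the listed commands.
    """
    if len(raw) < HEADER_LEN:
        raise ValueError("message shorter than the 4-byte header")
    header = xor_e5(raw[:HEADER_LEN])
    body = xor_e5(raw[HEADER_LEN:HEADER_LEN + MAX_BODY])
    match = GUID_RE.match(body)
    command = match.group(0).decode("ascii") if match else None
    return {
        "header": header,
        "command": command,
        "known_command": command is not None and command.upper() in KNOWN_COMMANDS,
        "truncated": len(raw) - HEADER_LEN > MAX_BODY,
    }


# Constructed sample captures (not real traffic), obfuscated the way the page
# describes, so that decoding them exercises each branch above.
SAMPLE_KNOWN = xor_e5(b"\x01\x00\x00\x00" + b"{E2AC5089-3820-43fe-8A4D-A7028FAD8C28}")
SAMPLE_UNKNOWN = xor_e5(b"\x01\x00\x00\x00" + b"{00000000-0000-0000-0000-000000000000}")
SAMPLE_NOISE = b"GET / HTTP/1.0\r\n\r\n"   # plain HTTP probe that happened to hit port 7777

if __name__ == "__main__":
    for name, cap in (("known", SAMPLE_KNOWN), ("unknown", SAMPLE_UNKNOWN), ("noise", SAMPLE_NOISE)):
        print(name, decode_message(cap))
```

A GUID-shaped command that is not in the listed set is still worth alerting on, since the page says only some of the 9 commands are listed.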
===============================================================================
There are several variants of this trojan. This description is for a specific sample.
On execution, the trojan copies itself into %SystemDir% and drops a dll file in %SystemDir% as {random_name}.dIl. random_name means that the name of this dll file, whose extension is dIl, may be different on different instances of execution of this trojan.
It then registers the dll as a COM object by creating registry entries under:
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{<DLL_CLSID>}\
(where <DLL_CLSID> is the CLSID that the trojan associates with the dropped dll, which may be different each time the trojan executes. An example of <DLL_CLSID> is F3972BD9-2B47-3F3D-A42C-B2B13A2C187D.)
It also drops and loads another dll from the following location:
- X:\Documents and Settings\%User%\Local Settings\Temp\{random_name}.dll
(where X: is the system drive letter, e.g. C:, %User% is the current user ID, and random_name means that the name of the dll may be different on different instances of execution of this trojan.)
To activate itself on reboot, the trojan may add itself under the following registry entry:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
It then opens a backdoor and listens for commands. The port on which the backdoor is opened may be random. Some of the commands it can accept may allow the remote attacker to:
- Transfer files
- Load/Unload dll files
- Query/Modify system registry
- Launch a DoS (denial-of-service) attack on a specified target
- Shutdown/Restart the compromised machine
Code suggests that the malware accepts the following list of commands:
- RUNDLL
- RESTART
- RESPAWN
- UNINSTALL
- MULTICAST
- RESOLVE
- STATS
- SETCOOKIE
- DELCOOKIES
- LISTCOOKIES
- EXPORT
- ADDTO
- DELFROM
- SETSTR
- PERFRM
- UNFREEZE
- RMOLD
- UNIFORG
- SETWND
- LSTWND
- SHUTDOWN
- DISKFLOOD
- DISKUNFLOOD
Symptoms
- Presence of files and registries as mentioned.
- Unexpected network traffic.
- More information on symptoms of Generic BackDoor is available here.
Method of Infection
Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, etc.
Removal
AVERT recommends always using the latest DATs and engine. This threat will be cleaned if you have this combination.
Variants
N/A
Overview
-- Update March 9, 2010 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at: http://news.techworld.com/security/3214563/energizer-bunny-infects-pcs-with-backdoor-malware/
--