BackDoor-CRX

Type: Trojan
SubType: Remote Access
Discovery Date: 05/13/2005
Length: Varies
Minimum DAT: 4491 (05/13/2005)
Updated DAT: 5274 (04/15/2008)
Minimum Engine: 5.1.00
Description Added: 05/13/2005
Description Modified: 04/15/2008 1:43 AM (PT)

Risk Assessment
Corporate User: Low-Profiled
Home User: Low-Profiled

Characteristics

-- Update April 15, 2008 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://www.pcworld.com/businesscenter/article/144548/criminals_hack_ceos_with_fake_subpoenas.html


--

This trojan pretends to be an Acrobat install program, with the file name "Acrobat.exe" and a fake Acrobat icon.


When the trojan is executed on the victim machine, a fake error message box is displayed.


The following URL is accessed by the backdoor:

It drops the following DLL file and injects it into Explorer.exe.

  • %Sysdir%\acrobat.dll
    (Where %Sysdir% is the Windows System directory, for example C:\WINNT\SYSTEM32)

The following registry keys are created or modified:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BD942DA7-96C8-4342-84C6-E2BCFE69FE11}\InprocServer32\: "C:\WINDOWS\system32\acrobat.dll"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BD942DA7-96C8-4342-84C6-E2BCFE69FE11}\InprocServer32\ThreadingModel: "Apartment"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BD942DA7-96C8-4342-84C6-E2BCFE69FE11}\: "Adobe Acrobat ActiveX Control"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ftp\DefaultIcon\: "%SystemRoot%\system32\url.dll,0"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\: "C:\Program Files\Internet Explorer\iexplore.exe,1"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BD942DA7-96C8-4342-84C6-E2BCFE69FE11}\NoExplorer: 0x00000001
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Adobe Acrobat ActiveX Control: "Rundll32 acrobat.dll,AInit"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Acrobat\1: "124.217.{removed}.118"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Acrobat\2: 0x00000050
  • HKEY_LOCAL_MACHINE\SOFTWARE\Acrobat\3: "/NNN/parse.php"
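
As an added detection example (not McAfee's tooling), the following Python checks exported registry lines against the indicators listed above and reassembles the host, port and path stored under HKLM\SOFTWARE\Acrobat\1..3; the one-entry-per-line format and the meaning of those three values are assumptions that match the data shown on this page.

```python
"""Flag BackDoor-CRX persistence artefacts in exported registry lines."""
import re
from typing import Dict, List, Tuple

# CLSID and key names come from the registry list on this page.
CRX_CLSID = "{BD942DA7-96C8-4342-84C6-E2BCFE69FE11}"
INDICATORS: Dict[str, re.Pattern] = {
    "bho_registration": re.compile(
        r"Explorer\\Browser Helper Objects\\" + re.escape(CRX_CLSID), re.I),
    "clsid_inproc_dll": re.compile(
        r"CLSID\\" + re.escape(CRX_CLSID) + r"\\InprocServer32", re.I),
    "run_key_rundll32": re.compile(
        r"CurrentVersion\\Run\\Adobe Acrobat ActiveX Control", re.I),
    "c2_config_value": re.compile(
        r"HKEY_LOCAL_MACHINE\\SOFTWARE\\Acrobat\\[123]:", re.I),
    "dropped_dll_path": re.compile(r"\\system32\\acrobat\.dll", re.I),
}

# Constructed sample: the page's entries plus one benign Adobe key.
SAMPLE_REGISTRY_LINES = [
    r'HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BD942DA7-96C8-4342-84C6-E2BCFE69FE11}\InprocServer32\: "C:\WINDOWS\system32\acrobat.dll"',
    r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Adobe Acrobat ActiveX Control: "Rundll32 acrobat.dll,AInit"',
    r'HKEY_LOCAL_MACHINE\SOFTWARE\Acrobat\1: "124.217.{removed}.118"',
    r'HKEY_LOCAL_MACHINE\SOFTWARE\Acrobat\2: 0x00000050',
    r'HKEY_LOCAL_MACHINE\SOFTWARE\Acrobat\3: "/NNN/parse.php"',
    r'HKEY_LOCAL_MACHINE\SOFTWARE\Adobe\Acrobat Reader\8.0\InstallPath\: "C:\Program Files\Adobe\Reader 8.0\Reader"',
]


def scan_registry_lines(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (indicator name, line) for every line matching an indicator."""
    hits = []
    for line in lines:
        for name, pattern in INDICATORS.items():
            if pattern.search(line):
                hits.append((name, line.strip()))
    return hits


def c2_from_config(lines: List[str]) -> Dict[str, str]:
    """Assemble host/port/path from HKLM\\SOFTWARE\\Acrobat\\1..3.

    Assumption: value 1 is the host, 2 the port as a hex DWORD, 3 the
    path; this is consistent with the page (0x50 = 80, /NNN/parse.php).
    Returns {} unless all three values are present.
    """
    cfg = {}
    for line in lines:
        m = re.match(r'HKEY_LOCAL_MACHINE\\SOFTWARE\\Acrobat\\([123]):\s*"?([^"]+)"?',
                     line.strip(), re.I)
        if m:
            cfg[m.group(1)] = m.group(2)
    if not {"1", "2", "3"} <= cfg.keys():
        return {}
    port = int(cfg["2"], 16)
    return {"host": cfg["1"], "port": str(port), "path": cfg["3"],
            "url": f"http://{cfg['1']}:{port}{cfg['3']}"}
```

The benign Adobe Reader entry produces no hit, so the patterns key on the CLSID, the Run value name and the HKLM\SOFTWARE\Acrobat values rather than on the word "Acrobat" alone.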


Symptoms

Method of Infection

Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Removal

All Users:
Use specified engine and DAT files for detection and removal.

Additional Windows ME/XP removal considerations

Variants

    N/A

Overview

BackDoor-CRX trojan provides remote access capabilities to an attacker by opening a backdoor on the compromised machine.

Aliases

  • Trojan.Dropper (Symantec)
  • TrojanDownloader:Win32/DlRhifrem.gen!A (Microsoft)
