BackDoor-DKI.dldr

Type: Trojan
SubType: Downloader
Discovery Date: 12/18/2006
Length: Varies
Minimum DAT: 4921 (12/18/2006)
Updated DAT: 5766 (10/09/2009)
Minimum Engine: 5.1.00
Description Added: 12/18/2006
Description Modified: 07/29/2009 1:44 AM (PT)

Risk Assessment
Corporate User: Low
Home User: Low

Characteristics

-- Update: July 29, 2009 --

On execution, this variant of the Trojan copies itself to the %system% folder and deletes itself from its initial location. It also creates a log file with the same name (without the .exe extension) in the %system% folder to store the keystrokes typed on the infected computer.

The following files are created on execution:

  • %system%\arteagent.exe
  • %system%\arteagent (Keystroke log file)

The following registry entry is created:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{3DEDF8F4-59AB-5FD4-38F2-6D83EBAF8314}
    "StubPath" = "%system%\arteagent.exe"

(Where %system% is the default system directory, for example C:\Windows\System or C:\Windows\System32.)

This Trojan may steal information from the infected machine by sending the saved keystroke log file (%system%\arteagent) to a remote host.

The Trojan connects to the following host after resolving its DNS name:

  • http://worldbank.[blocked].com

-- Update: April 6, 2007 --

Upon execution, the Trojan injects code into the Internet Explorer process. The injected code attempts to download the BackDoor-DKI Trojan from the following URL:

  • http ://www.maritimesquare.com/[removed]/kz.exe (Detected with DAT 5003)

Symptoms

  • Presence of the above mentioned files and registry entries.
  • Presence of network activity between the infected machine and the remote host mentioned above.
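As an added example (not part of the McAfee description), a read-only PowerShell check for the files and Active Setup registry entry listed under Characteristics. The CLSID, file names and StubPath value name are taken from the description; the extra SysWOW64 and WOW6432Node views are an assumption to cover a 32-bit dropper on 64-bit Windows.

```powershell
# Added example, not from the McAfee description: read-only check for the
# BackDoor-DKI.dldr artifacts listed under Characteristics. CLSID, file names and
# the StubPath value name come from the description; checking the SysWOW64 and
# WOW6432Node views as well is an added assumption for 32-bit droppers on x64.
$clsid = '{3DEDF8F4-59AB-5FD4-38F2-6D83EBAF8314}'
$findings = @()

# 1. Dropped files: the Trojan copy and the extensionless keystroke log in %system%.
$sysDirs = @([Environment]::GetFolderPath('System'),
             [Environment]::GetFolderPath('SystemX86')) | Select-Object -Unique
foreach ($dir in $sysDirs) {
    foreach ($name in 'arteagent.exe', 'arteagent') {
        $path = Join-Path $dir $name
        if (Test-Path -LiteralPath $path -PathType Leaf) {
            $f = Get-Item -LiteralPath $path
            $findings += [pscustomobject]@{
                Type = 'File'; Location = $path
                Detail = "size=$($f.Length) modified=$($f.LastWriteTimeUtc)"
            }
        }
    }
}

# 2. Active Setup persistence. Windows runs each component's StubPath once for
#    every user that logs on, so this entry re-launches the Trojan per account.
#    Match the exact CLSID from the description, and (added generalisation) any
#    other Installed Components key whose StubPath references arteagent.exe.
$bases = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components',
         'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components'
foreach ($base in $bases) {
    if (-not (Test-Path -LiteralPath $base)) { continue }
    foreach ($key in Get-ChildItem -LiteralPath $base -ErrorAction SilentlyContinue) {
        $stub = (Get-ItemProperty -LiteralPath $key.PSPath -ErrorAction SilentlyContinue).StubPath
        if ($key.PSChildName -eq $clsid -or ($stub -and $stub -match 'arteagent\.exe')) {
            $findings += [pscustomobject]@{
                Type = 'Registry'; Location = "$base\$($key.PSChildName)"
                Detail = "StubPath=$stub"
            }
        }
    }
}

if ($findings.Count -gt 0) { $findings | Format-Table -AutoSize -Wrap }
else { 'No BackDoor-DKI.dldr file or Active Setup artifacts found.' }
```

Run it from an elevated prompt so the HKLM keys and the system directory are readable; it only reads, so confirmed findings still need to be cleaned with current DATs as the Removal section states.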

Method of Infection

-- Update: July 29, 2009 --

This backdoor Trojan is covertly dropped when the malicious PDF file (Exploit-PDF.m) is opened on a vulnerable computer.

The malicious PDF file may be sent by e-mail as an attachment.

-- Update: April 6, 2007 --

It has been observed to be dropped by Exploit-TaroDrop, which exploits a vulnerability in Ichitaro Document Viewer.

Removal

AVERT recommends always using the latest DATs and engine. This threat will be cleaned if you have this combination.


Variants

N/A

Overview

-- Update: July 29, 2009 --

BackDoor-DKI.dldr is now embedded in a crafted PDF file, which is detected as Exploit-PDF.m. This backdoor Trojan is capable of logging the keystrokes of the compromised system. The information collected from a compromised computer may be sent to the attackers' server at periodic intervals.

-- Update: April 6, 2007 --

The most recent variant of BackDoor-DKI.dldr is dropped by the Exploit-TaroDrop Trojan, which exploits a zero-day vulnerability in Ichitaro Document Viewer.

The Trojan "BackDoor-DKI.dldr" is designed to download the "BackDoor-DKI" Trojan.
