Backdoor-DZG.dr
- Type: Trojan
- SubType: Dropper Generic
- Discovery Date: 07/01/2009
- Length: Varies
- Minimum DAT: 5664 (07/02/2009)
- Updated DAT: 5665 (07/03/2009)
- Minimum Engine: 5.3.00
- Description Added: 07/01/2009
- Description Modified: 07/01/2009 8:50 PM (PT)
Characteristics
On execution, this trojan searches the user machine for installations of the following software, each of which supports FTP:
- FTP Voyager (RhinoSoft.com)
- AceFTP 3 (Visicom Media)
- Auto FTP Manager 4
- Whisper Technology\FTP Surfer
- FTP Desktop
- WS_FTP 12 (Ipswitch)
- LeechFTP
- FlashFXP
- GoFTP
- FileZilla FTP Client
- CoreFTP
- FTP Commander
- CuteFTP
- SmartFTP Client
- WinSCP
- Total Commander
- FTP Explorer
- Mozilla Firefox
- Internet Explorer
- Opera
- K-Meleon
- FineBrowser
- TurboFTP
- NetSurf
- SlimBrowser
- Avant Browser
- SphereXPlorer
- Navigator 9
- SEAGULL
- Acoo Browser
- Safari
- Fast Browser
- EmFTP
- FTP Now
- Far
When successful in identifying an installation, it drops a file in the installation folder of the software with either of the following names:
- ntshrui.dll
- rasadhlp.dll
Both DLLs are detected as Backdoor-DZG.dll. The file names were chosen deliberately to match legitimate Microsoft DLLs found in the %System% folder. The applications listed above load the genuine Microsoft files during normal operation, and because Windows searches an application's own installation folder before %System%, placing same-named files there causes the application to load the illegitimate DLLs instead of the real ones.
Symptoms
Presence of the above-mentioned DLL files in the installation folders of the listed applications.
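A defender-side check for the symptom above, added here as an example and not part of the McAfee description: it walks a set of application install folders and flags any file named ntshrui.dll or rasadhlp.dll, since the legitimate copies live only in %System% and a copy next to an application's executable is exactly the search-order hijack the characteristics section describes. The folder names and file contents are constructed sample data, not real installs; on a real system you would pass the actual install paths (for example under Program Files) to `find_planted_dlls`.

```python
"""Scan application install folders for Backdoor-DZG.dr style planted DLLs.

Added example (not McAfee code). The sample install tree is constructed
inline so the script runs offline; real use passes real install folders.
"""
import os
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List, Tuple

# DLL names the advisory says the dropper plants in application folders.
DROPPED_DLL_NAMES = frozenset({"ntshrui.dll", "rasadhlp.dll"})


def find_planted_dlls(app_dirs: Iterable[str],
                      dll_names: frozenset = DROPPED_DLL_NAMES,
                      max_depth: int = 1) -> List[Dict[str, object]]:
    """Return every file under the given install folders whose name matches
    one of the system DLL names, compared case-insensitively (Windows file
    names are case-insensitive). max_depth=0 checks only the folder itself;
    1 also checks its direct subfolders. Missing folders are skipped, since
    an application that is not installed cannot have been hijacked.
    """
    wanted = {n.lower() for n in dll_names}
    findings: List[Dict[str, object]] = []
    for app_dir in app_dirs:
        root = Path(app_dir)
        if not root.is_dir():
            continue
        root_str = str(root)
        for dirpath, dirnames, filenames in os.walk(root):
            # depth relative to the install folder: '' -> 0, '/sub' -> 1
            depth = dirpath[len(root_str):].count(os.sep)
            if depth >= max_depth:
                dirnames[:] = []  # prune: do not descend any further
            for name in filenames:
                if name.lower() in wanted:
                    full = Path(dirpath) / name
                    findings.append({
                        "app_dir": root_str,
                        "path": str(full),
                        "dll": name.lower(),
                        "size": full.stat().st_size,
                    })
    return sorted(findings, key=lambda f: (f["app_dir"], f["dll"]))


def build_demo_tree(base: Path) -> List[str]:
    """Constructed sample install folders (placeholder files, not real PEs):
    two applications carry a planted DLL, one is clean, one is not installed.
    """
    layout = {
        "FileZilla FTP Client": ["filezilla.exe", "NTSHRUI.DLL"],  # planted, odd case
        "CuteFTP": ["cuteftp.exe", "rasadhlp.dll"],                # planted
        "WinSCP": ["winscp.exe", "winscp.ini"],                    # clean
    }
    dirs = []
    for app, files in layout.items():
        d = base / app
        d.mkdir()
        for f in files:
            (d / f).write_bytes(b"MZ" + b"\0" * 62)  # placeholder bytes only
        dirs.append(str(d))
    dirs.append(str(base / "Total Commander"))  # not installed: skipped
    return dirs


def run_demo() -> List[Tuple[str, str]]:
    """Build the sample tree, scan it, and return (app folder, dll) hits."""
    with tempfile.TemporaryDirectory() as tmp:
        app_dirs = build_demo_tree(Path(tmp))
        hits = find_planted_dlls(app_dirs)
        for hit in hits:
            print(f"SUSPECT {hit['path']} ({hit['size']} bytes)")
        return [(Path(h["app_dir"]).name, h["dll"]) for h in hits]


if __name__ == "__main__":
    run_demo()
```

Any hit is worth treating as an incident rather than just deleting the file: the advisory's dropper is only the delivery stage, so the planted DLL and the process that wrote it should be collected before cleaning with the recommended engine and DAT.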
Method of Infection
This trojan may have been downloaded and executed on a user machine as a result of a drive-by web exploit.
Removal
All Users:
Use current engine and DAT files for detection and removal.
Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be removed successfully when cleaning with the recommended engine and DAT combination (or higher).
Variants
N/A
Overview
This detection is for the dropper component of Backdoor-DZG.dll.