BackDoor-AIK

Type: Trojan
SubType: Remote Access
Discovery Date: 07/12/2002
Length: 23,552 bytes
Minimum DAT: 4213 (07/17/2002)
Updated DAT: 4213 (07/17/2002)
Minimum Engine: 5.1.00
Description Added: 08/15/2002
Description Modified: 08/16/2002 11:49 AM (PT)

Risk Assessment
Corporate User: Low
Home User: Low

Characteristics

This is a remote access Trojan.

Another Trojan, Downloader-AR, downloads this Trojan from a website and installs it on the local host. If BackDoor-AIK is run by itself, it does not install: it does not copy itself to other locations on the local machine, and it does not modify the registry to load at Windows startup.

Symptoms

  • Open TCP connection on port 1160
  • Presence of X32AFX.EXE in %Windir%\system folder

Method of Infection

This Trojan is commonly installed by another program such as an installer or hacked installation software. On a compromised system, this Trojan may reside in the %Windir%\system folder, and it is expected to load at Windows startup from a "Run" key.

This remote access Trojan may be installed to the %Windir%\system folder as "x32afx.exe".

This Trojan will listen on TCP port 1160 and attempt to connect to the server "relay.volga.ru:6667". Both the listener and the outbound connection are visible using NETSTAT.

This Trojan will also be associated with several registry additions made by the installer program, under the following key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\System32\

  authstr = "deadcandance"
  channel = "#fuzz"
  hostname = ""
  idle = "60000"
  key = "mustdieinside"
  master = "StillAlive"
  nick = "X12050251fffbeb13"
  pass = "fffbeb1312050251"
  port = "57163"
  remote = "195.144.192.123"
  servername = "irc.volga.ru"
  userinfo = "none"
  username = "none"
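A small triage helper for the indicators listed above, added here as an example and not part of the McAfee description. It parses saved `netstat -an` output and a .reg export of the System32 key rather than touching a live host; the sample inputs are constructed, and the value names come from the list above.

```python
# Indicators from the description: TCP/1160 listener, IRC on 6667, System32 values.
SYSTEM32_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\System32"
CONFIG_NAMES = {"authstr", "channel", "hostname", "idle", "key", "master", "nick",
                "pass", "port", "remote", "servername", "userinfo", "username"}

def netstat_indicators(netstat_text):
    # Scan `netstat -an` style rows; header and UDP rows are skipped.
    found = {"listen_1160": False, "irc_6667": False}
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "TCP":
            continue
        local, remote, state = parts[1], parts[2], parts[3]
        if local.endswith(":1160") and state == "LISTENING":
            found["listen_1160"] = True
        if remote.endswith(":6667") and state == "ESTABLISHED":
            found["irc_6667"] = True
    return found

def registry_indicators(reg_text):
    # Collect the bot's config values from a .reg export of the System32 key.
    values, in_key = {}, False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_key = line[1:-1].lower() == SYSTEM32_KEY.lower()
        elif in_key and line.startswith('"') and '"="' in line:
            name, data = line[1:-1].split('"="', 1)  # "name"="data"
            values[name.lower()] = data
    return {n: values[n] for n in sorted(CONFIG_NAMES) if n in values}

# Constructed sample inputs (not captured from a real host).
SAMPLE_NETSTAT = """\
  TCP    0.0.0.0:1160           0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1035       195.144.192.123:6667   ESTABLISHED
"""
SAMPLE_REG = """\
[HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\System32]
"channel"="#fuzz"
"servername"="irc.volga.ru"
"""

def triage(netstat_text=SAMPLE_NETSTAT, reg_text=SAMPLE_REG):
    # The registry config alone is a strong sign; so are both network hits together.
    report = netstat_indicators(netstat_text)
    report["registry_config"] = registry_indicators(reg_text)
    report["suspect"] = bool(report["registry_config"]) or (
        report["listen_1160"] and report["irc_6667"])
    return report
```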

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be removed successfully when cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

  N/A

Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Aliases

  • Backdoor.IRC.BlackRat.gen (AVP)
  • W32.IRCBot.Gen (NAV)
