McAfee summary of the updated description of backdoor AXJ:
__________________________________________
Trojan Name: BackDoor-AXJ
Risk Assessment:
Corporate User: Low-Profiled
Home User: Low-Profiled
Trojan Information
Discovery Date: 07/16/2003
Origin: Unknown
Length: varies
Type: Trojan
SubType: Remote Access
Minimum DAT: 4277 (07/16/2003)
Updated DAT: 4370 (06/25/2004)
Minimum Engine: 4.1.60
Description Added: 07/16/2003
Description Modified: 06/25/2004 6:15 AM (PT)
Trojan Characteristics:
-- Update June 25, 2004 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention, for example:
The media attention concerns recent IIS website hacks which have been performed in order to install this backdoor trojan on victim machines. For further details concerning vulnerable IIS servers and IE clients, see the following link:
--------------------------------------------------------------------------------
The following EXTRA.DAT packages are being made available prior to the regularly scheduled weekly DAT release (working with EXTRA.DAT files).
EXTRA.DAT
SUPER EXTRA.DAT
--------------------------------------------------------------------------------
-- Update June 24, 2004 --
Several websites were recently hacked to serve exploit script code that results in a new polymorphic variant of BackDoor-AXJ being installed. Detection is included in the Daily DAT files as BackDoor-AXJ.gen and will also be included in the 4370 DAT release. Detection is also provided in the EXTRA.DAT packages linked above.
Earlier variants of this remote access trojan were likely to be downloaded via a downloader trojan (detected as Downloader-DI). Multiple versions of the downloader are known to have been spammed to users.
Multiple versions of this remote access trojan are known to exist; users are recommended to use the Daily DATs for optimal detection.
Once running on the victim machine, the trojan serves multiple functions:
acts as a web proxy
can check remote server for updates
cached passwords on the victim machine are logged (for sending to hacker)
When it is run, the remote access trojan installs itself into %SysDir% (eg. C:\WINNT\SYSTEM32) with a random 8 character filename. A DLL is also dropped into this directory, again with a seemingly random 8 character filename. For example:
C:\WINNT\SYSTEM32\OQLCINEI.EXE (39,140 bytes - copy of trojan)
C:\WINNT\SYSTEM32\BAGMBBPJ.DLL (5,633 bytes - dropped DLL)
Two ports are opened on the victim machine. Exact port numbers used vary between variants. One is used for the web proxy, the other for communication. Ports used in samples seen thus far include:
7714
8546
12334
12324
Notification is sent to the hacker via HTTP, sending data to a remote PHP script. This data includes the IP of the machine, plus the port numbers opened. It also includes an "identification string" - presumably used to validate communication to the trojan.
System startup is hooked (via the dropped DLL) by the following Registry modifications.
Once running, other data files are written to the victim machine (%SysDir%). These files have filename NTXGL16 with DAT, SYS and VxD extensions, for example:
C:\WINNT\SYSTEM32\NTXGL16.DAT - used for storing cached passwords retrieved from the victim machine, prior to sending to hacker.
C:\WINNT\SYSTEM32\NTXGL16.SYS
C:\WINNT\SYSTEM32\NTXGL16.VXD - contains contents of a remote data file which is retrieved (via HTTP) by the trojan.
Installation
The following values:
"(Default)" = (path to dropped DLL, eg: C:\WINNT\System32\Bbdgff32.dll)
"ThreadingModel" = Apartment
To the following key:
HKEY_CLASSES_ROOT\CLSID\
{79FA9088-19CE-715D-D85A-216290C5B738}\InProcServer32
and this value:
"Web Event Logger" = {79FA9088-19CE-715D-D85A-216290C5B738}
To the following key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
ShellServiceObjectDelayLoad
The DLL then executes the (randomly named) EXE.
Other Registry modifications are also made:
The values:
"FormSuggest Passwords" = yes
"FormSuggest PW Ask" = yes
"Use FormSuggest" = yes
Are added to the following key:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
The description also lists the following strings (apparently taken from the trojan binary), which include the names of the password-retrieval APIs WNetEnumCachedPasswords (MPR.DLL) and PStoreCreateInstance (pstorec.dll):
AutoSuggest SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete BUTTON
#32770 200 %s: %s %s %s %s WNetEnumCachedPasswords MPR.DLL
%s:%s %s [%s] '%s' [%s] %s : :// Internet Explorer PStoreCreateInstance
pstorec.dll k
Symptoms
existence of the Registry keys and files detailed above
Ports 7714 and 8546 open on victim machine
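The following host check is an added example, not part of the McAfee description: it looks for the artefacts listed above (the ShellServiceObjectDelayLoad entry and CLSID, the NTXGL16 data files, the IE FormSuggest values, and the listening ports). The CLSID, paths, file names and ports are taken from the description; the function name and output format are my own.

```powershell
# Added host check (not from the McAfee description) for the BackDoor-AXJ
# artefacts listed above. Run in an elevated PowerShell session.
function Test-BackDoorAXJArtifacts {
    $findings = @()
    $clsid = '{79FA9088-19CE-715D-D85A-216290C5B738}'   # CLSID from the description

    # 1. Startup hook: "Web Event Logger" entry in ShellServiceObjectDelayLoad
    $ssodl = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
    $ssodlProps = Get-ItemProperty -Path $ssodl -ErrorAction SilentlyContinue
    if ($ssodlProps) {
        foreach ($p in $ssodlProps.PSObject.Properties) {
            if ($p.Value -eq $clsid -or $p.Name -eq 'Web Event Logger') {
                $findings += "SSODL entry '$($p.Name)' = $($p.Value)"
            }
        }
    }

    # 2. The CLSID's InProcServer32 (default value points at the dropped DLL)
    $inproc = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InProcServer32"
    $dll = (Get-ItemProperty -Path $inproc -ErrorAction SilentlyContinue).'(default)'
    if ($dll) { $findings += "InProcServer32 for $clsid -> $dll" }

    # 3. Dropped data files NTXGL16.DAT/.SYS/.VXD in the system directory
    $sysDir = [Environment]::SystemDirectory
    foreach ($ext in 'DAT', 'SYS', 'VXD') {
        $f = Join-Path $sysDir "NTXGL16.$ext"
        if (Test-Path -LiteralPath $f) { $findings += "Dropped file present: $f" }
    }

    # 4. IE AutoComplete values the trojan sets to "yes" (weak indicator on its own,
    #    since these are also legitimate user settings)
    $ieMain = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
    $ie = Get-ItemProperty -Path $ieMain -ErrorAction SilentlyContinue
    foreach ($v in 'FormSuggest Passwords', 'FormSuggest PW Ask', 'Use FormSuggest') {
        if ($ie -and $ie.$v -eq 'yes') { $findings += "IE setting '$v' = yes" }
    }

    # 5. Listening ports seen in samples (they vary by variant)
    $listen = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue
    foreach ($port in 7714, 8546, 12334, 12324) {
        $hit = $listen | Where-Object LocalPort -eq $port
        if ($hit) { $findings += "Port $port listening (PID $($hit.OwningProcess -join ','))" }
    }
    return $findings
}

Test-BackDoorAXJArtifacts
```

A hit on the IE values or on a port alone is not conclusive; the SSODL entry and the InProcServer32 path to a randomly named DLL in System32 are the stronger indicators and should be confirmed with a current DAT scan.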
Method Of Infection
Earlier variants of this remote access trojan are likely to be downloaded via Downloader-DI which is known to have been spammed to users.
-- Update June 25th 2004 --
A new polymorphic variant of this is likely to be installed when the victim browses a specifically-hacked IIS website (see above).
Removal Instructions
All Users :
AVERT considers this to be a low risk threat.
Detection is already included in the Daily DAT files (beta).
The following EXTRA.DAT packages are being made available prior to the regularly scheduled weekly DAT release (working with EXTRA.DAT files).
EXTRA.DAT
SUPER EXTRA.DAT
This EXTRA.DAT package contains the following new detections:
BackDoor-AXJ.gen
BackDoor-AXJ.dll
And enhancements to the following detections (for detection of the script components):
VBS/Psyme
Exploit-MhtRedir
Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).
Additional Windows ME/XP removal considerations
Variants
Aliases
Name
BackDoor-AXJ.gen (polymorphic variant)
Backdoor.Berbew (NAV)
Webber
__________________________________________
All McAfee users are advised to update to the current DAT 4370.
Also, since on 30 June the 4.2.60 engine becomes obsolete in all McAfee products, anyone running any product with an earlier engine is advised to move to the current 4.3.20:
regards
ms, 28-06-2004