NUEVO TROYANO BLASTER,WORM.K (BACKDOOR DEL EXPLOIT DCOM RPC)


Post by msc hotline sat » 21 Apr 2004, 16:19

McAfee informs us of a new trojan that exploits the DCOM RPC hole to install itself, via the BLASTER.K worm, and sit listening. It is detected from tonight's 4352 DATs onward. It is also recommended to have the MS04-012 patch installed, the latest cumulative patch for this vulnerability.

__________________________________________

http://vil.nai.com/vil/content/v_121073.htm

Trojan Name: W32/Blaster.worm.k!backdoor
Risk Assessment: Corporate User: Low / Home User: Low


Trojan Information

Discovery Date: 04/21/2004
Origin: Unknown
Length: 28,160 bytes
Type: Trojan
SubType: Remote Access
Minimum DAT: 4352 (04/21/2004)
Updated DAT: 4352 (04/21/2004)
Minimum Engine: 4.2.40
Description Added: 04/21/2004
Description Modified: 04/21/2004 4:00 AM (PT)


Trojan Characteristics:

This detection is for a remote access trojan that is dropped and executed by W32/Blaster.worm.k.

Installation

Upon execution, the trojan installs itself into the %SYSDIR% directory as svchosthlp.exe.

(Where %SYSDIR% is the Windows System directory, for example C:\WINDOWS\SYSTEM)

For example:

C:\WINNT\system32\svchosthlp.exe

The following Registry key is added to hook system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "MSUpdate" = %SYSDIR%\svchosthlp.exe

The following registry keys are also added:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control "Sysuser"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control "Sysuser"

The user's browser start page is changed to the following URL by modifying the registry at the following place:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Start Page" = http://www.getgood.biz

Remote Access Functionality

Once running on the victim machine, a random port is opened on the infected system. The port numbers observed during testing were: 27507, 24367, 25519.

Mapped drives on the infected system were removed as well.


Symptoms

Unusual ports are opened
Existence of the files/Registry keys detailed above


Method Of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email, etc.

__________________________________________
On this, we are developing the new version 4.2 of ELIRPCA, which will detect the worm, the backdoor and the absence of that patch.

About the worm that creates this trojan, Blaster or LOVSAN.K / EXPLOIT DCOM RPC, it should be noted:
[quote]
-- Update 21 April 2004 --

A new variant was discovered and was proactively detected as Exploit-DcomRpc with the 4289 DAT files when scanning compressed executables (default setting)

eschlp.exe (66,048 bytes)

Detection for this variant as W32/Blaster.worm.k had been added to 4352 DATs and above. It propagates in the same way as previous variants. A backdoor dropped by this variant was detected as W32/Blaster.worm!backdoor using the 4352 DATs and above.
[/quote]

regards

ms, 21-04-2004
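A host check for the indicators in the write-up above, added here as an example (it is not part of the forum post, of McAfee's advisory or of the ELIRPCA utility). It assumes an elevated session on a Windows version that has Get-NetTCPConnection, and, because the backdoor's listening port is random, it matches listeners by owning process rather than by port number.

```powershell
# Added example: look for the W32/Blaster.worm.k!backdoor indicators listed in the McAfee write-up.
# Indicator values (file name, registry names, start page URL) come from the write-up;
# variable names and structure are this example's own.
$findings = @()

# 1. Dropped file: %SYSDIR%\svchosthlp.exe (check both candidate system directories)
foreach ($dir in @("$env:SystemRoot\System32", "$env:SystemRoot\System")) {
    $path = Join-Path $dir 'svchosthlp.exe'
    if (Test-Path -LiteralPath $path) { $findings += "File present: $path" }
}

# 2. Startup hook: HKLM\...\Run "MSUpdate"
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -Name 'MSUpdate' -ErrorAction SilentlyContinue
if ($run) { $findings += "Run value MSUpdate = $($run.MSUpdate)" }

# 3. "Sysuser" under Control in both the numbered and the current control set.
#    The write-up does not say whether it is a value or a subkey, so check both.
foreach ($ctl in @('HKLM:\SYSTEM\ControlSet001\Control', 'HKLM:\SYSTEM\CurrentControlSet\Control')) {
    $v = Get-ItemProperty -Path $ctl -Name 'Sysuser' -ErrorAction SilentlyContinue
    if ($v -or (Test-Path -LiteralPath "$ctl\Sysuser")) { $findings += "Sysuser found under $ctl" }
}

# 4. IE start page hijack for the current user
$ie = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Internet Explorer\Main' `
                       -Name 'Start Page' -ErrorAction SilentlyContinue
if ($ie -and $ie.'Start Page' -like '*getgood.biz*') {
    $findings += "IE Start Page = $($ie.'Start Page')"
}

# 5. Backdoor listener: the port is random (27507, 24367, 25519 were seen in testing),
#    so flag any listening socket owned by a process named svchosthlp instead of fixed ports.
Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue | ForEach-Object {
    $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
    if ($proc -and $proc.Name -ieq 'svchosthlp') {
        $findings += "Listener on TCP $($_.LocalPort) owned by svchosthlp.exe (PID $($_.OwningProcess))"
    }
}

if ($findings.Count -eq 0) { 'No Blaster.worm.k!backdoor indicators found.' }
else { $findings | ForEach-Object { "ALERT: $_" } }
```

Any ALERT line is a reason to run the 4352 DATs or ELIRPCA and to verify MS04-012 is installed, since the file and Run value alone confirm the backdoor was dropped.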


Post by msc hotline sat » 21 Apr 2004, 16:37

New version of the ELIRPCA utility v 4.2 uploaded to this website

http://www.zonavirus.com/descargas/EliRPCA.exe

regards

ms, 21-04-2004