11808 (25 KB when unpacked)
- the file sysdeb32.exe in the Windows folder;
- the registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SystemDebug pointing to that file;
- file temp35.txt in C:\ and file svc.sav in the Windows folder.
Remove the registry entry specified in the Symptoms section; restart the computer and delete the files specified there.
Let BitDefender delete infected files.
Bogdan Dragu, BitDefender Virus Researcher
This backdoor is compiled with LCC and packed with UPX; it sends information to a remote site and allows that site to specify the location of a file to download and execute; it also allows connections to the computer on port 5555. It does not self-replicate (it is not a virus).
When run, it will copy itself as sysdeb32.exe in the Windows folder and create the registry entry HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SystemDebug so that the backdoor is run at Windows start-up. It will continue execution from that location.
It calls the RegisterServiceProcess function to hide itself from the task list on Windows 9x systems.
It prepares information about the dial-up connections, email accounts, Windows version, user etc. in c:\temp35.txt; it will store some hashes for this information in svc.sav in the Windows folder.
A (hidden) window is created and a timer message is sent to it every 5 seconds; upon receiving it, the backdoor checks to see if the computer is connected to the Internet (by trying to resolve "www.kernel.org" to an IP); if it is, the backdoor will communicate with finance.red-host.com to:
- get the URL of a file to download and execute from finance.red-host.com/events.php (the following data is sent: a unique ID based on the process ID and the tick count, the IP, the connection speed - the time needed to connect to www.kernel.org and exchange some data with this site - and the number of times the timer message has been received);
- post the information in c:\temp35.txt to finance.red-host.com/showinfo.php (if successful, the backdoor will wait for 3 minutes before looping again).
A thread is used to listen to incoming connections on TCP port 5555; for each client that connects, an additional thread is used to exchange information with it; based on this information, the backdoor may connect to the client's specified IP and port.
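As an added example, not part of the original description and not a BitDefender tool, the following PowerShell script checks a host for the indicators listed above (the Run value, the three dropped files and a listener on TCP 5555) and, with -Remove, applies the removal steps. It assumes the "Windows folder" is $env:windir and a Windows version that provides Get-NetTCPConnection; run it from an elevated prompt.

```powershell
# Host triage for the backdoor described above (added example, not BitDefender's code).
# Assumptions: Windows folder = $env:windir; Get-NetTCPConnection available (Windows 8+/2012+).
param([switch]$Remove)   # -Remove applies the clean-up steps from the Removal section

$findings = @()

# 1. Persistence: HKLM\...\Run\SystemDebug pointing at sysdeb32.exe
$runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -Name 'SystemDebug' -ErrorAction SilentlyContinue
if ($run) { $findings += "Run value SystemDebug = $($run.SystemDebug)" }

# 2. Dropped files: sysdeb32.exe and svc.sav in the Windows folder, temp35.txt in C:\
$files = @(
    (Join-Path $env:windir 'sysdeb32.exe'),
    (Join-Path $env:windir 'svc.sav'),
    'C:\temp35.txt'
)
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) { $findings += "File present: $f" }
}

# 3. Backdoor listener on TCP 5555; report the owning process so it can be examined
$listeners = Get-NetTCPConnection -LocalPort 5555 -State Listen -ErrorAction SilentlyContinue
foreach ($l in $listeners) {
    $proc = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
    $findings += "TCP 5555 listening, PID $($l.OwningProcess) ($($proc.ProcessName))"
}

if (-not $findings) { Write-Output 'No indicators found.'; return }
$findings | ForEach-Object { Write-Output "INDICATOR: $_" }

if ($Remove) {
    # Removal order from the description: drop the Run value, reboot, then delete the files.
    # While the backdoor is running it holds sysdeb32.exe open, so that deletion fails until reboot.
    Remove-ItemProperty -Path $runKey -Name 'SystemDebug' -ErrorAction SilentlyContinue
    foreach ($f in $files) { Remove-Item -LiteralPath $f -Force -ErrorAction SilentlyContinue }
    Write-Output 'Run value removed; reboot and re-run with -Remove to delete any file still locked.'
}
```

Because the sample resolves www.kernel.org and contacts finance.red-host.com every 5 seconds while online, DNS and proxy logs for those names are a useful network-side complement to this host check.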