Backdoor.Assasin.C

Discussion in 'malware problems & news' started by Randy_Bell, Nov 25, 2002.

Thread Status:
Not open for further replies.
  1. Randy_Bell

    Randy_Bell Registered Member

    Joined:
    May 24, 2002
    Posts:
    3,004
    Location:
    Santa Clara, CA
    Symantec Security Response - Backdoor.Assasin.C

    Backdoor.Assasin.C is a Backdoor Trojan that gives an attacker unauthorized access to a compromised computer. By default it opens port 6,595 on the infected computer. Backdoor.Assasin.C is packed using UPX v1.20.

    Also Known As: Backdoor.Assasin.11 [KAV], Backdoor-AGS [McAfee]
    Type: Trojan Horse
    Infection Length: 92,160 bytes
    Systems Affected: Windows 95, Windows 98, Windows ME, Windows NT, Windows 2000, Windows XP
    Systems Not Affected: Windows 3.x, Microsoft IIS, Macintosh, Unix, Linux

    technical details

    Backdoor.Assasin.C is a variant of Backdoor.Assasin. When Backdoor.Assasin.C runs, it performs the following actions:

    It displays this message:

    Invalid Jpeg Image

    It copies itself as %windir%\Ms Spool32.

    NOTE: %windir% is a variable. The Trojan locates the Windows main installation folder (by default this is C:\Windows or C:\Winnt) and copies itself to that location.

    It then creates the %windir%\Ms spool32.dat file. This file contains the file names of executable files that processes the Trojan attempts to terminate.

    The Trojan creates the value

    Ms Spool32 %windir%\ms spool32.exe

    in the registry key

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    so that the Trojan starts when you start or restart Windows.

    Also, it creates the following registry keys:

    • HKEY_LOCAL_MACHINE\SOFTWARE\AUFOBK
    • HKEY_LOCAL_MACHINE\SOFTWARE\AUFOBK\eu%t{efn74+fzb

    It attempts to disable some antivirus and firewall programs by terminating the active processes.

    The Trojan notifies the client side using ICQ pager and/or email.

    Once installed, Backdoor.Assasin.C waits for commands from the remote client. The commands allow the hacker to perform any of the following actions:

    • Deliver system and network information to the hacker
    • Manage the installation of the backdoor Trojan
    • Upload and execute files

    removal instructions

    NOTE: These instructions are for all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.


    • 1. Update the virus definitions.
      2. Do one of the following:
      • Windows 95/98/Millenium: Restart the computer in Safe mode.
      • Windows NT/2000/XP: End the Trojan process.
      3. Run a full system scan, and delete all files that are detected as Backdoor.Assasin.C.
      4. Reverse the changes that the Trojan made to the registry.

    To reverse the changes that the Trojan made to the registry:

    CAUTION: Symantec strongly recommends that you back up the registry before you make any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify only the keys that are specified. Read the document How to make a backup of the Windows registry for instructions.


    • 1. Click Start, and click Run. The Run dialog box appears.
      2. Type regedit and then click OK. The Registry Editor opens.
      3. Navigate to the key

      HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

      4. In the right pane, delete the value

      Ms Spool32 %windir%\ms spool32.exe

      5. Navigate to and delete these keys:

      HKEY_LOCAL_MACHINE\SOFTWARE\AUFOBK
      HKEY_LOCAL_MACHINE\SOFTWARE\AUFOBK\eu%t{efn74+fzb

      6. Exit the Registry Editor.

    NOTE: You may need to reinstall your antivirus and/or firewall software.
     
  2. moon

    moon Guest

    Wonder if I don't have the keys AUFOBK? And I can't seem to get rid of the exe. Is there any other way to do so?
     
  3. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Download, install, update and start TDS-3

    http://tds.diamondcs.com.au/html/download.htm

    Once you have installed, download the latest database from the bottom of that page, and then start it up - if not detected on disk, memory space scanning should detect the trojan and you can just right click, delete.

    Email me if you have any problems or questions - gavin@diamondcs.com.au
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.