Description:
This memory-resident backdoor arrives on a system as an attachment in spammed email messages. It may also arrive as a dropped or downloaded file from a remote malicious user.
The following is a sample of the email message it arrives in:

For more email details, please refer to the Technical Details section.
Upon execution, this backdoor drops a copy of itself in the Windows system folder.
Notably, this backdoor takes advantage of the cloaking component shipped with a commercially distributed Digital Rights Management (DRM) package. That component is a rootkit-style kernel driver: it hides any file, folder, registry key, or process whose name begins with the prefix "$sys$" from the system's own tools. By giving its own artifacts that prefix (its mutex, $sys$xp.exe, is one example), the backdoor is concealed on any machine where the DRM driver is installed. The DRM software itself is not the backdoor; the backdoor merely abuses the hiding behaviour the DRM driver provides.
It then runs a command that reconfigures the affected system's firewall so that the backdoor's own network connections are not blocked. As a result, it is able to carry out its routines unimpeded.
This backdoor creates the mutex $sys$xp.exe to ensure that only one instance of itself runs in the affected system's memory.
This backdoor randomly connects to any of the following remote Internet Relay Chat (IRC) servers:
- 68.101.14.76
- 24.210.44.45
- 67.171.67.190
- 35.10.203.93
- 152.7.24.186
It opens TCP port 8080 and joins the IRC channel #cell, where it waits for and executes commands issued by a remote attacker. This hands the attacker remote control of the affected system and increases the risk of further attacks on it.
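The indicators in this description (the five IRC server addresses, TCP port 8080, the channel #cell, and the "$sys$" cloaking prefix) can be turned into a simple triage check. The script below is an added example and is not part of the original Trend Micro write-up; the flow-log format, the sample log lines, and the sample name list are constructed for illustration, and the assumption that the IRC traffic travels over port 8080 is an interpretation of the text rather than something the description states outright.

```python
"""Triage checks for the backdoor described above.

Added example, not from the original description. Only the C2 addresses,
the TCP port, the IRC channel and the $sys$ prefix come from the write-up;
the log format and all sample data here are constructed.
"""
import re

# Remote IRC servers the backdoor picks from at random (from the description).
C2_SERVERS = {
    "68.101.14.76",
    "24.210.44.45",
    "67.171.67.190",
    "35.10.203.93",
    "152.7.24.186",
}
C2_PORT = 8080          # TCP port the backdoor opens
C2_CHANNEL = "#cell"    # IRC channel where it takes commands
CLOAK_PREFIX = "$sys$"  # names with this prefix are hidden by the DRM cloaking driver

# Constructed flow-log format (assumption, not a real product's format):
#   "<ts> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <proto> [payload]"
FLOW_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+)(?: (?P<payload>.*))?$"
)
# IRC JOIN to the command channel, e.g. "JOIN #cell".
JOIN_RE = re.compile(r"\bJOIN\s+" + re.escape(C2_CHANNEL) + r"\b", re.IGNORECASE)


def parse_flow(line):
    """Parse one constructed flow-log line into a dict, or None if it does not match."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    f = m.groupdict()
    f["sport"], f["dport"] = int(f["sport"]), int(f["dport"])
    f["payload"] = f["payload"] or ""
    return f


def check_flows(lines):
    """Return (line_no, severity, reason) tuples for flows matching the network IOCs.

    A known C2 address or a JOIN to the channel is a high-confidence hit.
    Port 8080 alone is a weak signal (it is a common HTTP proxy port), so it
    is reported at low severity and only when no listed C2 host is involved.
    """
    findings = []
    for n, line in enumerate(lines, 1):
        f = parse_flow(line)
        if f is None:
            continue
        peers = {f["src"], f["dst"]}
        if peers & C2_SERVERS:
            findings.append((n, "high", "traffic with known C2 server"))
        if JOIN_RE.search(f["payload"]):
            findings.append((n, "high", f"IRC JOIN to {C2_CHANNEL}"))
        if C2_PORT in (f["sport"], f["dport"]) and not (peers & C2_SERVERS):
            findings.append((n, "low", "TCP 8080 in use with an unlisted host; corroborate"))
    return findings


def check_names(names):
    """Flag file, process or mutex names carrying the $sys$ cloaking prefix.

    Caveat: on a host where the DRM driver is loaded, its own directory and
    process listings will not show these names at all. Feed this function a
    listing taken from clean boot media or from a tool that reads the disk
    and object namespace underneath the driver.
    """
    return [n for n in names if n.lower().startswith(CLOAK_PREFIX)]


# Constructed sample data: one infected host talking to a listed C2 over 8080,
# plus benign traffic and a proxy-like 8080 flow to show the low-severity path.
SAMPLE_FLOWS = [
    "2005-11-10T11:42:01 192.168.1.23:1049 -> 24.210.44.45:8080 tcp NICK xp4471",
    "2005-11-10T11:42:02 192.168.1.23:1049 -> 24.210.44.45:8080 tcp JOIN #cell",
    "2005-11-10T11:42:09 192.168.1.23:1052 -> 198.51.100.7:8080 tcp GET /proxy.pac HTTP/1.0",
    "2005-11-10T11:43:00 192.168.1.23:1060 -> 198.51.100.7:80 tcp GET / HTTP/1.1",
    "2005-11-10T11:43:30 203.0.113.9:3311 -> 192.168.1.23:8080 tcp",
]
SAMPLE_NAMES = ["explorer.exe", "svchost.exe", "$sys$xp.exe", "lsass.exe"]

if __name__ == "__main__":
    for n, sev, reason in check_flows(SAMPLE_FLOWS):
        print(f"line {n}: [{sev}] {reason}")
    print("cloaked names:", check_names(SAMPLE_NAMES))
```

The C2 address list is the strongest indicator here; the port-8080 check is deliberately low severity because that port is shared with ordinary proxy traffic, and the name check only helps when the listing is taken from outside the cloaked view.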
Description created: Nov. 10, 2005 11:42:42 AM GMT -0800