Subscribe
Every 50 milliseconds the backdoor creates a thread in which it will connect to the following server (if there is a network accessible):
www.starman.ee www.if.ee
If in the course of 256 connection either of the servers returns an error saying that the resource is temporarily not available, the connection will be suspended for half a second.
The backdoor spreads via the Microsoft Windows DCOM RPC vulnerability. A full
description of the vulnerability can be found in Microsoft Security Bulletin
MS03-026
Microsoft Security Bulletin MS03-026 (
The backdoor chooses IP addresses to attack, and if a machine under attack contains the DCOM RPC vulnerability, the backdoor will launch its code on the vulnerable machine.
If none of the computers under attack contain this vulnerability, the backdoor will try to connect using the following user names:
Administrator Admin
and the following passwords:
Admin root asdfgh password 00 000 0000 00000 000000 0000000 00000000 1 12 123 1234 12345 123456 1234567 12345678 123456789 secret secure security setup shadow shit sql super sys system abc123 access adm alpha anon anonymous backdoor backup beta bin coffee computer crew database debug default demo X go guest hello install internet login mail manager money monitor network new newpass nick nobody nopass oracle pass passwd server poiuytre private public qwerty random real remote ruler telnet temp test test1 test2 visitor windows
If the backdoor manages to establish a connection, it will copy its executable file to the Windows system directory on the victim machine.
If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:
- Use Task Manager to terminate the Trojan process.
- Delete the original backdoor file (the location will depend on how the program originally penetrated the victim machine).
- Delete the following parameter from the system registry (see
What
is a system registry and how do I use it for details on how to edit the registry).
[HKCR\CLSID\{%GUID%}] "(default)" = "This Trojan program is a Windows PE EXE file. It is a Windows PE EXE file. It is 50 176 bytes in size. It is written in Assembler.
InstallationOnce launched, the backdoor uses the name and path to its original file to generate a GUID, which will then be used to registry the program in the system:
[HKCR\CLSID\{%GUID%}] "(default)" = "<random symbols> " [HKCR\CLSID\{%GUID%}\LocalServer32] "(default)" = "<path to backdoor file>"When launching, the backdoor creates a copy of its body called "irdvxc.exe" in the Windows system directory:
%System%\irdvxc.exeIt then launches this copy every 2 seconds with the following command line parameters:
%System%\irdvxc.exe /installservice %System%\irdvxc.exe /start
The copy of the backdoor creates an entry in the system registry which uses the new path to the malicious file:
[HKCR\CLSID\{C9FCA82B-D6D4-EC14-6B56-609ADDA29FB7}] "(Default)" = "svxqqbkhrbsqsjhq" [HKCR\CLSID\{C9FCA82B-D6D4-EC14-6B56-609ADDA29FB7}\LocalServer32] "(Default)" = "%System%\irdvxc.exe"The backdoor file will be registered using Windows installation manager as a service when the command /installservice is run. This service will be launched automatically when the system is booted.
The service is called "MSDisk". The full name of the service is "Network helper Service" and the description of the service is "Network service for disk management requests".
When the service is registered, the following registry key is created:
[HKLM\System\CurrentControlSet\Services\MSDisk]When /start is run, the registered service will be launched.
The backdoor also creates a unique identifier, “jhdgcjhasgdc09890gjasgcjhg2763876uyg3fhg” to flag its presence in the system.
Payload
Hot Articles