Virus Information


Prevalence: Low

Name: Backdoor.IRC.Snyd.A

Type:

How it spreads: This is an IRC backdoor that was spammed in an e-mail; the full message body and the name of the attachment are given in the description below.

Affected operating systems:

Aliases: Backdoor.Win32.Breplibot.b (Kaspersky); Troj/Stinx-E (Sophos); W32/Brepibot virus (McAfee)

Date of surface: Nov 9 2005 12:00AM
This is an IRC backdoor that was spammed in an e-mail with the following body:

Hello,
Your photograph was forwarded to us as part of an article we are publishing for our December edition of Total Business Monthly.
Can you check over the format and get back to us with your approval or any changes?
If the picture is not to your liking then please send a preferred one.
We have attached the photo with the article here.
Kind regards,
Jamie Andrews
Editor
www.TotalBusiness.co.uk
**********************************************

The Professional Development Institute



And the attachment: Article+Photos.exe

The backdoor relies on the Sony DRM copy protection system (the XCP rootkit) to hide its presence in the system: that rootkit hides files, processes and registry entries whose names begin with $sys$, which is why the dropped file and the registry value use that prefix.

When executed it does the following actions:
- It copies itself as:
%sysdir%\$sys$drv.exe

- It is meant to add the following registry keys:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\$sys$drv with value
%sysdir%\$sys$drv.exe
and
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\$sys$drv with value
%sysdir%\$sys$drv.exe
but due to a bug in its code, instead of Software\Microsoft\Windows\CurrentVersion\Run\
the registry keys actually created are
HKLM\kbpsevaXImgvkwkbpXSmj`kswXGqvvajpRavwmkjXVqj\$sys$drv
and
HKCU\kbpsevaXImgvkwkbpXSmj`kswXGqvvajpRavwmkjXVqj\$sys$drv

- It drops and executes the following files:
%TEMP%\xxx.bat and
%TEMP%\yyy.bat, where xxx and yyy are two random numbers.

xxx.bat tries to disable firewall checking for $sys$drv.exe
yyy.bat waits for the trojan to end and deletes it.

- It connects to one of 5 hardcoded IRC servers on port 8080.
- It waits for a small list of possible commands on channel #sony
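The registry section above gives enough to turn the description into a concrete host check. Comparing the two strings the writeup quotes, the mangled Run key path is the intended path XORed with 0x04 byte by byte (the writeup does not say how the malware produces it; only the relationship between the two strings is verifiable from the page, and the decoded result lacks the leading "S" of "Software" exactly as the page shows it). The script below is an added example, not code from the original writeup or from MicroWorld: it decodes the mangled path to confirm that relationship and flags autorun entries that match the listed indicators (the mangled key path, and the $sys$ prefix that the Sony XCP rootkit hides). The registry entries it runs on are constructed for the demo, formatted as (hive, subkey, value name, value data) the way an offline autorun export might provide them.

```python
"""
Added example (not from the original eScan writeup): triage helper for the
host indicators listed for Backdoor.IRC.Snyd.A.
"""

XOR_KEY = 0x04
INTENDED_RUN_PATH = r"Software\Microsoft\Windows\CurrentVersion\Run"
# Mangled key path exactly as quoted in the writeup (hive prefix removed).
MANGLED_RUN_PATH = "kbpsevaXImgvkwkbpXSmj`kswXGqvvajpRavwmkjXVqj"
# The Sony XCP rootkit filter hides files, processes and keys with this prefix.
HIDDEN_PREFIX = "$sys$"


def xor_decode(text: str, key: int = XOR_KEY) -> str:
    """Undo a single-byte XOR; shows what the mangled key path was meant to be."""
    return "".join(chr(ord(c) ^ key) for c in text)


def mangled_path_matches_intended() -> bool:
    """True if the decoded string is the intended Run path minus its first character."""
    decoded = xor_decode(MANGLED_RUN_PATH)
    return (INTENDED_RUN_PATH.endswith(decoded)
            and len(decoded) == len(INTENDED_RUN_PATH) - 1)


def flag_autorun_entries(entries):
    """
    entries: iterable of (hive, subkey, value_name, value_data) tuples.
    Returns [(full_key_path, [reasons]), ...] for entries matching the
    writeup's indicators: the XOR-mangled Run path, a $sys$-prefixed value
    name, or a $sys$-prefixed executable name in the value data. Entries
    under the real Run key are checked too, since that is what the
    malware intended to create.
    """
    hits = []
    for hive, subkey, name, data in entries:
        reasons = []
        if subkey.lower().startswith(MANGLED_RUN_PATH.lower()):
            reasons.append("subkey is the XOR-4 mangled Run path from the writeup")
        if name.startswith(HIDDEN_PREFIX):
            reasons.append("value name carries the $sys$ prefix hidden by the XCP rootkit")
        if HIDDEN_PREFIX in data.rsplit("\\", 1)[-1]:
            reasons.append("executable name carries the $sys$ prefix")
        if reasons:
            hits.append((f"{hive}\\{subkey}\\{name}", reasons))
    return hits


# Constructed sample data: one benign entry, one entry under the mangled
# key (what the bug actually creates), one under the real Run key (what
# the malware intended). Paths use the %sysdir% notation from the writeup.
SAMPLE_ENTRIES = [
    ("HKLM", INTENDED_RUN_PATH, "ctfmon", r"%sysdir%\ctfmon.exe"),
    ("HKLM", MANGLED_RUN_PATH, "$sys$drv", r"%sysdir%\$sys$drv.exe"),
    ("HKCU", INTENDED_RUN_PATH, "$sys$drv", r"%sysdir%\$sys$drv.exe"),
]

if __name__ == "__main__":
    print("mangled path decodes to:", xor_decode(MANGLED_RUN_PATH))
    for key_path, reasons in flag_autorun_entries(SAMPLE_ENTRIES):
        print(key_path)
        for reason in reasons:
            print("   -", reason)
```

Because the XCP filter hides $sys$ names from the live system's own APIs, a check like this is most trustworthy when run against an offline hive or a disk image rather than through the registry of the running machine.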

The backdoor contains the following string: "SonyEnabled"

For disinfection, download and run our free eScan Anti-Virus Toolkit. The utility checks your computer, system registry, and running processes for malicious programs, illegal dialers, and sniffer tools. Note: This tool does not protect your PC in real time.

You can download the eScan Anti-Virus Toolkit utility from the MicroWorld Web site.

Alternatively, you can install MicroWorld’s Internet Security Suite which has real time detection capabilities.
You can download and install the product from our eScan download page.