|
|
Virus Central - Detailed
|
|
Virus Information
|
|
|
Name:
|
Backdoor.Surgeon
|
|
Aliases:
|
Backdoor.Infector
|
|
Type:
|
Trojan Horse
|
|
Discovery Date:
|
February 20, 2002
|
|
Detection:
|
Releases confidential info: Stored passwords
can be acquired
Compromises security settings: Allows unauthorized access
to the compromised computer
|
|
Virus Description:
|
Backdoor.Surgeon allows a hacker to remotely control
an infected computer.
NOTE: This Trojan has been renamed. Virus definitions dated February
20, 2002 detect this as Backdoor.Infector. Definitions
dated February 21, 2002 or later detect it as Backdoor.Surgeon.
|
|
E-mail Subject:
|
|
|
E-mail Body:
|
|
|
Attachment:
|
|
|
Virus Effects:
|
|
When Backdoor.Surgeon is run, it does the following:
Presentation:
This can vary. The hacker can merge this backdoor Trojan with
a valid program so that the actual Trojan goes unnoticed when
it is run.
File installation:
It copies itself to the %Windows% folder. The file name that it
uses may vary, because the hacker who creates this backdoor Trojan
can choose any desired file name.
NOTE: %Windows% is a variable. The worm locates the \Windows
folder (by default this is C:\Windows or C:\Winnt), and copies
itself to that location.
Startup methods:
To be run at system startup, this backdoor Trojan can modify one
of the following startup locations:
- It can add a value that refers to the dropped file to one
of the following registry keys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
- It can start from the "Run=" line in the %Windows%\Win.ini
file.
- It can start from the "Shell=" line in the %Windows%\System.ini
file.
Hacker notification:
This Trojan can be configured to use ICQ or IRC to notify the hacker
that it successfully compromised a system.
Communication with the hacker:
Backdoor.Surgeon allows the hacker to take control of the compromised
system by opening a port. The port can be configured by the hacker
who creates the backdoor. By default, it uses port 35000.
Control features:
If Backdoor.Surgeon is run, it allows the hacker to remotely take
control over the compromised computer, and can include:
- Fully control the file system
- Upload to and download from the host computer
- Run files of the hacker's choice
- Manage running processes
- Manipulate the registry
- Display messages
- Acquire passwords
- Redirect TCP traffic from one specific port to another port
and IP address.
- View the screen
- Log key strokes
- Perform annoying actions, such as manipulate the mouse, open
and close the CD-ROM drive, turn the monitor on and off, and
so on.
|
|
Removal Instructions:
|
|
To remove this Trojan, delete files that are detected as Backdoor.Surgeon,
and then check the registry start points and the Windows startup
file locations (Windows 95/98/Me only) for references to the Trojan.
To remove the Trojan:
1. Obtain the most recent virus definitions. There are two ways
to do this:
- Run LiveUpdate. LiveUpdate is the easiest way to obtain
virus definitions. These virus definitions have undergone
full quality assurance testing by Symantec Security Response
and are posted to the LiveUpdate servers one time each week
(usually Wednesdays) unless there is a major virus outbreak.
To determine if definitions for this threat are available
by LiveUpdate, look at the Virus Definitions (LiveUpdate)
line at the top of this write-up.
- Download the definitions using the Intelligent Updater.
Intelligent Updater virus definitions have undergone full
quality assurance testing by Symantec Security Response. They
are posted on U.S. business days (Monday through Friday).
They must be downloaded from the Symantec Security Response
Web site and installed manually. To determine if definitions
for this threat are available by the Intelligent Updater,
look at the Virus Definitions (Intelligent Updater)
line at the top of this write-up.
Intelligent Updater virus definitions are available here.
For detailed instructions on how to download and install the
Intelligent Updater virus definitions from the Symantec Security
Response Web site, click here.
2. Start Norton AntiVirus (NAV), and make sure that NAV is configured
to scan all files. For instructions on how to do this, read the
document How
to configure Norton AntiVirus to scan all files.
3. Run a full system scan.
4. Write down the file names of files that are detected as Backdoor.Surgeon
and then delete them.
To edit the registry:
CAUTION: We strongly recommend that you back up the system
registry before making any changes. Incorrect changes to the registry
could result in permanent data loss or corrupted files. Please make
sure you modify only the keys specified. Please see the document
How
to back up the Windows registry before proceeding.
1. Click Start, and click Run. The Run dialog box appears.
2. Type regedit and then click OK. The Registry Editor
opens.
3. Navigate to and select the following key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
4. Refer to the list of infected files that you created while
following the instructions in the previous section. In the right
pane, look at the entries in the Name and Data columns.
5. If you find an entry that refers to a file that was detected
as infected, select the entry, press Delete, and then click Yes
to confirm.
6. Navigate to and select the following key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
7. Refer to the list of infected files that you created while
following the instructions in the previous section. In the right
pane, look at the entries in the Name and Data columns.
8. If you find an entry that refers to a file that was detected
as infected, select the entry, press Delete, and then click Yes
to confirm.
9. Exit the Registry Editor.
Edit Windows startup files
NOTES:
- The instructions in this section applies only to Windows 95/98/Me.
It is not necessary to do this if you are running Windows NT/2000/XP.
- (For Windows Me users only) As a result of the file-protection
process in Windows Me, a backup copy of the file that you are
about to edit exists in the C:\Windows\Recent folder. We recommend
that you delete this file before you continue with the steps
in this section. To do so using Windows Explorer, go to C:\Windows\Recent,
and in the right pane select the Win.ini file and delete it.
It will be regenerated as a copy of the file that you are about
to edit when you save your changes to that file.
1. Click Start, and click Run.
2. Type the following, and then click OK.
edit c:\windows\win.ini
The MS-DOS Editor opens.
NOTE: If Windows is installed in a different location,
make the appropriate path substitution.
CAUTION: The steps that follow instruct you to remove text
from the load= and run= lines of the Win.ini
file. If you are using older programs, they may be loading at
startup from one of these lines. The Trojan can add lines such
as load=c:\windows\temp\pkg2350.exe or run=hpfsched
<blank spaces> msrexe.exe. (In this example, hpfsched
is a legitimate program, but msrexe.exe is part of the
Trojan.)
If you are sure that the text contained in these lines is for
programs that you normally use, then we suggest that you do not
remove it. If you are not sure, but the text does not refer to
the file names that you wrote down earlier, then you can prevent
the lines from loading by placing a semicolon in the first character
position of the line. For example:
; run=accounts.exe
3. Locate the load= line within the [windows] section
of the Win.ini file; it is usually located near the top of the
file.
4. Position the cursor immediately to the right of the equal (=)
sign.
5. Press Shift+End to select all of the text to the right of the
equal sign, and then press Delete.
6. Repeat steps 3 to 5 for the run= line, which is usually
beneath the load= line.
7. Click File, click Exit, and then click Yes when you are prompted
to save the changes.
8. Click Start, and click Run.
9. Type the following, and then click OK.
edit c:\windows\system.ini
The MS-DOS Editor opens.
NOTE: If Windows is installed in a different location,
make the appropriate substitution.
10. Locate the shell=explorer.exe line within the
[boot] section of the System.ini file; it is usually located
near the top of the file.
11. Position the cursor immediately to the right of explorer.exe.
12. Press Shift+End to select all of the text to the right of
explorer.exe and then press Delete.
NOTE: Some computers may have an entry other than explorer.exe
after shell=. If this is the case, and you are running
an alternate Windows shell, then change this line to shell=explorer.exe
for now. You can change it back to your alternate shell after
you have finished this procedure.
13. Click File, click Exit, and then click Yes when you are prompted
to save the changes.
This completes the removal part of the process. Even though you
did so previously, start NAV and run another full system scan. Delete
any files that are found to be infected with this Trojan. When you
have finished, restart the computer.
Additional information:
Possible system changes
If the Trojan was run and a hacker executed files on the computer,
it may be difficult to determine exactly what was done, even after
you remove the Trojan. If you are familiar with your operating
system and how to use system-repair or system-checking tools,
we suggest that you fully check the system for any of these modifications
and undo them. Otherwise, consider reinstalling Windows.
Write-up by: Andre Post
|
TOP
|
