Date discovered: 03/01/2006
Type: Backdoor Server
In the wild: Yes
Reported infections: Low
Distribution potential: Low
Damage potential: Medium
Static file: Yes
File size: 94,208 bytes
MD5 checksum: 1475bfdd7515bb1a7309a828b5ad1ce5
VDF version:

General

Method of propagation:
   • No own spreading routine

Aliases:
   • Kaspersky: Backdoor.Win32.Small.jj
   • TrendMicro: BKDR_SMALL.AXH
   • Bitdefender: Backdoor.Small.JJ

Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003

Side effects:
   • Registry modification
   • Third party control

Registry

The following registry keys are added:

– [HKCU\Software\Microsoft\NetGetXP]
– [HKCU\Software\Microsoft\NetGetXP\Options]
   with the following value, whose name is "0x" followed by four random characters:
   • 0x%four-digit random character string%=%stolen information%

Backdoor

Contact server:
One of the following:
   • http://200.152.195.**********/newbd/get.php
   • http://200.152.195.**********/newbd/reg.php

It sends collected information to this server and accepts remote control commands from it. The communication consists of HTTP GET and POST requests to the PHP scripts listed above.

Sends information about:
    • Computer name
    • Current user
    • Environment variables
    • Current malware status
    • Information about the network
    • Platform ID
    • Information about the Windows operating system

Remote control capabilities:
    • Download file
    • Execute file
    • Terminate malware

Injection

It injects itself into a process.

Process name:
   • iexplore.exe

Miscellaneous

Mutex:
It creates the following Mutex:

File details

Programming language:
The malware program was written in MS Visual C++.

Description inserted by Andrei Gherman on Wednesday, January 4, 2006
Description updated by Andrei Gherman on Wednesday, January 4, 2006
