BDS/Jtram.E - Backdoor Server

See also

Summary

Full description

Statistics

Virus:	BDS/Jtram.E
Date discovered:	08/12/2005
Type:	Backdoor Server
In the wild:	Yes
Reported Infections:	Low
Distribution Potential:	Low
Damage Potential:	Medium
Static file:	Yes
File size:	62.464 Bytes
MD5 checksum:	46E5CBF6377AE68557243414A28F7F11
VDF version:	6.32.01.09 - Mon, 05 Dec 2005 13:21 (GMT+1)

Files It copies itself to the following location:
• %SYSDIR%\mfm\msrll.exe

The following file is created:

– Non malicious file:
• %SYSDIR%\mfm\jtrma.conf

Registry The following registry keys are added in order to load the service after reboot:

– [HKLM\SYSTEM\CurrentControlSet\Services\mfm]
   • "Type"=dword:00000120
   • "Start"=dword:00000002
   • "ErrorControl"=dword:00000002
   • "ImagePath"="%SYSDIR%\mfm\msrll.exe"
   • "DisplayName"="Rll enhanced drive"
   • "ObjectName"="LocalSystem"

– [HKLM\SYSTEM\CurrentControlSet\Services\mfm\Security]
   • "Security"=%hex values%

IRC To deliver system information and to provide remote control it connects to the following IRC Server:

Server: stolen.zxy0.com
Port: 6667
Channel: #stolen
Nickname: %random character string%

– Furthermore it has the ability to perform actions such as:
    • Launch DDoS ICMP flood
    • Launch DDoS SYN flood
    • Launch DDoS UDP flood
    • disconnect from IRC server
    • Execute file
    • Join IRC channel
    • Leave IRC channel
    • Restart system
    • Updates itself

Backdoor The following port is opened:

– %SYSDIR%\mfm\msrll.exe on TCP port 3000 in order to provide backdoor capabilities.

File details Programming language:
The malware program was written in MS Visual C++.

Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with the following runtime packer:
• ASPack

See a brief description here.

Description inserted by Andrei Gherman on Fri, 09 Dec 2005 12:37 (GMT+1)
Description updated by Oliver Auerbach on Fri, 09 Dec 2005 18:02 (GMT+1)

» About Malware
» About Phishing
» Viruses In the Wild

« back