Alias: Backdoor.Ciadoor, Backdoor.Ciadoor.12
Type: Trojan
Size: 4,099 Bytes
Origin: unknown
Date: 05-14-2004
Damage:
VDF Version: 14.05.2004
Danger: Medium
Distribution: Low

Distribution
BDS/Ciadoor can spread over TCP ports, or by explicit installation by a third party.

Technical Details
When activated, BDS/Ciadoor copies itself to %WinDIR%\CSRSS.EXE. The file name can vary. On Windows 95/98/ME systems it makes the entries:
"load=%filename%.exe"
"run=%filename%.exe"
in WIN.INI in the Windows directory, and the following entry in SYSTEM.INI:
"shell=%filename%.exe"
It makes these entries in one of the following registry paths:
HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{44BBA855-CC51-11CF-AAFA-00AA00B6017B}
"StubPath" = "%WinDIR%\%filename%.exe"
"ComponentID" = %Name%
"IsInstalled" = 1
"Locale" = "en"
"Version" = "4,88,55,1"
HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{44BBA855-CC51-11CF-AAFA-00AA00C7170S}
"StubPath" = "%WinDIR%\%filename%.exe"
"ComponentID" = %Name%
"IsInstalled" = 1
"Locale" = "en"
"Version" = "4,88,55,1"
It also makes one or more of the following:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
"%Name%"="%WinDIR%\%filename%.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\
"%Name%"="%WinDIR%\%filename%.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\
"%Name%"="%WinDIR%\%filename%.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\winlogon\
"%Name%"="%WinDIR%\%filename%.exe"
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
"%Name%"="%WinDIR%\%filename%.exe"
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\
"%Name%"="%WinDIR%\%filename%.exe"
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Run\
"%Name%"="%WinDIR%\%filename%.exe"
It also modifies the following registry entries:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\
"Shell"="Explorer.exe %WinDIR%/%filename%.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\
"load"="%WinDIR%\%filename%.exe"
"run"="%WinDIR%\%filename%.exe"
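A defender-side check for the persistence locations listed above, added here as an example and not part of the original description: it parses the text produced by `reg export` (or an offline export from a disk image) and flags Active Setup StubPath values, Run/RunServices entries, a modified Winlogon Shell and non-empty HKCU load/run values that point at an executable sitting directly in the Windows directory. The sample export, the assumption that %WinDIR% is C:\WINDOWS, and the "bare .exe in the Windows directory" heuristic are constructed for this example; it also covers the HKCU policies\Explorer\Run counterpart, which the description does not list.

```python
import re

# Persistence locations documented for BDS/Ciadoor (keys listed on this page, lower-cased for matching).
ACTIVE_SETUP = r"hkey_local_machine\software\microsoft\active setup\installed components"
WINLOGON = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"
HKCU_WINDOWS = r"hkey_current_user\software\microsoft\windows nt\currentversion\windows"
AUTORUN_KEYS = {WINLOGON, HKCU_WINDOWS + r"\run"} | {
    f"{h}\\software\\microsoft\\windows\\currentversion\\{s}"
    for h in ("hkey_local_machine", "hkey_current_user") for s in ("run", "runservices", "policies\\explorer\\run")}
# Heuristic (assumption): an .exe directly in the Windows directory, e.g. C:\WINDOWS\CSRSS.EXE; the genuine csrss.exe is in system32.
WINDIR_EXE = re.compile(r"[a-z]:[\\/]windows[\\/][^\\/\s]+\.exe", re.I)

def parse_reg_export(text):
    """Parse 'reg export' text into {key (lower-cased): {value name (lower-cased): data}}."""
    keys, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"') and '"=' in line:
            name, _, data = line[1:].partition('"=')
            if data.startswith('"'):  # REG_SZ: drop the quotes and unescape \\ and \"
                data = data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
            keys[current][name.lower()] = data
    return keys

def suspicious(key, name, data):
    """True when a (key, value) pair matches one of the persistence patterns described above."""
    if key == WINLOGON and name == "shell":
        return data.strip().lower() != "explorer.exe"   # anything appended to the shell
    if key == HKCU_WINDOWS and name in ("load", "run"):
        return bool(data)                                # both are normally empty
    if key.startswith(ACTIVE_SETUP + "\\") and name == "stubpath":
        return bool(WINDIR_EXE.search(data))
    return key in AUTORUN_KEYS and bool(WINDIR_EXE.search(data))

def find_ciadoor_persistence(reg_text):
    """Return (key, value name, data) triples from a registry export that match the patterns."""
    return [(k, n, d) for k, v in parse_reg_export(reg_text).items()
            for n, d in v.items() if suspicious(k, n, d)]

# Constructed sample export (assumes %WinDIR% = C:\WINDOWS); not taken from a real infected host.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{44BBA855-CC51-11CF-AAFA-00AA00B6017B}]
"StubPath"="C:\\WINDOWS\\CSRSS.EXE"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Ciadoor"="C:\\WINDOWS\\CSRSS.EXE"
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe C:\\WINDOWS\\CSRSS.EXE"
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"load"="C:\\WINDOWS\\CSRSS.EXE"
"""
```

Running `find_ciadoor_persistence(SAMPLE_EXPORT)` returns the four planted entries and leaves the legitimate system32 ctfmon entry alone; feed it the output of `reg export` for the hives above to check a real host.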
The infected PC opens a port and waits for instructions from the backdoor client program.
The author can configure the backdoor to perform the following actions via the server program on the infected computer:
- Copy, cut, delete, run files;
- Call or terminate running tasks;
- Screenshots;
- Keylogger function;
- WebCam recording;
- Finding hidden passwords;
- File uploading and downloading;
- Controlling Windows, e.g. restart;
- Influencing different Windows applications, e.g. CD-ROM drive, keyboard settings, desktop appearance, taskbar appearance, changing background settings, mouse control;
- Collecting clipboard information;
- Collecting Windows System information;
- Setting and running Batch files;
- Collecting system files;
- Running DOS instructions;
- Displaying a fake MSN login, to obtain MSN account data;
- Collecting CD licenses for software.
Description inserted by Crony Walker on Tuesday, 15 June 2004