Alias: Backdoor.Ciadoor, Backdoor.Ciadoor.12
Type: Worm
Size: 117.977 Bytes
Origin:
Date: 05-14-2004
Damage: Sent by email, TCP Ports
VDF Version: 6.25.00.75
Danger: Medium
Distribution: Low

Distribution
The Backdoor BDS/Ciadoor can spread through TCP Ports. Otherwise, it has to be explicitly installed on the system by a third party.

Technical Details
When activated, BDS/Ciadoor copies itself to %WinDIR%\CSRSS.EXE. The file name can be different. On Windows 95/98 and ME it makes the entries:

"load=%filename%.exe"
"run=%filename%.exe"

in WIN.INI in the Windows directory and the following entry in SYSTEM.INI:
"shell=%filename%.exe"


It also makes the following entries in one of the Registry paths:

HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{44BBA855-CC51-11CF-AAFA-00AA00B6017B}
"StubPath" = "%WinDIR%\%filename%.exe"
"ComponentID" = %Name%
"IsInstalled" = 1
"Locale" = "en"
"Version" = "4,88,55,1"

HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{44BBA855-CC51-11CF-AAFA-00AA00C7170S}
"StubPath" = "%WinDIR%\%filename%.exe"
"ComponentID" = %Name%
"IsInstalled" = 1
"Locale" = "en"
"Version" = "4,88,55,1"


It makes the following entries in one or more of the following Registry paths:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "%Name%"="%WinDIR%\%filename%.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Services "%Name%"="%WinDIR%\%filename%.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run "%Name%"="%WinDIR%\%filename%.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon "%Name%"="%WinDIR%\%filename%.exe"
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "%Name%"="%WinDIR%\%filename%.exe"
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Services "%Name%"="%WinDIR%\%filename%.exe"
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Run "%Name%"="%WinDIR%\%filename%.exe"

It also changes the registry entries below:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon "Shell"="Explorer.exe %WinDIR%\%filename%.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows "load"="%WinDIR%\%filename%.exe" "run"="%WinDIR%\%filename%.exe"
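The autostart locations listed above (Run keys, Active Setup StubPath, the Winlogon Shell value, and the legacy load=/run= lines in WIN.INI) are what an analyst checks when triaging a suspected infection. The following is an added example, not part of the original description and not vendor code: it audits a regedit-style export and a WIN.INI fragment offline for exactly these hooks. The registry export, the WIN.INI text and the value names such as "WinUpdate" are constructed sample data; the only real indicator taken from the description is a copy of the file in the Windows directory under a system-process name such as CSRSS.EXE, which legitimately lives only in System32.

```python
import re
from pathlib import PureWindowsPath

# Well-known system process names; a copy outside System32/SysWOW64 is an impostor.
SYSTEM_PROCESS_NAMES = {"csrss.exe", "winlogon.exe", "lsass.exe",
                        "services.exe", "smss.exe", "svchost.exe"}

# Run-style autostart keys named in the description (and RunOnce for completeness).
AUTOSTART_KEY_RE = re.compile(
    r"\\CurrentVersion\\(?:Run|RunOnce|RunServices|Run\\Services|policies\\Explorer\\Run)$",
    re.IGNORECASE)

# Constructed sample: a fragment of a `regedit /e` export. Paths and names are made up.
SAMPLE_REG_EXPORT = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"WinUpdate"="C:\\WINDOWS\\CSRSS.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe C:\\WINDOWS\\CSRSS.EXE"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA855-CC51-11CF-AAFA-00AA00B6017B}]
"StubPath"="C:\\WINDOWS\\CSRSS.EXE"
"IsInstalled"=dword:00000001
"""

# Constructed sample of the [windows] section of WIN.INI on a Windows 9x/ME host.
SAMPLE_WIN_INI = """[windows]
load=C:\\WINDOWS\\CSRSS.EXE
run=
NullPort=None
"""


def parse_reg_export(text):
    """Parse a regedit export into {key: {value_name: data}}; REG_SZ strings are unescaped."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'^"(?P<name>[^"]+)"=(?P<data>.*)$', line)
        if m and current is not None:
            data = m.group("data")
            if data.startswith('"') and data.endswith('"'):
                # .reg exports double every backslash inside string data
                data = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
            keys[current][m.group("name")] = data
    return keys


def first_executable(command):
    """Return the image path at the start of a command line, honouring quotes."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def looks_like_impostor(path):
    """True when a system process name sits outside its legitimate folder."""
    p = PureWindowsPath(path)
    return p.name.lower() in SYSTEM_PROCESS_NAMES and \
        p.parent.name.lower() not in {"system32", "syswow64"}


def audit_registry(keys):
    """Return (key, value_name, data) for every suspicious autostart entry."""
    findings = []
    for key, values in keys.items():
        low = key.lower()
        if AUTOSTART_KEY_RE.search(key):
            for name, data in values.items():
                if looks_like_impostor(first_executable(data)):
                    findings.append((key, name, data))
        elif low.endswith("\\winlogon"):
            # Shell must be exactly explorer.exe; anything appended is a second autostart.
            shell = values.get("Shell", "")
            tokens = shell.split()
            if tokens and (len(tokens) > 1 or tokens[0].lower() != "explorer.exe"):
                findings.append((key, "Shell", shell))
        elif "\\active setup\\installed components\\" in low:
            stub = values.get("StubPath", "")
            if stub and looks_like_impostor(first_executable(stub)):
                findings.append((key, "StubPath", stub))
    return findings


def audit_win_ini(text):
    """load= and run= under [windows] are legacy autostart hooks; any value set is a finding."""
    findings, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "windows" and "=" in line:
            k, v = line.split("=", 1)
            if k.strip().lower() in {"load", "run"} and v.strip():
                findings.append(("WIN.INI [windows]", k.strip(), v.strip()))
    return findings


if __name__ == "__main__":
    hits = audit_registry(parse_reg_export(SAMPLE_REG_EXPORT)) + audit_win_ini(SAMPLE_WIN_INI)
    for key, name, data in hits:
        print("SUSPECT autostart: %s | %s = %s" % (key, name, data))
```

On a live system the same logic can be fed the output of `reg export` for each hive and the real WIN.INI; because the description notes that the file name can differ, the System32 check matters more than the literal name CSRSS.EXE, and any Winlogon Shell value that is not a bare explorer.exe deserves a look regardless of what is appended.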


Through TCP ports 5888 and 6888 the author of the Worm reaches the ICQ mail and CGI script of the infected system. The infected PC opens a port and listens for commands from the Backdoor client program.
The author can configure the Backdoor so that it can perform the following actions through the server program on the infected computer:

Copy, move, delete and open files.
List and terminate active tasks.
Take screenshots.
Play music.
Keylogger functions.
Operate the webcam and take notes.
Find hidden passwords.
Upload and download files.
Shut down and restart Windows.
Manipulate Windows components such as the CD-ROM drive, keyboard settings, desktop and taskbar indicators, background settings and mouse controls.
Capture clipboard contents.
Capture Windows system information.
Create and open batch files.
Capture system files.
Execute DOS commands.
Use a fake MSN login to obtain MSN account data.
Capture CD software licenses.
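The listening ports named above (TCP 5888 and 6888) give a responder a quick network-side check to pair with the autostart audit. The following is an added example, not part of the original description: it parses the text output of `netstat -ano` and `tasklist /fo csv /nh`, joins them on PID, and reports listeners or established sessions on the backdoor ports together with the owning image. Both command outputs, the PIDs and the peer address are constructed sample data.

```python
import csv
import io

BACKDOOR_PORTS = {5888, 6888}  # ports named in the description

# Constructed sample of `netstat -ano` output on Windows; PIDs are made up.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  TCP    0.0.0.0:5888           0.0.0.0:0              LISTENING       1532
  TCP    0.0.0.0:6888           0.0.0.0:0              LISTENING       1532
  TCP    192.168.1.20:139       0.0.0.0:0              LISTENING       4
  TCP    192.168.1.20:5888      203.0.113.7:49152      ESTABLISHED     1532
  UDP    0.0.0.0:500            *:*                                    1200
"""

# Constructed sample of `tasklist /fo csv /nh` output mapping PIDs to images.
SAMPLE_TASKLIST = '''"svchost.exe","900","Services","0","9,000 K"
"CSRSS.EXE","1532","Console","1","3,112 K"
"System","4","Services","0","236 K"
'''


def parse_netstat(text):
    """Parse `netstat -ano` rows into dicts; UDP rows have no State column."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        if parts[0] == "TCP" and len(parts) == 5:
            proto, local, foreign, state, pid = parts
        elif parts[0] == "UDP" and len(parts) == 4:
            proto, local, foreign, pid = parts
            state = ""
        else:
            continue  # malformed or truncated row
        host, _, port = local.rpartition(":")  # works for [v6]:port as well
        rows.append({"proto": proto, "local_host": host, "local_port": int(port),
                     "foreign": foreign, "state": state, "pid": int(pid)})
    return rows


def parse_tasklist_csv(text):
    """Map PID -> image name from `tasklist /fo csv /nh` output."""
    return {int(row[1]): row[0]
            for row in csv.reader(io.StringIO(text)) if len(row) >= 2}


def find_backdoor_activity(rows, procs, ports=BACKDOOR_PORTS):
    """Report TCP listeners and live sessions on the backdoor ports with their owning image."""
    findings = []
    for r in rows:
        if r["proto"] != "TCP" or r["local_port"] not in ports:
            continue
        if r["state"] not in ("LISTENING", "ESTABLISHED"):
            continue
        findings.append({"port": r["local_port"], "state": r["state"], "pid": r["pid"],
                         "image": procs.get(r["pid"], "<unknown>"), "peer": r["foreign"]})
    return findings


if __name__ == "__main__":
    procs = parse_tasklist_csv(SAMPLE_TASKLIST)
    for f in find_backdoor_activity(parse_netstat(SAMPLE_NETSTAT), procs):
        print("port %(port)d %(state)s pid %(pid)d (%(image)s) peer %(peer)s" % f)
```

A port number alone is a weak indicator, since the client can be configured and the ports may be reused by unrelated software; the result becomes actionable when the owning PID resolves to an image that should never own a socket, as in the sample where CSRSS.EXE holds the listeners, or to the autostart entries found in the registry audit.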
Description added by Crony Walker on Tuesday, 15 June 2004
