Backdoor.Dvldr

Discovered: March 08, 2003
Updated: March 10, 2003 4:33:11 PM
Systems Affected: Windows

Backdoor.Dvldr is a typical back door server program that allows unauthorized access to remote systems. It is installed on systems by W32.HLLW.Deloder (MCID 1280).

When executed, the back door creates the following files:
%system%\cygwin1.dll
%windir%\fonts\explorer.exe
%windir%\fonts\omnithread_rt.dll
%windir%\fonts\VNCHooks.dll
%windir%\fonts\rundll32.exe

The back door also creates the following registry entries so that it will be executed every time the compromised system is booted:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TaskMan = %windows%\Fonts\rundll32.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Explorer = %windows%\Fonts\explorer.exe

The explorer.exe and VNCHooks.dll files are part of the AT&T VNC server. These files allow the attacker to access the compromised system remotely on port 5800.

The rundll32.exe file is an IRC back door that requires the cygwin1.dll file to execute. When running, it will connect to one of the following IRC servers on TCP port 6667:
cocket.nailed.org
cocket.mooo.com
cocket.bounceme.net
cocket.phathookups.com
cocket.gotdns.com
cocket.ma.cx
cocket.orgdns.org
cocket.minidns.net
cocket.dyn.nicolas.cx
cocket.dynup.net
cocket.pokemonfan.org
cocket.staticcling.org
cocket.getmyip.com

After connecting to the IRC server, the back door joins a specific channel and notifies the remote attacker by sending a private IRC message. Once the back door has been installed, it allows the remote attacker to perform various actions such as managing the installation of the back door and performing a variety of denial of service attacks.
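The following script is an added example, not part of the original write-up and not a Symantec tool. It turns the indicators above (the dropped files, the two Run values, the IRC hostnames on TCP 6667 and the VNC port 5800) into host and network checks a responder can run over collected data. The connection-record format, the expansion of the %windir%/%windows%/%system% placeholders (with %system% taken to mean System32) and all sample data are constructed for the example.

```python
"""Indicator checks for the Backdoor.Dvldr write-up above (added example).
Indicator values are copied from the write-up; the record format, placeholder
expansion and sample data are constructed and are not from the page."""
import re
from typing import Dict, Iterable, List, Tuple

# IRC C2 hostnames (TCP 6667) and the VNC port, as listed in the write-up.
IRC_HOSTS = {
    "cocket.nailed.org", "cocket.mooo.com", "cocket.bounceme.net", "cocket.phathookups.com",
    "cocket.gotdns.com", "cocket.ma.cx", "cocket.orgdns.org", "cocket.minidns.net",
    "cocket.dyn.nicolas.cx", "cocket.dynup.net", "cocket.pokemonfan.org",
    "cocket.staticcling.org", "cocket.getmyip.com",
}
IRC_PORT, VNC_PORT = 6667, 5800

# Files the back door drops, as written in the write-up.
DROPPED_FILES = [
    r"%system%\cygwin1.dll",
    r"%windir%\fonts\explorer.exe",
    r"%windir%\fonts\omnithread_rt.dll",
    r"%windir%\fonts\VNCHooks.dll",
    r"%windir%\fonts\rundll32.exe",
]

# Assumed expansion of the write-up's placeholders; %system% is taken to mean
# the System32 directory. Set WINDIR to the real Windows directory of the host.
WINDIR = r"C:\WINDOWS"
PLACEHOLDERS = {"%windir%": WINDIR, "%windows%": WINDIR, "%system%": WINDIR + r"\system32"}


def normalize_path(path: str) -> str:
    """Expand placeholders and fold case so a path compares equal whether it was
    recorded already expanded or with a placeholder, in any letter case."""
    lowered = path.strip().strip('"').lower()
    for placeholder, root in PLACEHOLDERS.items():
        lowered = lowered.replace(placeholder, root.lower())
    return lowered


DROPPED_NORMALIZED = {normalize_path(p) for p in DROPPED_FILES}


def check_files(present_paths: Iterable[str]) -> List[str]:
    """Return the paths from a host file listing that match a dropped-file indicator."""
    return sorted(p for p in present_paths if normalize_path(p) in DROPPED_NORMALIZED)


def check_run_values(run_values: Dict[str, str]) -> List[str]:
    """Flag HKLM\\...\\Run values whose data is an executable under the Fonts directory.
    Matching the expanded path rather than the TaskMan/Explorer value names still fires
    if the names differ; rundll32.exe and explorer.exe never legitimately run from Fonts."""
    fonts_dir = normalize_path(r"%windir%\fonts") + "\\"
    findings = []
    for name, data in run_values.items():
        target = normalize_path(data)
        if target.startswith(fonts_dir) and target.endswith(".exe"):
            findings.append(f"Run\\{name} -> {data}")
    return findings


# Constructed connection-record format: "<time> <proto> <src>:<port> -> <dst>:<port> <state>".
CONNECTION_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<proto>TCP|UDP)\s+(?P<src>\S+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\S+):(?P<dport>\d+)\s+(?P<state>\S+)$"
)


def check_connections(records: Iterable[str]) -> List[Tuple[str, str]]:
    """A connection to a listed IRC host is a strong indicator; other port-6667 traffic
    is worth review; a listener on 5800 is weak alone because legitimate VNC uses it."""
    findings = []
    for raw in records:
        m = CONNECTION_RE.match(raw.strip())
        if not m:
            continue  # blank line or not a connection record
        dst, dport, sport = m["dst"].lower(), int(m["dport"]), int(m["sport"])
        if dst in IRC_HOSTS:
            findings.append(("strong", f"IRC C2 connection to {dst}:{dport}"))
        elif dport == IRC_PORT:
            findings.append(("review", f"port-{IRC_PORT} traffic to unlisted host {dst}"))
        if m["state"] == "LISTENING" and sport == VNC_PORT:
            findings.append(("weak", f"listener on VNC port {VNC_PORT}"))
    return findings


# Constructed sample host data (not from the page).
SAMPLE_FILES = [
    r"C:\WINDOWS\system32\cygwin1.dll",
    r"C:\WINDOWS\Fonts\rundll32.exe",
    r"C:\WINDOWS\system32\rundll32.exe",  # the legitimate copy; must not match
]
SAMPLE_RUN_VALUES = {
    "TaskMan": r"%windows%\Fonts\rundll32.exe",
    "Explorer": r"C:\WINDOWS\Fonts\explorer.exe",  # same persistence, recorded expanded
    "SoundMan": r"C:\WINDOWS\system32\soundman.exe",  # unrelated entry; must not match
}
SAMPLE_CONNECTIONS = """
2003-03-09T10:15:02Z TCP 10.0.0.5:1041 -> cocket.mooo.com:6667 ESTABLISHED
2003-03-09T10:15:02Z TCP 10.0.0.5:1042 -> www.example.com:80 ESTABLISHED
2003-03-09T10:15:03Z TCP 0.0.0.0:5800 -> 0.0.0.0:0 LISTENING
2003-03-09T10:15:09Z TCP 10.0.0.5:1043 -> irc.example.net:6667 ESTABLISHED
"""

if __name__ == "__main__":
    print("files:", check_files(SAMPLE_FILES))
    print("run values:", check_run_values(SAMPLE_RUN_VALUES))
    print("network:", check_connections(SAMPLE_CONNECTIONS.splitlines()))
```

The file and Run-value checks compare expanded, case-folded paths, so the legitimate System32 copies of rundll32.exe and explorer.exe are not flagged while the Fonts copies are, whichever way the collector recorded the path. On a real host, feed check_files a directory listing of the Windows and System32 directories, check_run_values the values under the Run key, and check_connections a netstat-style dump converted to the record format above.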