Backdoor.Carufax.A


Discovered: April 19, 2004
Updated: April 19, 2004 4:22:06 PM
Systems Affected: Windows

Backdoor.Carufax.A is a trojan horse that will attempt to download files, open a backdoor, connect to an IRC server and log keystrokes.

Backdoor.Carufax.A is a back door program that allows unauthorized remote access to a compromised system.

Upon execution, the program copies itself to the following location, depending on the Windows version:
%System%\internt.exe on Windows 98 and Windows Me
%AppData%\internt.exe on Windows NT, Windows 2000 and Windows XP

The %AppData% folder is determined by querying the following registry value:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData

It then creates the following registry entry so that it is launched every time Windows starts:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\internt = <path to trojan>\internt.exe

The program will then attempt to connect to an IRC server running at 69.56.199.110 and join the channel #adfxdaxf2 with the username Admin and password 3r3r3r.

Once connected, attackers have the ability to:
Send an email, including keystroke log files, to the author.
View system information.
Remove the trojan from the system.
Download and execute arbitrary files.
Update the version of the threat running on the infected host.

Backdoor.Carufax.A also downloads a configuration file from http://www.utility-carfax.com/, which contains the IP address of an email server, an email address to send logs to, and a list of strings that it uses as the list of applications to monitor.

These values are stored in the following registry keys:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\IxServ
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\IxMail
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\IxWind

The trojan will also generate a unique ID for the infected host, which will be stored at HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\IxIdnt

The trojan also drops the file kbdext32.dll into the current working directory. This DLL monitors the list of applications specified by the downloaded configuration file and logs keystrokes to the file ~intfx.dat.
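The registry values and dropped files listed above are the host artifacts a responder would check for. The following added example (not part of this writeup) parses a standard .reg export of HKEY_CURRENT_USER and a file listing and reports which Carufax artifacts are present; the sample export and paths are constructed, and the host ID value is a placeholder.

```python
import ntpath

# Registry value names the writeup attributes to the trojan, grouped by key (matched case-insensitively).
CARUFAX_REG_VALUES = {
    r"HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN": {"INTERNT"},
    r"HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS":
        {"IXSERV", "IXMAIL", "IXWIND", "IXIDNT"},
}
# File names the writeup says the trojan copies itself to or drops.
CARUFAX_FILES = {"internt.exe", "kbdext32.dll", "~intfx.dat"}

def parse_reg_export(text: str) -> dict[str, tuple[str, dict[str, str]]]:
    """Minimal .reg parser: {KEY_UPPER: (key_as_written, {VALUE_NAME_UPPER: data})}."""
    keys: dict[str, tuple[str, dict[str, str]]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):  # start of a new key
            current = line[1:-1]
            keys.setdefault(current.upper(), (current, {}))
        elif current is not None and "=" in line:  # "name"="data" or "name"=dword:...
            name, data = line.split("=", 1)
            name = "@" if name == "@" else name.strip('"')
            data = data.strip('"').replace("\\\\", "\\")  # .reg doubles backslashes in strings
            keys[current.upper()][1][name.upper()] = data
    return keys

def find_carufax_indicators(reg_text: str, file_paths: list[str]) -> list[str]:
    """One line per Carufax registry value or dropped file present in the inputs."""
    hits = []
    for key_upper, (key, values) in parse_reg_export(reg_text).items():
        for name in sorted(CARUFAX_REG_VALUES.get(key_upper, set())):
            if name in values:
                hits.append(f"registry: {key}\\{name} = {values[name]}")
    for path in file_paths:
        if ntpath.basename(path).lower() in CARUFAX_FILES:
            hits.append(f"file: {path}")
    return hits

# Constructed sample inputs (not from a real infection): a partial HKCU export and a file listing.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"internt"="C:\\Documents and Settings\\user\\Application Data\\internt.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"IxIdnt"="EXAMPLE-HOST-ID"
"ProxyEnable"=dword:00000000
'''
SAMPLE_FILES = [r"C:\Documents and Settings\user\Application Data\internt.exe",
                r"C:\WINDOWS\system32\ctfmon.exe", r"C:\WINDOWS\kbdext32.dll"]
```

Running `find_carufax_indicators(SAMPLE_REG, SAMPLE_FILES)` flags the Run value, the IxIdnt host ID and the two dropped files while ignoring the benign ctfmon entries.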

Backdoor.Carufax.A also runs an FTP server on port 11311, allowing remote attackers full access to the infected host.

This threat is written in C++ and packed with PECompact.