Backdoor.Abebot

Discovered: January 13, 2005
Updated: January 13, 2005 5:00:13 PM
Systems Affected: Windows

Backdoor.Abebot is a Trojan horse program that opens a back door and lowers security settings on a compromised computer.

Backdoor.Abebot is a Trojan horse program that opens a back door, steals information, and lowers security settings on a compromised computer.

When executed, the Trojan creates the following copy of itself:
%System%\[random file name].exe

Next, the Trojan creates the following registry entries so that it is executed every time Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"[random key name]" = "[random file name].exe -services"
HKEY_USERS\S-1-5-21-679724519-2691042562-2408214785-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"[random key name]" = "[random file name].exe -drivers"

The Trojan creates the following registry entry as an infection marker:
HKEY_LOCAL_MACHINE\Software\Microsoft\Connect

The Trojan opens a back door on a random TCP port, and awaits commands from the remote attacker. The back door allows the attacker to perform the following actions on the compromised computer:
Run commands
Retrieve system information and files via FTP, HTTP, or IRC, using DCC send commands
Restart/shutdown the computer
List/kill processes
Perform denial of service attacks
Retrieve a given URL
Port Scan
Send email
Start a SOCKS4 proxy server on a random TCP port
Log keystrokes

The Trojan lowers security settings by terminating the following security-related processes:
msconfig.exe
regedit.exe
xcommsvr.exe
vsmain.exe
VetMsg.exe
Tmntsrv.exe
TeaTimer.exe
TaskMan.exe
tasklist.exe
SymWSC.exe
symlcsvc.exe
stinger.exe
SNDSrvc.exe
Smc.exe
SAVSCAN.EXE
persfw.exe
PAVFIRES.exe
Pavproxy.exe
NPSSVC.EXE
NPROTECT.EXE
NMain.exe
NAVW32.exe
Zanda.exe
NVCSCHED.EXE
nvcoas.exe
NJEEVES.EXE
Zlh.exe
Nymse.exe
Nip.exe
CClaw.exe
NISUM.EXE
NAVAPSVC.EXE
mmc.exe
mgui.exe
Mpftray.exe
minilog.exe
mghtml.exe
mcvsshld.exe
mcvsrte.exe
mcupdate.exe
McShield.exe
MCAGENT.EXE
LOCKDOWN2000.EXE
IAMSERV.EXE
IAMAPP.EXE
HijackThis.exe
FRW.EXE
spidernt.exe
drwebscd.exe
drweb32w.exe
CCSETMGR.EXE
CCPXYSVC.EXE
ccEvtMgr.exe
ccApp.exe
avpcc.exe
avgserv.exe
avgcc32.exe
Avengine.exe
apvxdwin.exe
tcpview.exe
regmon.exe
portmon.exe
netstat.exe
Lookout.exe
filemon.exe
ethereal.exe
EtherD.exe
procdump.exe
ollydbg.exe
lordpe.exe
guw32.exe
istsvc.exe
GAMECHANNEL.EXE
SearchUpgrader.exe
evntsvc.exe
actalert.exe
optimize.exe
TBPSSvc.exe
winka.exe
winupdt.exe
cashback.exe
SYS_ALERT.EXE
PrecisionTime.exe
Weather.exe
WebSavingsFromEbates1.exe
WebSavingsFromEbates0.exe
bargains.exe
hbsrv.exe
ViewMgr.exe
bigfix.exe
DateManager.exe
WebRebates1.exe
WebRebates0.exe
WeatherOnTray.exe
dmserver.exe
MWSOEMON.EXE
AdDestroyer.exe
VirtualBouncer.exe
winsrv32.exe
updmgr.exe
GMT.exe
CMESys.exe
KeenValue.exe
mostat.exe
svcnet.exe
svshosts.exe
WUAUMQR.exe
wml.exe
svchosts.exe
system32.exe
sysmon.exe
syscfg32.exe
spoolsrv.exe
scvhosts.exe
rcp32.exe
mspmspv.exe
msconfig32.exe
firedaemon.exe
dllhost32.exe
SVCHOSL.PIF
rmss.exe
imss.exe
dust.exe
intrenat.exe
winupdat.exe
winppr32.exe
videodrv.exe
SVCH0ST.EXE
mscnt.exe
msblast.exe
Desktop-shooting.exe
Cheese-Burger.exe
Blaargh.exe
Alles-ist-vorbei.exe
zonealarm.exe
zlclient.exe
zapro.exe
sniffem.exe
smc.exe
tskill.exe
taskkill.exe
processmonitor.exe
netmon.exe
lockdown2000.exe
lockdown.exe
blackice.exe
blackd.exe

The Trojan modifies the hosts file to block access to the following Web sites:
www.symantec.com
securityresponse.symantec.com
symantec.com
www.mcafee.com
mcafee.com
us.mcafee.com
www.sophos.com
sophos.com
www.viruslist.com
viruslist.com
f-secure.com
www.f-secure.com
kaspersky.com
www.avp.com
www.kaspersky.com
avp.com
www.networkassociates.com
networkassociates.com
www.ca.com
ca.com
my-etrust.com
www.my-etrust.com
secure.nai.com
nai.com
www.nai.com
trendmicro.com
www.trendmicro.com
housecall.trendmicro.com
www.pandasoftware.com
www.bitdefender.com
www.ravantivirus.com
www3.ca.com
v4.windowsupdate.microsoft.com
v5.windowsupdate.microsoft.com
v5windowsupdate.microsoft.nsatc.net
windowsupdate.microsoft.com
www.windowsupdate.com
windowsupdate.com
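An added triage example, not part of the Symantec writeup: it checks a hosts file for entries naming the vendor and update sites listed above, and checks Run-key values for the "[random file name].exe -services" / "-drivers" command-line shape described earlier. The hosts content, the Run values, and the file name qxmzvx.exe are constructed for the example; on a live system you would read %SystemRoot%\system32\drivers\etc\hosts and the two Run keys instead.

```python
import re

# Subset of the domains the writeup says the Trojan blocks via the hosts file.
BLOCKED_DOMAINS = {
    "www.symantec.com", "securityresponse.symantec.com", "www.mcafee.com",
    "www.sophos.com", "www.kaspersky.com", "www.trendmicro.com",
    "windowsupdate.microsoft.com", "www.windowsupdate.com",
}

# Constructed sample hosts-file content: two hijacked entries plus normal lines.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1 www.symantec.com
0.0.0.0 windowsupdate.microsoft.com
192.168.1.10 fileserver.corp.example   # constructed, legitimate entry
"""

# Constructed sample Run-key values (value name -> command line); qxmzvx.exe is a placeholder.
SAMPLE_RUN_VALUES = {
    "Sound Manager": "C:\\WINDOWS\\system32\\qxmzvx.exe -services",
    "ctfmon": "C:\\WINDOWS\\system32\\ctfmon.exe",
}


def hijacked_hosts_entries(hosts_text):
    """Return (ip, hostname) pairs for any hosts line that names a listed vendor/update domain.

    No legitimate hosts file should carry these names at all, so every match is reported
    regardless of the address it points to.
    """
    hits = []
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()  # strip comments and whitespace
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            if name.lower() in BLOCKED_DOMAINS:
                hits.append((ip, name.lower()))
    return hits


def suspicious_run_values(run_values):
    """Return Run-value names whose command is an .exe followed only by -services or -drivers."""
    pattern = re.compile(r"\.exe\s+-(services|drivers)\s*$", re.IGNORECASE)
    return sorted(name for name, cmd in run_values.items() if pattern.search(cmd))


if __name__ == "__main__":
    print(hijacked_hosts_entries(SAMPLE_HOSTS))
    print(suspicious_run_values(SAMPLE_RUN_VALUES))
```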