
System Infected: Backdoor.Daserf.B

Severity: High

This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.

Description

This signature detects Backdoor.Daserf.B activity on the infected computer.

Additional Information

When the Trojan is executed, it copies itself to the following location:
%System%\exp1orer.exe

It also creates the following file:
%System%\usid.dat

Next, the Trojan creates the following file, which is a copy of Hacktool.Rootkit:
%System%\drivers\fdsiewt.sys

The Trojan may create the following files, which store system information gathered from the compromised computer:

%System%\pinfs.dat
%System%\msuwor.dat

Next, the Trojan creates the following service:
Display name: Microsoft Universal Device Manage Service
Image path: %System%\exp1orer.exe -service

It creates the following registry subkey for the above service:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\gowrors

It also creates the following service:
Display name: fsdiewt
Image path: %System%\drivers\fdsiewt.sys

It creates the following registry subkey for the above service:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\fdsiewt

The Trojan injects itself into the following processes:

services.exe
explorer.exe

It then downloads an image, which contains encoded URLs.

Next, the Trojan opens a back door, connecting to predetermined remote servers.

It then sends system information to the remote server.
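A read-only host triage check for the file, service and registry artifacts listed above, added here as an example and not Symantec's own tooling; it assumes %System% resolves to $env:SystemRoot\System32 and that it is run in an elevated PowerShell session.

```powershell
# Added example (not Symantec code): look for the Backdoor.Daserf.B artifacts
# named on this signature page. Read-only: it reports and removes nothing.
# Assumption: %System% is $env:SystemRoot\System32.
$system = Join-Path $env:SystemRoot 'System32'

# File names from the page. Note 'exp1orer.exe' spells the name with the digit 1;
# the legitimate explorer.exe lives in %Windir%, not in System32.
$files = @('exp1orer.exe', 'usid.dat', 'pinfs.dat', 'msuwor.dat', 'drivers\fdsiewt.sys') |
    ForEach-Object { Join-Path $system $_ }

# Service subkeys from the page.
$serviceKeys = @('gowrors', 'fdsiewt') |
    ForEach-Object { "HKLM:\SYSTEM\CurrentControlSet\Services\$_" }

# Service display names from the page (these differ from the subkey names).
$displayNames = @('Microsoft Universal Device Manage Service', 'fsdiewt')

$findings = @()

foreach ($path in $files) {
    if (Test-Path -LiteralPath $path) {
        # Record a hash so the sample can be cross-checked later without re-reading disk.
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        $findings += [pscustomobject]@{ Type = 'File'; Item = $path; Detail = "SHA256=$hash" }
    }
}

foreach ($key in $serviceKeys) {
    if (Test-Path -LiteralPath $key) {
        $imagePath = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).ImagePath
        $findings += [pscustomobject]@{ Type = 'ServiceKey'; Item = $key; Detail = "ImagePath=$imagePath" }
    }
}

# Match on display name as well, in case the subkey was renamed but the label was not.
Get-Service | Where-Object { $displayNames -contains $_.DisplayName } | ForEach-Object {
    $findings += [pscustomobject]@{ Type = 'Service'; Item = $_.Name; Detail = "DisplayName=$($_.DisplayName)" }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Backdoor.Daserf.B artifacts from the signature page were found.'
} else {
    $findings | Format-Table -AutoSize
}
```

Any hit warrants full incident handling rather than file deletion alone, since the page also describes injection into services.exe and explorer.exe that this disk and registry sweep does not cover.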

Affected

  • Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Vista, Windows XP