BackDoor.BlackHole.2004 [Site Notice]
Published: 2005-3-22 9:19:00 Posted by: 刘树华
size: 0 KB
Type: Backdoor
Level of Danger: Normal
Spread: Through adware or ActiveX control
Level of Spreading: Normal
O/S Environments: Windows
Date Reported: 2005-03-21 00:00 GMT+0900
Countermeasure Updated:
Description & Analysis Created at: 2005-03-21 17:40 GMT+0900
Countermeasures:
Virus Chaser Manual Scanning.
What it is:
Works as a backdoor after being injected into a normal process.
What it does:
BackDoor.BlackHole.2004 is packed with UPX and spreads under the file name ipserver.exe.
• When executed, BackDoor.BlackHole.2004 copies itself to the following location and deletes the originally downloaded executable.
- %SystemRoot%\ipserver.exe
* Windows folder (%SystemRoot%)
-Windows 9X/ME: C:\Windows
-Windows NT/2000 : C:\Winnt
-Windows XP : C:\Windows
• It creates the following file in the %System% folder.
- %System%\kv2004.dll : detected as BackDoor.BlackHole.2004
* Windows system folder (%System%)
-Windows 9X/ME: C:\Windows\SYSTEM
-Windows NT/2000 : C:\Winnt\System32
-Windows XP : C:\Windows\System32
• It adds a registry value so that it runs every time Windows starts.
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ipserver" = "%SystemRoot%\ipserver.exe"
• When ipserver.exe runs, it connects to the following site and retrieves the server address and port number that BackDoor.BlackHole.2004 uses for its backdoor connection.
- 61.178..111/zxy/ip.jpg
• It watches the infected system for newly started processes and injects kv2004.dll into each of them.
• The process injected with kv2004.dll connects to port 2004 of the IP address retrieved from "61.178..111/zxy/ip.jpg".
- 61.178..101
• Once the connection to the "61.178..101" server is established, it can relay access through the host or receive the virus author's commands from that server.
Alias:
Initial update: 2005/03/19 00:01:06
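A manual check for the artifacts listed above, added here as an example and not part of the original advisory or of the Virus Chaser product: it looks for the Run value, the two dropped files, any process with kv2004.dll loaded, and outbound TCP connections on port 2004. Paths and names come from the advisory; the `Get-NetTCPConnection` step assumes Windows 8 / Server 2012 or later.

```powershell
# Added example (not from the original advisory): manual artifact check for
# BackDoor.BlackHole.2004. Run in an elevated PowerShell session on the suspect host.

$runKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$dropper  = Join-Path $env:SystemRoot 'ipserver.exe'                        # %SystemRoot%\ipserver.exe
$dll      = Join-Path ([Environment]::GetFolderPath('System')) 'kv2004.dll'  # %System%\kv2004.dll
$findings = @()

# 1. Persistence: the "ipserver" value under the Run key
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['ipserver']) {
    $findings += "Run value 'ipserver' -> $($run.ipserver)"
}

# 2. Dropped files in %SystemRoot% and %System%
foreach ($f in @($dropper, $dll)) {
    if (Test-Path -LiteralPath $f) {
        $info = Get-Item -LiteralPath $f
        $findings += "File present: $f ($($info.Length) bytes, written $($info.LastWriteTime))"
    }
}

# 3. Injection: any running process that has kv2004.dll loaded
foreach ($p in Get-Process) {
    try {
        $hit = $p.Modules | Where-Object { $_.ModuleName -ieq 'kv2004.dll' }
        if ($hit) { $findings += "kv2004.dll loaded in PID $($p.Id) ($($p.ProcessName))" }
    } catch { }   # protected or cross-bitness processes may refuse module enumeration
}

# 4. Network: connections to the port named in the advisory (TCP 2004).
#    Get-NetTCPConnection is absent on older hosts; use 'netstat -ano' there.
if (Get-Command Get-NetTCPConnection -ErrorAction SilentlyContinue) {
    Get-NetTCPConnection -RemotePort 2004 -ErrorAction SilentlyContinue |
        ForEach-Object { $findings += "TCP to $($_.RemoteAddress):2004 from PID $($_.OwningProcess)" }
}

if ($findings.Count -eq 0) {
    'No BackDoor.BlackHole.2004 artifacts found.'
} else {
    'Possible BackDoor.BlackHole.2004 infection:'
    $findings | ForEach-Object { "  $_" }
    'Remediation: stop the injected processes, remove the Run value, delete both files, then reboot and rescan.'
}
```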
Described & Analyzed by:
New Technology R&D Center