W32/VBDoor!tr
Analysis
- Trojan is 32bit with a compressed file size of 35,068 bytes
- The Trojan was coded using Visual Basic 6
- If the Trojan is run, a dialogue box may be displayed with the following content -
CSFIX
c:\winnt\system32\csfix.exe
[OK]
- The Trojan will copy itself to the Windows\System32 folder as "csfix.exe" and then modify the registry to load at next Windows startup, as in this example -
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
microsoft = c:\WINNT\SYSTEM32\csfix.exe
- The Trojan will attempt to communicate with a website and send a page notification message to an ICQ chat client ID, as seen in the following example message -
from=(username)&fromemail=moi@hotmail.com&subject=moi@hotmail.com&
body=IP=192+169+0+128++PORT=2003++Password=mouton++
Version+0+0&to=25705543&send="
- The message above is posted using TCP port 80 to the web address 205.188.248.25 (clustera.icq.com), a server hosted by Mirabilis that can be used to send ICQ page messages. The message serves as a notification that the affected IP is infected by the Trojan
- The Trojan will open TCP port 2003 and await instructions from a hacker or group of hackers
- The Trojan contains the string "BBSatanus" in its code
Recommended Action
- Block internal to external traffic (INT -> EXT) with source TCP port 2003
- Block external to internal traffic (EXT -> INT) with destination TCP port 2003
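As an added detection example (not part of the original advisory), the following scans proxy log lines for the ICQ page notification described in the Analysis section and extracts the infected host's IP and backdoor port from the message body, so the hits can be checked against the port 2003 block rules above. The log line format and the sample lines are constructed for this example; the indicator values come from the advisory.

```python
"""Detect the W32/VBDoor!tr ICQ page notification in proxy logs (added example)."""
import re
from urllib.parse import parse_qs

# Indicators taken from the advisory text above
ICQ_PAGE_HOST = "clustera.icq.com"
ICQ_PAGE_IP = "205.188.248.25"
NOTIFY_UIN = "25705543"          # the 'to=' ICQ ID the Trojan pages
BACKDOOR_PORT = 2003             # port the Trojan opens and reports

# Constructed log line layout: "<ts> <src-ip> POST <url> body=\"<form body>\""
LOG_LINE = re.compile(
    r'^(?P<ts>\S+) (?P<src>[\d.]+) POST http://(?P<host>[^/ ]+)\S* body="(?P<body>[^"]*)"$'
)

def parse_vbdoor_body(body: str):
    """Parse the form-encoded POST body. Returns the extracted fields, or None
    when the body does not match the VBDoor notification layout."""
    fields = parse_qs(body, keep_blank_values=True)
    if fields.get("to", [""])[0] != NOTIFY_UIN:
        return None
    # parse_qs already turns '+' into spaces: "IP=192 169 0 128  PORT=2003 ..."
    msg = fields.get("body", [""])[0]
    m = re.search(r"IP=(\d+) (\d+) (\d+) (\d+) +PORT=(\d+)", msg)
    if not m:
        return None
    return {
        "infected_ip": ".".join(m.group(i) for i in range(1, 5)),
        "backdoor_port": int(m.group(5)),
        "sender": fields.get("from", [""])[0],
    }

def scan_proxy_log(lines):
    """Return one record per log line that is a VBDoor beacon to the ICQ page server."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m or m.group("host") not in (ICQ_PAGE_HOST, ICQ_PAGE_IP):
            continue
        parsed = parse_vbdoor_body(m.group("body"))
        if parsed:
            parsed.update(source_host=m.group("src"), timestamp=m.group("ts"))
            hits.append(parsed)
    return hits

# Constructed sample log: one beacon, one unrelated POST, one benign ICQ page
SAMPLE_LOG = [
    '2003-04-01T10:00:00Z 10.0.0.5 POST http://clustera.icq.com/ body="from=(username)'
    '&fromemail=moi@hotmail.com&subject=moi@hotmail.com&body=IP=192+169+0+128++PORT=2003'
    '++Password=mouton++Version+0+0&to=25705543&send="',
    '2003-04-01T10:00:05Z 10.0.0.9 POST http://www.example.com/login body="user=alice&pw=x"',
    '2003-04-01T10:00:09Z 10.0.0.7 POST http://clustera.icq.com/ body="from=bob&body=hello&to=12345&send="',
]
```

A hit whose reported backdoor_port matches BACKDOOR_PORT identifies the internal host whose port 2003 traffic the recommended firewall rules should be blocking.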