Virus

Backdoor.Servu

Analysis

  • The Trojan is installed onto a system such as a web server running IIS or SQL – the installation is intentional and manual, performed by a hacker, most probably through a common exploit or on a system already compromised by an existing remote access Trojan
  • The Trojan package consists of two initial files and one application – the Trojan components install.bat and distro.zip, plus the application pkunzip.exe
  • Once a system has been compromised, the package is copied manually to the (Windows)\Fonts folder, and the batch file install.bat is initiated remotely to install the Trojan
  • The batch file install.bat uses pkunzip.exe, which was copied along with it, to unpack distro.zip – all files unpack into the current folder
  • When install.bat is initiated, it may echo all of its instructions to the console, including the following text messages –
    -=Juaking Your Fucking NT/2k/XP=-
    ###DONE! ENJOY###
  • The package includes a program named “mata.exe”, which may be known as the application “PSKill” from Sysinternals.com – mata is used to terminate running processes prior to the installation and initiation of the remote access Trojan component
  • All installed files are set to hidden file attributes
  • Finally, install.bat initiates the server using “net start”
  • The package distro.zip contains several executables including the main remote access component “tcpvcs32.exe”
  • The purpose of the Trojan installation is to operate as a hidden FTP server through which hackers communicate and transfer files – the Trojan also attempts to expose drives C through I if they are mapped locally on the compromised system
  • The components of the distro.zip package include the following –
    12/26/02 0:20 930 button.gif
    12/26/02 0:15 28,035 crc.exe
    8/19/02 23:46 57,856 filter.dll
    8/19/02 23:46 105 filter.ini
    5/04/01 13:58 114,688 fp.exe
    5/24/02 16:48 8,192 HideRun.exe
    8/07/02 23:05 84,992 HOPlug.dll
    7/07/02 16:19 932 Leiste.txt
    11/03/02 15:57 77,824 mata.exe
    10/25/01 4:26 34,304 muestra.exe
    6/02/02 19:53 199 News.txt
    12/20/00 11:43 40,960 psd.exe
    10/02/02 22:51 61,440 pv.exe
    10/08/02 23:03 158,720 sendbot.exe
    12/25/02 23:28 326 sendbot.ini
    8/20/02 0:07 7,680 ServuEvent.dll
    8/19/02 23:48 120 ServuEvent.ini
    12/24/02 0:46 209 start.ini
    8/19/02 23:48 50,688 T-EXEC.DLL
    11/05/02 23:27 109 T-EXEC.INI
    11/07/02 11:27 548,352 tcpvcs32.exe
    10/08/02 23:03 183,808 vgadisp.exe
    4/20/02 18:46 18,432 wordpad.exe
  • The Trojan may run as the process name “Service Cersrv Vhost”
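The indicators above (dropper files and distro.zip components dropped into the Fonts folder, hidden attributes, non-font file types) can be turned into a simple triage check over a directory listing. The following Python is an added example, not part of the original analysis; the listing format ('date time size name', with an optional trailing H for hidden) and the sample lines are constructed for illustration, while the component names and sizes come from the distro.zip listing above.

```python
# Names and byte sizes from the distro.zip listing in the analysis above,
# plus the three files copied into the Fonts folder before unpacking.
KNOWN_COMPONENTS = {
    "button.gif": 930, "crc.exe": 28035, "filter.dll": 57856, "filter.ini": 105,
    "fp.exe": 114688, "hiderun.exe": 8192, "hoplug.dll": 84992, "leiste.txt": 932,
    "mata.exe": 77824, "muestra.exe": 34304, "news.txt": 199, "psd.exe": 40960,
    "pv.exe": 61440, "sendbot.exe": 158720, "sendbot.ini": 326, "servuevent.dll": 7680,
    "servuevent.ini": 120, "start.ini": 209, "t-exec.dll": 50688, "t-exec.ini": 109,
    "tcpvcs32.exe": 548352, "vgadisp.exe": 183808, "wordpad.exe": 18432,
}
DROPPER_FILES = {"install.bat", "distro.zip", "pkunzip.exe"}
# Executables, scripts, archives and INI files have no business in Fonts.
UNEXPECTED_EXT = {".exe", ".dll", ".bat", ".zip", ".ini"}

def classify(name: str, size: int, hidden: bool) -> list:
    """Reasons a Fonts-folder entry resembles a Backdoor.Servu component."""
    reasons = []
    low = name.lower()
    ext = low[low.rfind("."):] if "." in low else ""
    if low in DROPPER_FILES:
        reasons.append("dropper component")
    if low in KNOWN_COMPONENTS:
        match = "matches" if KNOWN_COMPONENTS[low] == size else "differs"
        reasons.append(f"distro.zip component, size {match}")
    if ext in UNEXPECTED_EXT:
        reasons.append(f"{ext} file in Fonts folder")
        if hidden:  # the analysis notes all installed files are set hidden
            reasons.append("hidden attribute set")
    return reasons

def scan_fonts_listing(lines: list) -> dict:
    """Parse constructed 'date time size name [H]' lines; map suspicious names to reasons."""
    findings = {}
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            raise ValueError(f"unparsable listing line: {line!r}")
        name, size = parts[3], int(parts[2].replace(",", ""))
        reasons = classify(name, size, len(parts) > 4 and parts[4] == "H")
        if reasons:
            findings[name] = reasons
    return findings

# Constructed sample listing of a Fonts folder (not taken from a real system).
SAMPLE_LISTING = [
    "08/23/01 12:00 367,112 arial.ttf",       # ordinary font file, should be clean
    "11/07/02 11:27 548,352 tcpvcs32.exe H",  # main remote access component, hidden
    "12/26/02 00:10 2,048 install.bat H",     # dropper batch file, hidden
    "04/20/02 18:46 18,400 wordpad.exe",      # known name, size does not match
]
```

A name match alone is weak (wordpad.exe is also a legitimate Windows program), so the size comparison and the file's location in Fonts are what carry the finding.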