VIRUS NAME: BackDoor-ABN
NB: The first variant of this Trojan is detected with the 4190 DATs. Detection of a later variant requires the latest daily DATs - link below. (Detection will be included in next full DAT release.)
When the server component of this Remote Access Trojan (dubbed 'AceBot' by its author) is executed on the victim machine, the Trojan copies itself to the Windows System directory as a randomly named executable, deleting the original file. For example:
C:\WINDOWS\SYSTEM\TJSTBU.EXE (163,840 bytes)
In testing the Trojan was observed to disable the personal firewall in use. Strings within the Trojan suggest that the following personal firewalls will be bypassed:
Sygate Personal Firewall
Tiny Personal Firewall
The Trojan sets the following Registry key to ensure it is executed at subsequent system startups (adjust the filename as necessary):
\Run "Microsoft Diagnostic" = C:\WINDOWS\SYSTEM\TJSTBU.EXE
Once running, the Trojan attempts to connect to an IRC server, in order to join a channel and listen for remote commands. Strings within the server suggest a variety of functions may be performed remotely. These include the following:
Shutdown server (self kill)
Issue channel message
NB: Due to the wide variety of functions offered by this Remote Access Trojan, the payload danger is highly variable. Also, since this Trojan appears to be able to update itself, other functions may also be possible.
Code within the server suggests that it is able to spread between machines via the local network using shared drives. If successful, the Trojan attempts to copy itself to the following location (directory is hardcoded) on the remote machine:
Network propagation was not observed during testing, suggesting that this infection method is triggered by a remote command.
Symptoms
The existence of an oddly named .EXE file of length 163,840 bytes in the Windows system directory.
Disabled personal firewall
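The two host indicators above (the "Microsoft Diagnostic" Run value and a randomly named 163,840-byte .EXE in the system directory) can be checked with a small triage script. The following is an added example and is not code from the original advisory or from the Trojan's author. It assumes the truncated "\Run" key in the advisory is the standard HKLM/HKCU Software\Microsoft\Windows\CurrentVersion\Run autostart key, and it treats a filename of six upper-case letters (modelled on the sample name TJSTBU.EXE) as "random-looking"; that name heuristic is an assumption and is only a weak hint on its own, so the file-size match is the stronger indicator. The check functions take their data as arguments, so they can be run on a Windows host against the live registry and file system, or offline against values copied from an exported Run key and a directory listing.

```python
"""Triage check for the BackDoor-ABN host indicators (added example).

Indicator values come from the advisory text: Run value name
"Microsoft Diagnostic" and a 163,840-byte randomly named .EXE in the
Windows system directory. The six-upper-case-letter name pattern is an
assumption based on the sample name TJSTBU.EXE.
"""
import ntpath
import os
import re
import sys

TROJAN_SIZE = 163840                       # size given in the advisory
RUN_VALUE_NAME = "microsoft diagnostic"    # Run value name from the advisory
# Assumption: the random name looks like TJSTBU.EXE (six upper-case letters).
RANDOM_NAME = re.compile(r"^[A-Z]{6}\.EXE$")
# System directories to consider (Win9x name from the advisory plus the NT name).
SYSTEM_DIRS = (r"C:\WINDOWS\SYSTEM", r"C:\WINDOWS\SYSTEM32")


def _executable(cmd):
    """Return the executable path from a Run value command line
    (handles a quoted path followed by arguments)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(" ", 1)[0]


def suspicious_run_entries(run_values, system_dirs=SYSTEM_DIRS):
    """run_values: dict of value name -> command string from a Run key.
    Returns a list of (value_name, command, reasons) for entries that
    match either indicator."""
    hits = []
    dirs = {d.upper() for d in system_dirs}
    for name, cmd in run_values.items():
        reasons = []
        if name.strip().lower() == RUN_VALUE_NAME:
            reasons.append("value name matches 'Microsoft Diagnostic'")
        directory, filename = ntpath.split(_executable(cmd))
        if directory.upper() in dirs and RANDOM_NAME.match(filename):
            reasons.append("random-looking .EXE in the system directory")
        if reasons:
            hits.append((name, cmd, reasons))
    return hits


def suspicious_files(listing):
    """listing: iterable of (filename, size_in_bytes) for the system
    directory. Returns filenames that have the advisory's size and a
    random-looking name."""
    return [name for name, size in listing
            if size == TROJAN_SIZE and RANDOM_NAME.match(name)]


def collect_live():
    """Read both Run keys and list the system directory on a Windows host."""
    import winreg  # Windows only; imported here so the module loads elsewhere
    run_values = {}
    for hive in (winreg.HKEY_LOCAL_MACHINE, winreg.HKEY_CURRENT_USER):
        try:
            key = winreg.OpenKey(hive, r"Software\Microsoft\Windows\CurrentVersion\Run")
        except OSError:
            continue
        with key:
            index = 0
            while True:
                try:
                    name, value, _ = winreg.EnumValue(key, index)
                except OSError:
                    break
                run_values[name] = str(value)
                index += 1
    sysdir = os.path.join(os.environ.get("SystemRoot", r"C:\WINDOWS"), "System32")
    listing = [(e.name, e.stat().st_size) for e in os.scandir(sysdir) if e.is_file()]
    return run_values, listing


if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("live collection needs Windows; call the check functions with exported data instead")
    values, files = collect_live()
    for name, cmd, reasons in suspicious_run_entries(values, SYSTEM_DIRS + (os.path.join(os.environ.get("SystemRoot", r"C:\WINDOWS"), "System32"),)):
        print(f"Run value {name!r} -> {cmd}: {'; '.join(reasons)}")
    for filename in suspicious_files(files):
        print(f"system directory file {filename} has size {TROJAN_SIZE}")
```

A match on the Run value name alone, or on the size alone, is worth a closer look rather than a verdict: the name pattern is only inferred from one sample, and any legitimate 163,840-byte file with a short upper-case name would also trip the size check, so confirm with a scan using current DATs before removing anything.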
Method Of Infection
The Trojan infects a machine upon its initial execution. Thereafter, it is executed at system startup thanks to a Registry hook.