VIRUS NAME : BackDoor-ADM
When executed for the first time on the victim machine, this remote access trojan may display a moving image of a running man in the foreground, together with a shrunken window that is sometimes captioned 'Unknown GUY'.
Additionally the trojan opens up port 22784 in order to listen for remote commands from hackers running the client component of this backdoor.
The trojan copies itself to the Windows system directory, and to ensure its execution upon subsequent system startup, sets the following Registry key:
"Microsoft Syscheck" = C:\WINDOWS\System\Syscheck.exe /s
The filenames used by the trojan and the name of the Registry value may vary between versions of this backdoor. (The /s switch invokes silent mode, which suppresses the graphic described above.)
The server component of this trojan contains code to email the hacker (via port 80, utilising a WWPMsg.dll library) details of victim machines (port number, IP address).
Server functions may vary between different versions of this trojan, but include actions typical to many common backdoors:
open/close CD-ROM tray
read PWL (Windows password) files
file system operations (upload, download, copy, delete, execute etc.)
capture screendump of victim machine
perform taskbar operations
The indicated engine/DATs detect and delete this backdoor trojan, and remove the Registry hook it employs, detailed above.
Indications of infection are the presence of the server file in the Windows system directory, coupled with the Registry value detailed above.
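As an added example (not part of the original description), the following Python triage script checks for the two indicators given above on this page: a listener on TCP port 22784, and a startup Registry value named "Microsoft Syscheck" that launches Syscheck.exe with the /s switch from the Windows system directory. It works on text captured from `netstat -an` and from a `.reg` export of the startup key; both samples embedded below are constructed for the example, and the hive path in the sample export is an assumption, since the page does not state it.

```python
"""
Triage helper for the BackDoor-ADM indicators described above:
  1. a process listening on TCP port 22784 (the backdoor's command port)
  2. a startup Registry value named "Microsoft Syscheck" whose data runs
     Syscheck.exe /s from the Windows system directory
Inputs are plain text: the output of `netstat -an` and a `.reg` export.
All sample data below is constructed for this example.
"""
import re

LISTEN_PORT = 22784
RUN_VALUE_NAME = "Microsoft Syscheck"

# Constructed sample of `netstat -an` output (not a real capture).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:22784          0.0.0.0:0              LISTENING
  UDP    0.0.0.0:137            *:*
"""

# Constructed sample of a .reg export; the hive path is an assumption,
# the page only says the value ensures execution at system startup.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Syscheck"="C:\\WINDOWS\\System\\Syscheck.exe /s"
"SomeUpdater"="C:\\Program Files\\Vendor\\update.exe"
"""

# Matches one string value line of a .reg export: "name"="data"
REG_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')


def listening_ports(netstat_text):
    """Return the set of local TCP ports that netstat reports as LISTENING."""
    ports = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[0] == "TCP" and fields[3] == "LISTENING":
            ports.add(int(fields[1].rsplit(":", 1)[1]))
    return ports


def run_entries(reg_text):
    """Return {value name: data} for every string value in the export,
    with the .reg double-backslash escaping undone."""
    entries = {}
    for line in reg_text.splitlines():
        m = REG_VALUE_RE.match(line.strip())
        if m:
            entries[m.group("name")] = m.group("data").replace("\\\\", "\\")
    return entries


def syscheck_indicator(entries):
    """True if the "Microsoft Syscheck" value launches Syscheck.exe from the
    Windows system directory in silent (/s) mode, as described on the page."""
    data = entries.get(RUN_VALUE_NAME)
    if data is None:
        return False
    lowered = data.lower()
    return "\\system\\syscheck.exe" in lowered and lowered.rstrip().endswith("/s")


def triage(netstat_text, reg_text):
    """Return a list of human-readable findings; empty means no indicator hit."""
    findings = []
    if LISTEN_PORT in listening_ports(netstat_text):
        findings.append(f"TCP port {LISTEN_PORT} is listening (BackDoor-ADM command port)")
    if syscheck_indicator(run_entries(reg_text)):
        findings.append(f'startup value "{RUN_VALUE_NAME}" runs Syscheck.exe /s')
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_NETSTAT, SAMPLE_REG):
        print("INDICATOR:", finding)
```

Because the page notes that the filename and value name vary between versions, a hit on either check is a strong indicator for this particular variant, while a miss does not rule out another version; the engine/DAT detection described above remains the authoritative check.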
Method Of Infection
The server installs itself on the victim machine when executed, copying itself to the Windows system directory and hooking the Registry.