AlphaOne Technology Support Forums
Author Topic: Backdoor.Darkmoon  (Read 376 times)
Author: TJ (Tech Team, Hero Member, 136 posts)
Backdoor.Darkmoon
« on: August 20, 2005, 12:46:07 AM »

Backdoor.Darkmoon is a Trojan horse that opens a back door on a compromised computer and has keylogging capabilities.

When Backdoor.Darkmoon is executed, it performs the following actions:

   1. Creates the following files:

          * %System%\Yxgunlzu.d1l
          * %System%\drivers\Yxgunlzu.sys
          * %Windir%\@@@\___.exe
          * %Windir%\@@@\mydll.exe
          * %Windir%\@@@\win32.exe
          * %Windir%\win32log.dat
          * %Temp%\~MS[RANDOM CHARACTERS].doc
          * %Temp%\~$~MS[RANDOM CHARACTERS].doc

            Note:
          * %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
          * %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows (Windows 95/98/Me/XP) or C:\Winnt (Windows NT/2000).
          * %Temp% is a variable that refers to the Windows temporary folder. By default, this is C:\Windows\TEMP (Windows 95/98/Me/XP) or C:\WINNT\Temp (Windows NT/2000).

   2. Creates the following folder:

      %Windir%\@@@\plugins

   3. Adds the value:

      "Microsoft" = "%Windir%\@@@\win32.exe"

      to the registry subkey:

      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

      so that the risk runs every time Windows starts.

   4. Adds the value:

      "ServiceDll" = "%System%\Yxgunlzu.d1l"

      to the registry subkey:

      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dmserver\Parameters

      so that the risk runs every time Windows starts.

   5. Creates the following subkeys:

      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Yxgunlzu
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_YXGUNLZU

   6. Injects %System%\Yxgunlzu.d1l into the iexplore.exe process.

   7. Starts %System%\drivers\Yxgunlzu.sys as a rootkit. The file hides any strings containing "Yxgunlzu" on the compromised computer.

   8. Captures window titles and keystrokes and saves them to the following file:

      %Windir%\@@@\[DATE].txt

   9. Opens a back door on TCP ports 6868 and 7777 and awaits further instructions from a remote attacker.

  10. Allows the remote attacker to perform any of the following actions:

          * Steal System Information
          * Steal network Information
          * Download, upload, and execute files
          * Open and close the CD drive
          * Send email
          * Access CMD.exe or command.com

  11. Attempts to open %Temp%\~MS[RANDOM CHARACTERS].doc.

REMOVAL INSTRUCTIONS
See: http://securityresponse.symantec.com/avcenter/venc/data/backdoor.darkmoon.html
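The write-up above is a list of host indicators: file paths written in terms of %System%, %Windir% and %Temp%, two registry values, two service subkeys, and two listening ports. The following Python is an added example, not part of the original post or of Symantec's write-up, showing how a responder can turn those indicators into a matcher and run it over a host inventory collected elsewhere (a file listing, exported registry values and subkeys, and a list of listening ports). The %Var% expansions are the defaults given in the write-up's note; the character sets used for [RANDOM CHARACTERS] and [DATE] are assumptions, since the write-up does not specify them, and the sample inventory at the bottom is constructed, not real host data.

```python
import re

# Indicators transcribed from the Backdoor.Darkmoon write-up above.
FILE_INDICATORS = [
    r"%System%\Yxgunlzu.d1l",
    r"%System%\drivers\Yxgunlzu.sys",
    r"%Windir%\@@@\___.exe",
    r"%Windir%\@@@\mydll.exe",
    r"%Windir%\@@@\win32.exe",
    r"%Windir%\win32log.dat",
    r"%Windir%\@@@\[DATE].txt",
    r"%Temp%\~MS[RANDOM CHARACTERS].doc",
    r"%Temp%\~$~MS[RANDOM CHARACTERS].doc",
]
# (subkey, value name) -> data the write-up says is written there
REGISTRY_VALUE_INDICATORS = {
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "Microsoft"):
        r"%Windir%\@@@\win32.exe",
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dmserver\Parameters", "ServiceDll"):
        r"%System%\Yxgunlzu.d1l",
}
REGISTRY_SUBKEY_INDICATORS = [
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Yxgunlzu",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_YXGUNLZU",
]
BACKDOOR_PORTS = {6868, 7777}

# Default expansions per Windows family, taken from the write-up's note on the variables.
ENV_DEFAULTS = {
    "xp":     {"%System%": r"C:\Windows\System32", "%Windir%": r"C:\Windows", "%Temp%": r"C:\Windows\TEMP"},
    "nt2000": {"%System%": r"C:\Winnt\System32",   "%Windir%": r"C:\Winnt",   "%Temp%": r"C:\WINNT\Temp"},
    "9x":     {"%System%": r"C:\Windows\System",   "%Windir%": r"C:\Windows", "%Temp%": r"C:\Windows\TEMP"},
}
# Regex fragments for the write-up's placeholders; the character sets are assumptions.
PLACEHOLDERS = {"[RANDOM CHARACTERS]": r"[A-Za-z0-9]+", "[DATE]": r"[0-9][0-9-]*"}
_PLACEHOLDER_SPLIT = re.compile(r"(\[RANDOM CHARACTERS\]|\[DATE\])")


def indicator_to_regex(indicator, env):
    """Expand %Var% to its default path, turn placeholders into patterns, escape everything else."""
    for var, path in env.items():
        indicator = indicator.replace(var, path)
    parts = _PLACEHOLDER_SPLIT.split(indicator)  # literal pieces and placeholders, interleaved
    body = "".join(PLACEHOLDERS.get(p, re.escape(p)) for p in parts)
    return re.compile("^" + body + "$", re.IGNORECASE)


def match_files(file_paths, family="xp"):
    """Return (observed_path, indicator) pairs for every path that matches a file indicator."""
    patterns = [(ind, indicator_to_regex(ind, ENV_DEFAULTS[family])) for ind in FILE_INDICATORS]
    return [(path, ind) for path in file_paths for ind, rx in patterns if rx.match(path)]


def match_registry(values, subkeys, family="xp"):
    """values: {(subkey, name): data}; subkeys: iterable of subkey paths. Comparison is case-insensitive."""
    env = ENV_DEFAULTS[family]
    observed = {(k.lower(), n.lower()): d for (k, n), d in values.items()}
    hits = []
    for (key, name), data in REGISTRY_VALUE_INDICATORS.items():
        seen = observed.get((key.lower(), name.lower()))
        # Match on the data, not just the value name: "Microsoft" and "ServiceDll" look legitimate.
        if seen is not None and indicator_to_regex(data, env).match(seen):
            hits.append(f"{key}\\{name} = {seen}")
    present = {k.lower() for k in subkeys}
    hits.extend(key for key in REGISTRY_SUBKEY_INDICATORS if key.lower() in present)
    return hits


def match_ports(listening_ports):
    """Return the back-door ports from the write-up that the host is listening on."""
    return sorted(BACKDOOR_PORTS.intersection(listening_ports))


def scan_host(file_paths, reg_values, reg_subkeys, listening_ports, family="xp"):
    """Run all three matchers over one host inventory and flag the host if anything hit."""
    report = {
        "files": match_files(file_paths, family),
        "registry": match_registry(reg_values, reg_subkeys, family),
        "ports": match_ports(listening_ports),
    }
    report["suspicious"] = any(report[k] for k in ("files", "registry", "ports"))
    return report


# Constructed sample inventory (not real host data) resembling an infected Windows XP machine.
SAMPLE_FILES = [
    r"C:\Windows\System32\kernel32.dll",
    r"C:\Windows\System32\Yxgunlzu.d1l",
    r"C:\Windows\System32\drivers\Yxgunlzu.sys",
    r"C:\Windows\@@@\win32.exe",
    r"C:\Windows\@@@\2005-08-19.txt",
    r"C:\Windows\TEMP\~MSa7f3k2.doc",
    r"C:\Windows\TEMP\~$~MSa7f3k2.doc",
    r"C:\Windows\notepad.exe",
]
SAMPLE_REG_VALUES = {
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "Microsoft"): r"C:\Windows\@@@\win32.exe",
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "ctfmon.exe"): r"C:\Windows\System32\ctfmon.exe",
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dmserver\Parameters", "ServiceDll"): r"C:\Windows\System32\Yxgunlzu.d1l",
}
SAMPLE_REG_SUBKEYS = [
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Yxgunlzu",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp",
]
SAMPLE_PORTS = [135, 445, 6868, 3389]

if __name__ == "__main__":
    for section, hits in scan_host(SAMPLE_FILES, SAMPLE_REG_VALUES, SAMPLE_REG_SUBKEYS, SAMPLE_PORTS).items():
        print(section, hits)
```

Two points worth keeping in mind when using something like this. Step 7 of the write-up says the driver hides any string containing "Yxgunlzu" on the compromised computer, so an inventory collected from inside the running infected system may not contain the .d1l, .sys or service subkey at all; the @@@ folder, win32log.dat, the Run value and the listening ports are still visible, and an inventory taken from an offline image or after booting clean media avoids the problem entirely. And the default expansions only cover the layouts in the write-up's note; pass the family that matches the host, or extend ENV_DEFAULTS with the actual values of the variables on that machine.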