AlphaOne Technology Support Forums
TJ
Backdoor.Tixanbot
« on: August 24, 2005, 08:20:16 PM »

Backdoor.Tixanbot is a Trojan horse that gives a remote attacker control over the compromised computer. It also ends security-related processes, stops services, and sends links to other users using MSN Messenger.

When Backdoor.Tixanbot is executed, it performs the following actions:

   1. Displays a fake error message with the following properties:

      Title: Error Patching File
      Message: Messenger not found!

   2. Copies itself as %System%\[RANDOM NAME]\svshost.exe.

      Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

   3. May create the following files that are shortcuts to the file %System%\[RANDOM NAME]\svshost.exe, so that it runs at startup:

          * %UserProfile%\Start Menu\Programs\Startup\svshost.lnk
          * %UserProfile%\Start Menu\Programme\Autostart\svshost.lnk

            Note: %UserProfile% is a variable that refers to the current user's profile folder. By default, this is C:\Documents and Settings\[CURRENT USER] (Windows NT/2000/XP).

   4. Adds the value:

      "svshost" = "%System%\[RANDOM NAME]\svshost.exe"

      to the registry subkeys:

      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
      HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

      so that it runs every time Windows starts.

   5. Adds the value:

      "Start" = "4"

      to the registry subkeys:

      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sr
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\srservice

      so that it disables Windows security features.

   6. Ends the following processes, some of which are security-related:

          * kavsvc.exe
          * msconfig.exe
          * kav.exe
          * mcvsshld.exe
          * mcagent.exe
          * mcvsrte.exe
          * mcshield.exe
          * mcvsftsn.exe
          * mcdash.exe
          * mcvsescn.exe
          * mcinfo.exe
          * mpfagent.exe
          * mpftray.exe
          * mpfservice.exe
          * mskagent.exe
          * mcmnhdlr.exe
          * sndsrvc.exe
          * vsmon.exe
          * usrprmpt.exe
          * ccapp.exe
          * ccevtmgr.exe
          * spbbcsvc.exe
          * ccsetmgr.exe
          * symlcsvc.exe
          * npfmntor.exe
          * navapsvc.exe
          * issvc.exe
          * ccproxy.exe
          * navapw32.exe
          * navw32.exe
          * smc.exe
          * outpost.exe
          * zlclient.exe
          * pandaavengine.exe
          * msblast.exe
          * penis32.exe
          * teekids.exe
          * bbeagle.exe
          * d3dupdate.exe
          * sysmonxp.exe
          * i11r54n4.exe
          * irun4.exe
          * mscvb32.exe
          * sysinfo.exe
          * mwincfg32.exe
          * wincfg32.exe
          * winsys.exe
          * zapro.exe
          * winupd.exe
          * enterprise.exe
          * regedit.exe
          * hijackthis.exe
          * gcasdtserv.exe
          * gcasserv.exe
          * pcctlcom.exe
          * tmntsrv.exe
          * tmproxy.exe
          * pccguide.exe
          * tmpfw.exe
          * pcclient.exe
          * AVGNT.EXE
          * AVWIN.EXE
          * taskmgr.exe
          * AVWUPSRV.EXE
          * ethereal.exe

   7. Closes windows with the following titles:

          * microsoft antispyware*
          * hijackthis*

   8. Ends the following security-related services, and sets their start type to disabled:

          * wscsvc
          * SharedAccess
          * srservice
          * kavsvc
          * mcupdmgr.exe
          * McShield
          * MCVSRte
          * MpfService
          * GuardDogEXE
          * ISSVC
          * navapsvc
          * Symantec Core LC
          * ccEvtMgr
          * SNDSrvc
          * ccProxy
          * ccPwdSvc
          * ccSetMgr
          * SPBBCSvc
          * SAVScan
          * SBService
          * SmcService
          * OutpostFirewall
          * vsmon
          * CAISafe
          * PcCtlCom
          * tmproxy
          * Tmntsrv

   9. Deletes the following security-related values:

      "CleanUp"
      "MCAgentExe"
      "MCUpdateExe"
      "VirusScan Online"
      "VSOCheckTask"
      "ccApp"
      "Symantec NetDriver Monitor"
      "SmcService"
      "Outpost Firewall"
      "gcasServ"
      "pccguide.exe"
      "KAVPersonal50"
      "Zone Labs Client"

      from the registry subkey:

      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

  10. Adds the following text to the hosts file to block access to some security-related websites:

      127.0.0.1 avp.com
      127.0.0.1 www.avp.com
      127.0.0.1 ca.com
      127.0.0.1 dispatch.mcafee.com
      127.0.0.1 download.mcafee.com
      127.0.0.1 f-secure.com
      127.0.0.1 fastclick.net
      127.0.0.1 ftp.f-secure.com
      127.0.0.1 ftp.sophos.com
      127.0.0.1 liveupdate.symantec.com
      127.0.0.1 customer.symantec.com
      127.0.0.1 rads.mcafee.com
      127.0.0.1 mast.mcafee.com
      127.0.0.1 mcafee.com
      127.0.0.1 my-etrust.com
      127.0.0.1 nai.com
      127.0.0.1 networkassociates.com
      127.0.0.1 secure.nai.com
      127.0.0.1 securityresponse.symantec.com
      127.0.0.1 service1.symantec.com
      127.0.0.1 sophos.com
      127.0.0.1 support.microsoft.com
      127.0.0.1 symantec.com
      127.0.0.1 update.symantec.com
      127.0.0.1 updates.symantec.com
      127.0.0.1 us.mcafee.com
      127.0.0.1 vil.nai.com
      127.0.0.1 viruslist.com
      127.0.0.1 www.viruslist.com
      127.0.0.1 www.awaps.net
      127.0.0.1 www.ca.com
      127.0.0.1 www.f-secure.com
      127.0.0.1 www.fastclick.net
      127.0.0.1 www.mcafee.com
      127.0.0.1 www.microsoft.com
      127.0.0.1 www.my-etrust.com
      127.0.0.1 www.nai.com
      127.0.0.1 www.networkassociates.com
      127.0.0.1 www.sophos.com
      127.0.0.1 www.symantec.com
      127.0.0.1 www3.ca.com
      127.0.0.1 www.grisoft.com
      127.0.0.1 grisoft.com
      127.0.0.1 housecall.trendmicro.com
      127.0.0.1 trendmicro.com
      127.0.0.1 www.trendmicro.com
      127.0.0.1 www.pandasoftware.com
      127.0.0.1 pandasoftware.com
      127.0.0.1 kaspersky.com
      127.0.0.1 www.kaspersky.com
      127.0.0.1 www.zonelabs.com
      127.0.0.1 zonelabs.com
      127.0.0.1 antivir.com
      127.0.0.1 antivir.de
      127.0.0.1 www.spywareinfo.com
      127.0.0.1 spywareinfo.com
      127.0.0.1 www.merijn.org
      127.0.0.1 merijn.org

  11. Opens a back door by connecting to an IRC server on irc.xposed.org through TCP port 37737. This back door allows the attacker to perform the following actions on the compromised computer:

          * Download files
          * Download updates to the Trojan
          * Perform a denial of service attack
          * Obtain system information - computer name, OS
          * Run shell commands
          * Change the start page in Internet Explorer
          * Open a URL in a browser
          * Send a message to other users via MSN Messenger

  12. Sends one of the following messages to other MSN Messenger users, followed by a link which, when clicked, downloads a copy of the Trojan:

      LMAO, this is freaking me out!!
      looooooool....check this out !!!
      Automessage : download the new MSN update here!
      rofl, this ownz!!
      Hej, you already updated your MSN?
      Get the new MSN Messenger here :
      Click here if you want more MSN emotions:
      w0000t, you have to check this out!
      lmao, this roxXxX!!
      wow wow wow.....you have to check this out!!!

REMOVAL INSTRUCTIONS
See: http://securityresponse.symantec.com/avcenter/venc/data/backdoor.tixanbot.html

To delete the value from the registry
   1. Click Start > Run.
   2. Type regedit
   3. Click OK.
   4. Navigate to the subkeys:

      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
      HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

   5. In the right pane, delete the value:

      "svshost" = "%System%\[RANDOM NAME]\svshost.exe"

   6. Exit the Registry Editor.
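The persistence and tampering indicators in the post above (the svshost Run values, the Start=4 on SharedAccess/sr/srservice, and the 127.0.0.1 hosts-file entries) can be checked offline from files exported off a suspect machine. The following is an added example written for this page; it is not code from the original post or from Symantec. It assumes you have a copy of the hosts file and a .reg export of the Run keys and the Services keys; the sample inputs, the [RANDOM NAME] folder "kqzx", and the domain subset are constructed for the demonstration.

```python
"""Offline triage for the Backdoor.Tixanbot indicators described above.

Added example, not from the original post. Inputs are plain text exported
from a suspect Windows host: the hosts file and a .reg export (regedit
"Export") of the Run keys and the relevant Services keys.
"""
import re

# Subset of the domains the post says are mapped to 127.0.0.1 (suffix match,
# so liveupdate.symantec.com is covered by symantec.com).
VENDOR_DOMAINS = {
    "symantec.com", "mcafee.com", "nai.com", "networkassociates.com",
    "kaspersky.com", "avp.com", "viruslist.com", "f-secure.com",
    "sophos.com", "trendmicro.com", "ca.com", "my-etrust.com",
    "grisoft.com", "zonelabs.com", "pandasoftware.com", "antivir.com",
    "antivir.de", "microsoft.com", "spywareinfo.com", "merijn.org",
}

RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
)
SERVICES_ROOT = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\"
# Services the post says get Start = 4 (SERVICE_DISABLED).
DISABLED_SERVICES = {"sharedaccess", "sr", "srservice"}
SERVICE_START_DISABLED = 4

_SECTION = re.compile(r"^\[(.+)\]$")
_VALUE = re.compile(r'^"([^"]+)"=(.+)$')


def parse_reg_export(reg_text):
    """Parse a minimal .reg export into {key_path: {value_name: data}}.

    Quoted strings are unescaped, dword:xxxxxxxx becomes an int, anything
    else is kept as the raw text. Good enough for Run and Services keys.
    """
    tree, current = {}, None
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = _SECTION.match(line)
        if m:
            current = m.group(1)
            tree.setdefault(current, {})
            continue
        m = _VALUE.match(line)
        if m and current is not None:
            name, data = m.group(1), m.group(2)
            if data.startswith("dword:"):
                data = int(data[6:], 16)
            elif data.startswith('"') and data.endswith('"'):
                data = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
            tree[current][name] = data
    return tree


def hijacked_hosts_entries(hosts_text):
    """Return (ip, hostname) pairs that point a vendor domain at localhost.

    Comments and blank lines are skipped; one line may map several names.
    'localhost' and other non-vendor names are ignored.
    """
    hits = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        if ip not in ("127.0.0.1", "0.0.0.0", "::1"):
            continue
        for name in names:
            n = name.lower()
            if n in VENDOR_DOMAINS or any(n.endswith("." + d) for d in VENDOR_DOMAINS):
                hits.append((ip, n))
    return hits


def suspicious_run_values(reg_text):
    """Return (key, value_name, data) for Run values matching the post's entry:
    a value named "svshost" or any value whose data ends in \\svshost.exe."""
    hits, run_keys = [], {k.lower() for k in RUN_KEYS}
    for key, values in parse_reg_export(reg_text).items():
        if key.lower() not in run_keys:
            continue
        for name, data in values.items():
            if name.lower() == "svshost" or str(data).lower().endswith("\\svshost.exe"):
                hits.append((key, name, data))
    return hits


def disabled_security_services(reg_text):
    """Return the names of the post's three services whose Start is 4 (disabled)."""
    found = []
    for key, values in parse_reg_export(reg_text).items():
        if not key.lower().startswith(SERVICES_ROOT.lower()):
            continue
        svc = key[len(SERVICES_ROOT):]
        if svc.lower() in DISABLED_SERVICES and values.get("Start") == SERVICE_START_DISABLED:
            found.append(svc)
    return sorted(found)


# Constructed sample inputs (not captured from a real infection).
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
127.0.0.1 liveupdate.symantec.com
127.0.0.1 www.mcafee.com
"""
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"svshost"="C:\\WINDOWS\\system32\\kqzx\\svshost.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"svshost"="C:\\WINDOWS\\system32\\kqzx\\svshost.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\srservice]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache]
"Start"=dword:00000002
"""

if __name__ == "__main__":
    print("hosts hijacks:", hijacked_hosts_entries(SAMPLE_HOSTS))
    print("run values:", suspicious_run_values(SAMPLE_REG))
    print("disabled services:", disabled_security_services(SAMPLE_REG))
```

The value name "svshost" is a lookalike for the legitimate svchost.exe, so the Run-key check matches on the name and on the file-name suffix rather than on the random folder, which differs per infection. A Start of 4 on SharedAccess (the XP firewall/ICS service) or srservice (System Restore) is rarely a deliberate admin choice and is worth treating as a tamper indicator on its own.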