Risk Assessment
- Home Users: Low
- Corporate Users: Low
Date Discovered: 12/20/2006
Date Added: 12/21/2006
Origin: N/A
Length: 42,767 bytes
Type: Trojan
SubType: Remote Access
DAT Required: 4924
Virus Characteristics
On execution, BackDoor-DKM copies itself to %Windir%\System32 (name varies) and adds a registry entry to activate itself on reboot. The original copy of the file is deleted.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"SvcManager"=(name varies)
It also creates the following registry entries:
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
"c:\\windows\\system32\\kernelex0.exe"="c:\\windows\\system32\\kernelex0.exe:*:Enabled:kernelex0"
- HKEY_CURRENT_USER\Software\Microsoft\CryptoSecure
"CurrentVersion"=dword:00000023
"Id"=(varies)
"Last Update"=(varies)
"Name"="kernelex0.exe"
"Next Update"=(varies)
- HKEY_CURRENT_USER\Software\Microsoft\CryptoSecure\RM
"@"=hex(0):,00
After first making several requests that appear to be dummies (the destinations appear to be chosen at random from a set of domains that includes windowsupdate.microsoft.com and msn.com), the process communicates briefly with the following server:
- NOLAZ-pc-38-126.unnet.ru (87.249.38.126)
Following the brief exchange, the outgoing connection is kept open in a passive state. The process also begins listening on a random high TCP port.
Indications of Infection
- Presence of %WinDir%\System32\(varying legitimate-sounding filename).exe
- Presence of registry entries as described
- Network traffic to the aforementioned addresses
- Presence of unauthorized open network connections previously mentioned
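A host-side check for the indicators listed above, added here as an example and not part of the AVERT description. It assumes a current Windows host with the NetTCPIP module (Get-NetTCPConnection) and an elevated session so process paths are readable; the registry paths and value names are those given in this description, while the variable names and the high-port threshold are assumptions.

```powershell
# Added example, not part of the AVERT description: looks for the BackDoor-DKM
# artifacts named above. Registry paths and value names come from the description;
# the variable names and the >1024 port filter are assumptions.
$findings = @()

# 1. Run value "SvcManager" (the file name varies, so match on the value name)
$run = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['SvcManager']) {
    $findings += "Run value 'SvcManager' = $($run.SvcManager)"
}

# 2. Firewall exception of the form "<path>"="<path>:*:Enabled:<name>" for an
#    executable in System32 (legitimate entries exist too; review each hit)
$fwKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
$fw = Get-ItemProperty $fwKey -ErrorAction SilentlyContinue
if ($fw) {
    foreach ($p in $fw.PSObject.Properties) {
        if ($p.Name -like '*\system32\*.exe' -and "$($p.Value)" -match ':\*:Enabled:') {
            $findings += "Firewall exception: $($p.Name) -> $($p.Value)"
        }
    }
}

# 3. HKCU\Software\Microsoft\CryptoSecure, listed above as created by the Trojan
$csKey = 'HKCU:\Software\Microsoft\CryptoSecure'
if (Test-Path $csKey) {
    $cs = Get-ItemProperty $csKey
    $findings += "CryptoSecure key present; Name=$($cs.Name) CurrentVersion=$($cs.CurrentVersion)"
}

# 4. Listening TCP sockets on high ports whose owning process runs from System32
#    (the port is random per the description, so the image path is the only filter;
#    some legitimate services also match, so treat hits as leads, not verdicts)
$listeners = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalPort -gt 1024 }
foreach ($conn in $listeners) {
    $proc = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
    if ($proc -and $proc.Path -like "$env:windir\System32\*") {
        $findings += "Listener on TCP $($conn.LocalPort): $($proc.Path) (PID $($proc.Id))"
    }
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Output 'No BackDoor-DKM indicators found.' }
```

Hits from checks 2 and 4 need manual review, since Windows itself registers firewall exceptions and System32 services that listen on high ports; checks 1 and 3 are specific to this description.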
Method of Infection
Trojans are not viruses, and as such do not themselves contain any method to replicate. However, they may be downloaded by other viruses and/or Trojans to be installed on the user's system. Many are additionally mass-spammed by the author to entice people into double-clicking on them. Alternatively, they may be installed by visiting a malicious web page, either by clicking on a link or by the website hosting a scripted exploit that installs the malware onto the user's system with no user interaction.
Removal Instructions
AVERT recommends always using the latest DATs and engine. This threat will be cleaned if you have this combination.
Additional Windows ME/XP removal considerations