Virus Database


Backdoor.Netdex.a

Description Backdoor.Netdex.a

Netdex is a multi-component backdoor trojan. It allows a remote attacker to take control of infected computers. To do this, the backdoor downloads script files from the Web site http://www.two.com.ru, executes them, and sends the results back to the same site.
The main backdoor component is a JavaScript program named "zshell.js".
Other backdoor components are:
a.com - DOS COM program (helper)
netd.exe - Win32 EXE program (transfer service)
o.js, installer.php - JavaScript (installer)
repost.html, sh.php - HTML page with embedded JavaScript (additional component)

Infecting
Computers become infected when visiting the backdoor's host site at http://www.two.com.ru. The site's index page contains a script. If scripts are permitted to run on the visiting computer, the script is executed.
Exploiting a vulnerability, the script creates and runs the backdoor components on the victim computer. Once executed, the components install themselves into the system and run the backdoor routine. The main backdoor component is registered under two system registry auto-run keys:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Time Zone Synchronization = wscript "%Cookies folder%\zshell.js"
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Time Zone Synchronization = wscript "%Cookies folder%\zshell.js"
The backdoor exploits the 'Microsoft VM ActiveX Component' vulnerability. See http://www.microsoft.com/technet/security/bulletin/MS00-075 for details.
To disguise the backdoor's activity, the Web page shows a title and text in Russian (translated here):
Title: Why did you get here?
Text: Enter password to begin

If a password is entered, additional Russian text is displayed.
Netdex Password Screen (screenshot)

Main Backdoor Component
The backdoor itself is a script written in JavaScript. Once a minute it retrieves a set of commands from the host site and executes them. The backdoor supports the following commands:
runs a command or specified local file
displays specified message on computer's desktop
updates itself
sends email on behalf of victim computer
terminates itself
See a full list of commands below.
Technical Details - Infecting
Step1 - opening the infected Web page
When the JavaScript on the main HTML page of the hacker's Web site runs, the following files are 'dropped' onto the victim computer:
dropped file: the DOS COM file a.com. This file is saved to the Windows temp directory.
dropped and executed file: the JavaScript file zshell.js. This file is saved to the Windows 'Cookies' directory.
Thus there are two new files on the victim computer:
"%TMP%\a.com"
"%Cookies folder%\zshell.js"
Step2 - Creating the Backdoor Component
The 'zshell.js' script that is run during Step1 performs two main actions:
Action1: - it creates the "transfer service" file - netd.exe - a Win32 EXE file.
To do this the script runs 'a.com' from the temporary folder. 'a.com' extracts, decrypts and drops 'netd.exe' into the temporary directory, from where it is copied to the Windows 'Cookies' folder.
The 'netd.exe' program is then used as a helper to send data to and receive data from the backdoor's Web page. It supports the SMTP and HTTP protocols for transferring data to and from infected computers.
Action2: It downloads the file 'install.php' from the Web page, stores it under the name 'o.js' and runs it.
To do this the script issues an HTTP GET request through the 'netd.exe' transfer service.
Step3 - Installing the Backdoor
The 'o.js' script that is run in Step2 performs the following actions:
Action1: it downloads the 'sh.php' file from Web page, stores it under the 'zshell.js' name, and executes it. The file 'zshell.js' is the main backdoor component.
Action2: it creates registry auto-run keys that will start the main backdoor component (zshell.js) upon Windows restart.
Action3: it creates the backdoor auto re-run script file.
To do this the 'o.js' script creates a new 'repost.html' file in the Windows Cookies folder:
"%Cookies folder%\repost.html"
and writes to it a script that runs the zshell.js file (the main backdoor component).
The repost.html file is then registered under the registry key:
HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURLs\PostNotCached
In some cases Internet Explorer then runs this script automatically, and the main backdoor script gains control.
This completes the installation.
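The persistence described in the steps above (the two Run values that start wscript on a script in the Cookies folder, and the hijacked AboutURLs\PostNotCached entry) can be hunted for offline in a registry export. The following Python script is an added example, not part of the original description and not code from the backdoor: it parses `reg export`-style text and flags any Run value that launches the Windows Script Host on a script kept in a Cookies folder, plus any PostNotCached entry that points at a local file rather than a res:// resource. That is the general pattern rather than only the exact Netdex names. The sample export it scans is constructed, and the assumption that a clean PostNotCached value is a res:// URL is made for this example.

```python
import re

# Constructed `reg export`-style dump (sample data, not from the original page).
# The three backdoor values reproduce what the description above reports;
# the other entries are ordinary autostart values added so the check has
# something it must NOT flag.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Time Zone Synchronization"="wscript \"C:\\Documents and Settings\\user\\Cookies\\zshell.js\""
"SoundMAX"="\"C:\\Program Files\\Analog Devices\\SoundMAX\\SMTray.exe\""

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Time Zone Synchronization"="wscript \"C:\\Documents and Settings\\user\\Cookies\\zshell.js\""
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AboutURLs]
"blank"="res://mshtml.dll/blank.htm"
"PostNotCached"="C:\\Documents and Settings\\user\\Cookies\\repost.html"
'''

# Registry keys are case-insensitive on Windows, so everything is compared lower-cased.
RUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
}
ABOUTURLS_KEY = r"hkey_local_machine\software\microsoft\internet explorer\abouturls"

_SECTION_RE = re.compile(r"^\[(.+)\]$")
# "name"="data" with .reg escaping (backslash escapes backslash and quote)
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
_SCRIPT_HOST_RE = re.compile(r"\b[wc]script(?:\.exe)?\b", re.IGNORECASE)


def _unescape(s):
    """Undo .reg string escaping (backslash-escaped backslashes and quotes)."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Parse the REG_SZ values of a .reg export into {key_lower: {name: data}}."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _SECTION_RE.match(line)
        if m:
            current = m.group(1).lower()
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            keys[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return keys


def find_netdex_persistence(text):
    """Return (key, value_name, reason) for every value matching Netdex's persistence pattern."""
    findings = []
    keys = parse_reg(text)
    for key in RUN_KEYS:
        for name, data in keys.get(key, {}).items():
            # Netdex: Windows Script Host launching a script that lives in a Cookies folder.
            if _SCRIPT_HOST_RE.search(data) and "\\cookies\\" in data.lower():
                findings.append((key, name, "script host autostart from Cookies folder"))
    for name, data in keys.get(ABOUTURLS_KEY, {}).items():
        # Assumption for this example: about:PostNotCached resolves to a res:// resource
        # on a clean system; a file path means IE has been pointed at a local page.
        if name.lower() == "postnotcached" and not data.lower().startswith("res://"):
            findings.append((ABOUTURLS_KEY, name, "about: URL redirected to local file"))
    return findings


if __name__ == "__main__":
    for key, name, reason in find_netdex_persistence(SAMPLE_REG):
        print(f"{reason}: [{key}] {name}")
```

On a live machine the same export is produced with `reg export HKLM\Software\Microsoft\Windows\CurrentVersion\Run run.reg` (and the HKCU and AboutURLs keys likewise); the script only handles plain string values, which is all the description above involves.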
Backdoor Commands:
EXIT - terminates the backdoor program

NOBREAK - does nothing

SETCMDURL - stores new host (Web page) to communicate with

RUN - run command (from argument)

SENDMAIL - sends an email message; the SMTP server is read from "HKCU\Software\Microsoft\Internet Account Manager\Accounts\0000001\SMTP Server", or "mail.ru" is used if that fails

UPDATE - downloads a file and stores it as "%Cookies folder%\zshell.js"

ALERT - displays a message

SLEEP - waits %n% minutes (%n% is in argument)

SENDCONFIRM - reports 'I am here'

RUNTHESELF - restarts itself from "%Cookies folder%\zshell.js"


Cannabis_II.1029

Description Cannabis_II.1029

It is a harmless memory resident parasitic virus. It hooks INT 21h and writes itself to the end of EXE files that are accessed. While installing, it also infects COMMAND.COM; when infecting COMMAND.COM it does not increase the file's size but writes itself into the middle of the file.
The virus does not infect the following files:
CL*.EXE, HW*.EXE, TB*.EXE, F-*.EXE, WC*.EXE, TK*.EXE

The virus contains the text string:
No! Cannabisall

Cannibal.1312

Description Cannibal.1312

Cannibal.1312 is a dangerous memory resident encrypted parasitic virus. It hooks INT 10h, 28h, 2Fh and 4Ah and, on INT 10h and 28h calls, infects the file that made the call. On infection the virus writes itself to the end of the file. It contains a bug and corrupts .EXE files on infection. It creates the file
C:\VIRUS.$$$\cannibal.max

and writes the text into it:
_______________________________________
MAX CANNIBAL vers.1.04
(c)93 PAVLOVO CITY
_______________________________________
"_" = non-displayable character.

The virus displays that text on INT 4Ah calls. It also contains the internal text strings:
AIDS
Mad Max

    Copyright © 2005 Virus-Database.com