Virus Database

Backdoor.Netdex.a

Description Backdoor.Netdex.a

Netdex is multi-component backdoor trojan program. It allows a remote hacker to take control of infected computers. To accomplish this, the backdoor code downloads special script files from the Web site http://www.two.com.ru, processes them and then sends the result back to that Web site.
The main backdoor component is a Java Script program with the name,
"zshell.js"
Other backdoor components are:
a.com - DOS COM program (helper)
netd.exe - Win32 EXE program (transfer service)
o.js, installer.php - Java Script (installer)
repost.html, sh.php - HTML page with Java Script program (additional component)

Infecting
Computers become infected when visiting the backdoor's host site at http://www.two.com.ru. This site's index page contains a script program. If script programs are permitted to run on the target computer, the script is then executed.
Exploiting a security breach the script creates and runs backdoor components on victim computers. Upon execution the components install themselves into the system, and run a backdoor routine. The main backdoor component is registered in two system registry auto-run keys:
HKLMSoftwareMicrosoftWindowsCurrentVersionRun
Time Zone Synchronization = wscript "%Cookies folder%zshell.js"
HKCUSoftwareMicrosoftWindowsCurrentVersionRun
Time Zone Synchronization = wscript "%Cookies folder%zshell.js"
The backdoor uses the 'Microsoft VM ActiveX Component' vulnerability. Please go to http://www.microsoft.com/technet/security/bulletin/MS00-075 for more details.
To hide the backdoor's activity the Web page has the page Title and text in Russian:
Title: Why did you get here?
Text: Enter password to begin

In case a password is entered, additional text in Russian is displayed.
Netdex Password Screen:

Main Backdoor Component
The backdoor itself is a script program written in the Java Script language. Once each minute the backdoor receives from the host site a set of commands and executes them. This backdoor performs the following commands:
runs a command or specified local file
displays specified message on computer's desktop
updates itself
sends email on behalf of victim computer
terminates itself
See a full list of commands below.
Technical Details - Infecting
Step1 - opening the infected Web page
While infecting the Java Script on the hacker's web site's main HTML page, the following files are 'dropped' onto victim computers:
dropped file: DOS COM file named a.com. This files is saved to the Windows temp directory.
file dropped and executed: the Java script named zshell.js. This file is saved to the Windows 'Cookies' directory
Thus there are two new files on victim computers:
"%TMP%a.com"
"%Cookies folder%zshell.js"
Step2 - Creating the Backdoor Component
The 'zshell.js' script that is run during Step1 performs two main actions:
Action1: - it creates the "transfer service" file - netd.exe - a Win32 EXE file.
To do this the script runs the 'a.com' file in the temporary folder. The 'a.com' file extracts from its code, decrypts and drops the 'netd.exe' file into the temporary directory. This file is then copied to the Windows 'Cookies' folder.
The 'netd.exe' program will then be used as a helper to send/receive data to/from the main backdoor's Web page. This helper program supports SMTP and HTTP protocols to transfer data to/from infected computers.
Action2: It downloads the file 'install.php' from the Web page, stores it with under the name 'o.js' and runs it.
To do this the script uses the "GET HTTP" command and 'netd.exe' transfer service.
Step3 - Installing the Backdoor
The 'o.js' script that is run in Step2 performs the following actions:
Action1: it downloads the 'sh.php' file from Web page, stores it under the 'zshell.js' name, and executes it. The file 'zshell.js' is the main backdoor component.
Action2: it creates registry auto-run keys that will start the main backdoor component (zshell.js) upon Windows restart.
Action3: it creates the backdoor auto re-run script file.
To do this the 'o.js' script creates a new 'repost.html' file in the Windows Cookies folder:
"%Cookies folder% epost.html"
and writes a script program to this location that runs the zshell.js file (main backdoor component).
The repost.html file is then registered in the registry key:
HKLMSOFTWAREMicrosoftInternet ExplorerAboutURLsPostNotCached
This script, in some cases, is then automatically run by Internet Explorer, and the main backdoor script gains control.
This completes the installation.
Backdoor Commands:
EXIT - terminates the backdoor program

NOBREAK - does nothing

SETCMDURL - stores new host (Web page) to communicate with

RUN - run command (from argument)

SENDMAIL - sends email message - SMTP is read from the "HKCUSoftwareMicrosoftInternet Account ManagerAccounts0000001SMTP Server", or "mail.ru" is used in case of an error

UPDATE - downloads file and stores it to the "%Cookies folder%zshell.js"

ALERT - displays a message

SLEEP - waits %n% minutes (%n% is in argument)

SENDCONFIRM - reports 'I am here'

RUNTHESELF - restarts itself from the "%Cookies folder%zshell.js"

Check other viruses! Be aware! Use Antiviral Software

Phantom1

Description Phantom1

It is not a dangerous memory resident parasitic polymorphic virus. It hooks INT 1Ch, 21h and writes itself to the end of COM and EXE files that are executed or opened. If there is long period of keyboard inactivity this virus draws the picture of death's head with the text "PHANTOM 1" and displays the message:
Congradulations!!! Your computer is now infected with a high performance
PHANTOM virus! Coming soon: next virii based on the _C00LEST_ mutation
engine all over the world: the Advanced Polymorphic Engine! Enjoy this
intro! (C) 1994 by Dark Prince.

This virus has bugs. Sometimes it corrupts the files while infecting: the decryption routine cannot decrypt the virus body. While executing these files halt the system. Second, the video effect does not work under MS-Windows, Win95 and different memory managers.

Phardera.5824

Description Phardera.5824

This is a benign memory resident parasitic polymorphic virus. It hooks INT 21h, and writes itself to the end of COM and EXE files that are executed. The resident code of virus is also encrypted with different keys, and the virus decrypts/encrypts its routines "on-the-fly" in case of need. The virus also uses a lot of anti-debugging tricks.
On the 10th of each month, the virus displays the following message:
Phardera + Dianita

The virus contains the text strings:
Phardera
-by Phardera'95-----Batavia--------Indonesia----
RaredrahP Dianita

Home