Virus Database


ScreenMixer.1072

Description ScreenMixer.1072

This is a harmless, memory-resident, partly encrypted parasitic virus. It hooks INT 21h and writes itself to the end of COM and EXE files that are executed, or that are accessed through the FCB FindFirst/FindNext DOS calls (for example by the DIR command). Depending on the system timer, the virus mixes up the letters on the screen.


Backdoor.Katien.a

Description Backdoor.Katien.a
Katien is a backdoor Trojan program. The Trojan itself is a Windows PE EXE file about 50KB in length, written in Microsoft Visual C++.
Once executed the backdoor program registers itself in the system registry auto-run section:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
The key name depends on the backdoor variant:
TaskReg = %trojan file name%
Service = %trojan file name%
Once this is done, Katien opens a backdoor connection and waits for commands from its master (the person controlling the Trojan program). The Katien backdoor program performs just a few commands:
- gets a file from a requested URL
- runs a command or a specified local file
- performs a DoS attack on the requested victim address
- terminates itself
The backdoor program has copyright strings (lines) depending on the backdoor variant:
Voyager Alpha Force: Age of Kaiten
Kaiten Win32 API version: contem@efnet

Backdoor.KWM

Description Backdoor.KWM

This is a Win32 backdoor Trojan that allows a remote host to gain access to an infected computer. The Trojan itself is a Win32 application (PE EXE file) about 14K in size.
There are several known versions of this backdoor, which were distributed as uploads to public Web sites under the following names:
1. Photo.scr - as a picture (about 66K)
2. Sponsors_pay_WM.exe - as a document "Billing Systems' Contract for Services" (about 70K)
These EXE and SCR files are Trojan "droppers" that simply drop the actual Trojan program to the Windows directory with the "netcfgh.exe" name, then drop and open a "decoy" file (JPG picture or TXT document). The "decoy" files are created in the C: drive root with the PHOTO.JPG or CONTRACT.TXT names, and then are opened with Explorer.
When the actual Trojan file starts, it first of all enables auto-dialing by altering the registry key:
HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Internet Settings, EnableAutodial
The Trojan then registers itself as a hidden (system) application, registers itself in the auto-run key of the SYSTEM.INI file (in the Windows directory), sleeps for a short time and runs its main backdoor routine. This routine connects to the host FTP site ftp://ftp.bizland.com/ with a specific name and password and downloads additional EXE components (HEAK.EXE, TEEN1.EXE, TEEN2.EXE, TEEN3.EXE), which include a keyboard spy (logger), an archiver, etc.
The Trojan also obtains from this FTP site special CMD files containing instructions written in a specific scripting language. The backdoor then processes this script file and executes the commands present in it. These commands allow a remote host to operate an infected computer in the following ways:
- download files to the infected computer
- upload files from the infected computer
- execute local files
- move/copy/delete local files
- upload confidential information (RAS information and cached passwords) to the host FTP site

The backdoor also scans disk drives and looks for WebMoney files, and reports them to the host. This allows a host to steal WebMoney information from infected computers.
The backdoor also creates the following additional registry keys:
HKLM\Software\Microsoft\Windows\CurrentVersion
CmdID = %hostname% ; where %hostname% is the computer's network address
SystemNumber = NEW_%system_date% ; where %system_date% is the current date converted to a number
and creates additional files in the Windows directory:
BODY.LG - the Trojan's log file (its actions and reported errors)
LIST.CMD - the downloaded script file
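One way to check a machine for the SYSTEM.INI persistence described above is to parse the [windows] section and compare its run=/load= entries against the dropped file name given in this entry. The following is an added example written for this page, not code from Virus-Database.com; the SYSTEM.INI text it scans is constructed, and the only indicator it assumes is the netcfgh.exe name stated above.

```python
import re

# Constructed sample SYSTEM.INI (not a real capture) with the Windows 9x-style
# [windows] run=/load= auto-run entries the KWM description refers to.
SAMPLE_SYSTEM_INI = """[windows]
load=
run=C:\\WINDOWS\\netcfgh.exe
"""

KNOWN_DROPPED_NAME = "netcfgh.exe"  # file name given in the KWM description

def parse_ini(text):
    """Parse INI text into {section: {key: value}}; sections and keys lower-cased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).lower()
            sections.setdefault(current, {})
            continue
        if current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections

def autorun_entries(text):
    """Return (key, program) pairs started via run= and load= in [windows]."""
    win = parse_ini(text).get("windows", {})
    entries = []
    for key in ("run", "load"):
        # SYSTEM.INI lists several programs separated by spaces or commas
        for item in re.split(r"[ ,]+", win.get(key, "")):
            if item:
                entries.append((key, item))
    return entries

def suspicious_autoruns(text, names=(KNOWN_DROPPED_NAME,)):
    """Flag auto-run entries whose file name matches a known dropped name."""
    wanted = {n.lower() for n in names}
    hits = []
    for key, path in autorun_entries(text):
        base = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if base in wanted:
            hits.append((key, path))
    return hits
```

Running `suspicious_autoruns()` over a real SYSTEM.INI copied from a suspect machine reports each run=/load= entry that launches the dropped file; the `names` argument accepts further file names if other indicators are known.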

    Copyright © 2005 Virus-Database.com