Virus Database


Datacrime.1280.a

Description Datacrime.1280.a

This is a very dangerous non-resident virus. When an infected file is executed, it infects in the standard way at most one COM or EXE file in the current directory of each available disk. Depending on the timer and its own internal counters, the virus displays the text:
DATACRIME VIRUS RELEASED: 1 MARCH 1989
After that it attempts to format some tracks of the hard disk.


Backdoor.G_Door.20

Description Backdoor.G_Door.20

This backdoor uses standard client-server technology and includes two parts - client and server, both are Windows executable files (PE EXE). The backdoor server is installed on victim computers, and the client controls them from a remote station.
Installation
When the server is run on a victim computer, it installs itself into the system: it moves itself to the Windows system directory under the name KERNEL32.EXE and adds the following registry values:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] @="C:\WIN98\SYSTEM\KERNEL32.EXE"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices] @="C:\WIN98\SYSTEM\KERNEL32.EXE"
[HKEY_CLASSES_ROOT\txtfile\shell\open\command] @="C:\WIN98\SYSTEM\KERNEL32.EXE %1"
[HKEY_LOCAL_MACHINE\Software\CLASSES\txtfile\shell\open\command] @="C:\WIN98\SYSTEM\KERNEL32.EXE %1"
The name of the Windows system directory (here "C:\WIN98\SYSTEM") depends on the system configuration.
As a result of these registry entries, the server starts automatically at boot time (the first two keys) and also each time a TXT file is opened (the two txtfile keys). So the server runs from Windows start-up and is restarted if a user unloads its process from memory.
Moreover, the server checks its registry keys continuously (about every 10 seconds). If they are changed (the reference to the server file deleted), the server restores them to the "infected" state.
This makes removal of the backdoor server non-trivial: the KERNEL32.EXE file cannot be deleted or renamed while it is running (it is locked by the system), and the registry keys are guarded by the server, so the system cannot simply be rebooted with a "clean" registry. Note that the genuine KERNEL32 is a DLL; there is no legitimate KERNEL32.EXE in the system directory.
Under Win9x, to get rid of this backdoor, boot the computer in DOS mode, delete the KERNEL32.EXE file from the Windows system directory, and after booting Windows remove the references to this file from the registry. Under WinNT, kill the backdoor's process in memory, then delete the server EXE file and clear the registry keys.
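As an added example (not code from this page or from the backdoor itself), the following Python scans a registry export in REGEDIT4 text format for the persistence described above: autorun values under Run/RunServices that launch a binary masquerading as KERNEL32.EXE, and a txtfile open handler that no longer points at notepad.exe. The .reg text is constructed to mirror the entries listed on this page; the key paths are the real ones, but the detection rules, the helper names and the hypothetical benign values are this example's own.

```python
import re
from typing import Dict, List, Tuple

# Constructed REGEDIT4 export mirroring the entries the backdoor writes
# (plus two benign values so the rules have something to ignore).
REG_SAMPLE = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
@="C:\\WIN98\\SYSTEM\\KERNEL32.EXE"
"SystemTray"="SysTray.Exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
@="C:\\WIN98\\SYSTEM\\KERNEL32.EXE"

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="C:\\WIN98\\SYSTEM\\KERNEL32.EXE %1"

[HKEY_CLASSES_ROOT\batfile\shell\open\command]
@="\"%1\" %*"
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

# Autorun locations the backdoor uses (compared case-insensitively).
AUTORUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
}
# Document handlers the backdoor hijacks so that it is relaunched on every open,
# with the image that legitimately handles them.
HIJACKED_HANDLERS = {
    r"hkey_classes_root\txtfile\shell\open\command": "notepad.exe",
    r"hkey_local_machine\software\classes\txtfile\shell\open\command": "notepad.exe",
}
# The genuine KERNEL32 is a DLL, so an EXE of that name is a masquerade.
MASQUERADE_NAMES = {"kernel32.exe"}


def _unescape(s: str) -> str:
    # Undo .reg string escaping: a doubled backslash becomes one, \" becomes a quote.
    return re.sub(r'\\(["\\])', r"\1", s)


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a REGEDIT4-style export into {key path: {value name: data}}.
    Only string (REG_SZ) values are decoded; other types are kept raw."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("REGEDIT") or line.startswith("Windows Registry Editor"):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = "@" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
            data = m.group(2)
            if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                data = _unescape(data[1:-1])
            keys[current][name] = data
    return keys


def image_name(command: str) -> str:
    """Lower-cased basename of the executable a command line launches."""
    command = command.strip()
    if command.startswith('"'):
        first = command[1:].split('"', 1)[0]
    else:
        first = command.split(None, 1)[0] if command else ""
    return first.rsplit("\\", 1)[-1].lower()


def find_gdoor_indicators(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (key, value name, reason) for every value matching the backdoor's persistence."""
    hits = []
    for key, values in keys.items():
        key_l = key.lower()
        for name, data in values.items():
            image = image_name(data)
            if key_l in AUTORUN_KEYS and image in MASQUERADE_NAMES:
                hits.append((key, name, f"autorun of masquerading binary {image}"))
            expected = HIJACKED_HANDLERS.get(key_l)
            if expected is not None and image != expected:
                hits.append((key, name, f"document handler points at {image}, expected {expected}"))
    return hits


if __name__ == "__main__":
    for key, name, reason in find_gdoor_indicators(parse_reg_export(REG_SAMPLE)):
        print(f"[{key}] {name}: {reason}")
```

On a live system the same rules can be run against `regedit /e` output taken from a DOS boot (Win9x) or after the process has been killed (NT); because the server rewrites its keys every few seconds, an export taken while it is still running only shows the "infected" state and cannot be used to verify a clean-up.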
Server
The backdoor server listens on port 7626 for connections from the client component, polling it periodically. When a client is connected, the server executes the client's commands, giving it control over the victim computer: it manipulates the victim's file system (copies, moves, deletes and creates files, and so on).
Client
The client can scan a user-specified subnet for active servers. On connecting to a server, the client gains control over the victim computer's resources. The client GUI is in Chinese.

Backdoor.Hacdef.b

Description Backdoor.Hacdef.b

This Trojan is a member of the Backdoor family of Trojans. It runs only under Windows NT, Windows 2000 and XP.
The Trojan has two files: a main component and a helper library.
The files may appear under a range of names: however, the names most commonly used are:
Main component:
isplog.exe
isplogger.exe
Helper library:
isplogger.sys
hkrnlrdv.sys
hxdefdrv.sys
The main component file is 70144 bytes in size, and the helper library is 3328 bytes in size.
The program has a stealth (rootkit) function that hides processes, files on disk and registry values.
Installation
Installing the backdoor requires a configuration file (INI) that lists which files and processes are to be hidden and sets the password for remote access to the system.
The backdoor is installed with the command-line switch:
-:installonly
Once launched, the Trojan extracts the helper library from its own body and drops it into the same directory as the backdoor.
It registers itself as a service in the Windows registry, so it gains control each time the operating system starts.
It also creates entries under the key:
HKLM\System\CurrentControlSet\Services\SafeBoot
The backdoor service is registered under both the Minimal and Network subkeys, so it is loaded in Safe Mode as well.
The backdoor installs API hooks in every running process, replacing a large number of system APIs in order to mask its presence. The hooked functions include:
AddAccessAllowedAce
AllocateAndInitializeSid
CloseHandle
closesocket
CreateFileA
CreateMailslotA
CreatePipe
CreateProcessA
CreateProcessW
CreateThread
DisconnectNamedPipe
DuplicateHandle
EnumServicesStatusA
EnumServicesStatusW
ExitThread
FindClose
FindFirstFileExW
FindNextFileW
FlushInstructionCache
FreeLibrary
GetCurrentProcess
GetEnvironmentVariableW
GetLastError
GetLengthSid
GetMailslotInfo
GetModuleFileNameA
InitializeAcl
InitializeSecurityDescriptor
IsBadReadPtr
LoadLibraryA
LoadLibraryExW
NtQuerySystemInformation
PeekNamedPipe
ReadFile
recv
ResumeThread
send
SetLastError
SetSecurityDescriptorDacl
Sleep
TerminateProcess
TerminateThread
VirtualAlloc
VirtualFree
VirtualProtect
VirtualQuery
WaitForMultipleObjects
WriteFile
WSAEventSelect
WSAGetLastError
WSAIoctl
WSARecv
The backdoor does not open any port of its own when launched. Instead, its API hooks let it monitor all incoming traffic on ports already opened by other applications, looking for commands from the remote client. If the correct password is received, it opens the port specified by the Trojan's author/user to be used for remote access. In this way the backdoor evades firewall protection on the victim machine: its initial contact arrives on a port the firewall already permits, and no unexpected listening port is visible until after authentication.
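As an added illustration (not code from this page or from the Trojan), the following Python models the check a hook scanner performs against the user-mode API hooking described under Installation and used for the port-less command channel above: it compares the prologue bytes of each exported function as mapped in a process with the bytes from the on-disk image, decodes the two trampoline shapes an inline hook typically writes (JMP rel32 and PUSH imm32/RET), and flags any that divert execution outside the hooked module. The module base, the export RVAs, the rootkit DLL's load address and the hooked/unhooked byte strings are all constructed for the example.

```python
import struct
from typing import Dict, List, NamedTuple


class Module(NamedTuple):
    name: str
    base: int   # load address in the inspected process
    size: int   # size of the mapped image


class HookReport(NamedTuple):
    function: str
    kind: str             # "jmp-rel32", "push-ret" or "patched" (bytes differ, shape unknown)
    target: int           # resolved jump target, 0 when the shape is unknown
    outside_module: bool  # True when the target lies outside the hooked module


# Constructed values: a 32-bit XP-era kernel32 layout and invented export RVAs.
KERNEL32 = Module("kernel32.dll", base=0x7C800000, size=0xF6000)
EXPORTS = {
    "CreateFileA": 0x0001A2B4,
    "ReadFile": 0x00010A1C,
    "FindNextFileW": 0x0001C8F0,
    "Sleep": 0x00011B5D,
}
# mov edi,edi ; push ebp ; mov ebp,esp: the hot-patchable prologue of these APIs on XP
CLEAN_PROLOGUE = bytes.fromhex("8BFF558BEC")
# Prologue bytes as they appear in the on-disk image (assumed already relocated)
DISK = {name: CLEAN_PROLOGUE for name in EXPORTS}
HOOK_DLL_BASE = 0x10000000   # hypothetical load address of the rootkit's hook DLL


def jmp_rel32(from_addr: int, to_addr: int) -> bytes:
    """Encode E9 <rel32>: the trampoline an inline hook writes over the prologue."""
    rel = (to_addr - (from_addr + 5)) & 0xFFFFFFFF
    return b"\xE9" + struct.pack("<I", rel)


def push_ret(to_addr: int) -> bytes:
    """Encode 68 <imm32> C3: the other common trampoline shape."""
    return b"\x68" + struct.pack("<I", to_addr) + b"\xC3"


# In-memory prologues: two exports have been overwritten by trampolines.
MEMORY = dict(DISK)
MEMORY["CreateFileA"] = jmp_rel32(KERNEL32.base + EXPORTS["CreateFileA"], HOOK_DLL_BASE + 0x1337)
MEMORY["FindNextFileW"] = push_ret(HOOK_DLL_BASE + 0x2000)


def decode_trampoline(addr: int, code: bytes):
    """Classify the first bytes at addr; return (kind, absolute target)."""
    if len(code) >= 5 and code[0] == 0xE9:
        rel = struct.unpack_from("<i", code, 1)[0]          # signed displacement
        return "jmp-rel32", (addr + 5 + rel) & 0xFFFFFFFF   # relative to the next instruction
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:
        return "push-ret", struct.unpack_from("<I", code, 1)[0]
    return "patched", 0


def find_inline_hooks(module: Module, exports: Dict[str, int],
                      disk: Dict[str, bytes], memory: Dict[str, bytes]) -> List[HookReport]:
    """Compare each export's in-memory prologue against the on-disk copy and
    report every mismatch, resolving where a recognised trampoline leads."""
    reports: List[HookReport] = []
    for name, rva in exports.items():
        if memory[name] == disk[name]:
            continue                      # untouched prologue
        addr = module.base + rva
        kind, target = decode_trampoline(addr, memory[name])
        in_module = module.base <= target < module.base + module.size
        reports.append(HookReport(name, kind, target, kind != "patched" and not in_module))
    return reports


if __name__ == "__main__":
    for r in find_inline_hooks(KERNEL32, EXPORTS, DISK, MEMORY):
        print(f"{r.function:14s} {r.kind:9s} -> {r.target:#010x}  outside module: {r.outside_module}")
```

A real scanner reads the export table and the mapped pages from the target process, applies the image's relocations before comparing, and must tolerate Microsoft's own hot-patching of the `mov edi,edi` slot; a trampoline whose target resolves into an unnamed or unlinked memory region, rather than a known module, is the strong signal here.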
If you detect any of the Trojan components on your machine, you are strongly recommended to contact your antivirus manufacturer's technical support service.

    Copyright © 2005 Virus-Database.com