Backdoor.Assasin.C

Symantec Security Response - Backdoor.Assasin.C

Backdoor.Assasin.C is a Backdoor Trojan that gives an attacker unauthorized access to a compromised computer. By default it opens port 6,595 on the infected computer. Backdoor.Assasin.C is packed using UPX v1.20.

Also Known As: Backdoor.Assasin.11 [KAV], Backdoor-AGS [McAfee]
Type: Trojan Horse
Infection Length: 92,160 bytes
Systems Affected: Windows 95, Windows 98, Windows ME, Windows NT, Windows 2000, Windows XP
Systems Not Affected: Windows 3.x, Microsoft IIS, Macintosh, Unix, Linux

technical details

Backdoor.Assasin.C is a variant of Backdoor.Assasin. When Backdoor.Assasin.C runs, it performs the following actions:

It displays this message:

Invalid Jpeg Image

It copies itself as %windir%\Ms Spool32.

NOTE: %windir% is a variable. The Trojan locates the Windows main installation folder (by default this is C:\Windows or C:\Winnt) and copies itself to that location.

It then creates the %windir%\Ms spool32.dat file. This file contains the file names of executable files that processes the Trojan attempts to terminate.

The Trojan creates the value

Ms Spool32 %windir%\ms spool32.exe

in the registry key

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

so that the Trojan starts when you start or restart Windows.

Also, it creates the following registry keys:

• HKEY_LOCAL_MACHINE\SOFTWARE\AUFOBK
• HKEY_LOCAL_MACHINE\SOFTWARE\AUFOBK\eu%t{efn74+fzb

It attempts to disable some antivirus and firewall programs by terminating the active processes.

The Trojan notifies the client side using ICQ pager and/or email.

Once installed, Backdoor.Assasin.C waits for commands from the remote client. The commands allow the hacker to perform any of the following actions:

• Deliver system and network information to the hacker
• Manage the installation of the backdoor Trojan
• Upload and execute files

removal instructions

NOTE: These instructions are for all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.

• 
  1. Update the virus definitions.
  2. Do one of the following:
  • Windows 95/98/Millenium: Restart the computer in Safe mode.
  • Windows NT/2000/XP: End the Trojan process.
  3. Run a full system scan, and delete all files that are detected as Backdoor.Assasin.C.
  4. Reverse the changes that the Trojan made to the registry.

To reverse the changes that the Trojan made to the registry:

CAUTION: Symantec strongly recommends that you back up the registry before you make any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify only the keys that are specified. Read the document How to make a backup of the Windows registry for instructions.

• 
  1. Click Start, and click Run. The Run dialog box appears.
  2. Type regedit and then click OK. The Registry Editor opens.
  3. Navigate to the key
  
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  
  4. In the right pane, delete the value
  
  Ms Spool32 %windir%\ms spool32.exe
  
  5. Navigate to and delete these keys:
  
  HKEY_LOCAL_MACHINE\SOFTWARE\AUFOBK
  HKEY_LOCAL_MACHINE\SOFTWARE\AUFOBK\eu%t{efn74+fzb
  
  6. Exit the Registry Editor.

NOTE: You may need to reinstall your antivirus and/or firewall software.

 

Wonder if I don't have the keys AUFOBK? And I can't seem to get rid of the exe. Is there any other way to do so?

 

Download, install, update and start TDS-3

http://tds.diamondcs.com.au/html/download.htm

Once you have installed, download the latest database from the bottom of that page, and then start it up - if not detected on disk, memory space scanning should detect the trojan and you can just right click, delete.

Email me if you have any problems or questions - gavin@diamondcs.com.au