Backdoor.Netdex

Name: Troj/Netdex-A
Aliases: Backdoor.Netdex
Type: Trojan
Date: 17 October 2002

A virus identity file (IDE) which provides protection is
available now from our website and will be incorporated into the
December 2002 (3.64) release of Sophos Anti-Virus.

At the time of writing Sophos has received no reports from users
affected by this Trojan. However, we have issued this advisory
following enquiries to our support department from customers.


Description
Troj/Netdex-A is a backdoor Trojan which allows unauthorised remote access to the computer. The Trojan is composed of several parts. When a user connects to an infected website the file BANNER.HTML may be run.

BANNER.HTML drops and executes two files on the the victim's computer, A.COM and ZSHELL.JS. ZSHELL.JS is dropped in the Cookies folder. When this file is run it drops a BAT file to execute and delete A.COM. The BAT file is then also deleted. Finally ZSHELL.JS runs NETD.EXE which is created in the Windows Temp folder when A.COM is run. All communication to the remote server goes through NETD.EXE, which downloads the file INSTALL.PHP from the remote server.

INSTALL.PHP creates the file REPOST.HTML and edits a registry entry to point to this file. It then runs NETD.EXE with a parameter to get SH.PHP.

SH.PHP is the main Trojan script and runs NETD.EXE with an option to retreive the set of commands that the Trojan should execute. SH.PHP is then copied over ZSHELL.JS (NETD.EXE uses two files for input and output: it reads I.JS for input to send to the server and it writes the received data to O.JS. The new O.JS is copied over the old ZSHELL.JS to enable remote updating). The time zone synchronisation registry entries are modified to point to ZSHELL.JS so that it is periodically run.



More information about Troj/Netdex-A can be found at
http://www.sophos.com/virusinfo/analyses/trojnetdexa.html