Backdoor.OptixPro.10.c

Discussion in 'malware problems & news' started by Randy_Bell, Jan 4, 2003.

Thread Status:
Not open for further replies.
  1. Randy_Bell

    Randy_Bell Registered Member

    Joined:
    May 24, 2002
    Posts:
    3,004
    Location:
    Santa Clara, CA
    Symantec Security Response - Backdoor.OptixPro.10.c

    The Backdoor.OptixPro.10.c Backdoor Trojan is a variant of Backdoor.OptixPro.10. It allows an attacker unauthorized access to an infected computer. By default, the Backdoor Trojan opens TCP port 3410 on the infected computer. This threat is written in the Borland Delphi programming language and is compressed with tElock.

    Type: Trojan Horse
    Infection Length: 407,552 bytes
    Systems Affected: Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me
    Systems Not Affected: Macintosh, OS/2, Unix, Linux

    technical details

    When Backdoor.OptixPro.10.c runs, it does the following:


      1. Displays this message:

      http://securityresponse.symantec.com/avcenter/graphics/backdoor.optixpro.10.c.1.gif

      2. Copies itself as C:\%System%\netupd.exe.

      NOTE: %System% is a variable. The Trojan locates the System folder and copies itself to that particular location. By default, this is C:\Windows\System (Windows 95/98/Millennium), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

      3. May add a value that refers to the Netupd.exe file in the registry keys:

      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

      so that the Trojan starts each time you start Windows.

      4. Creates the file %Windir%\Wmmiexe.exe, which the Symantec antivirus products detect as a Trojan Horse.

      NOTE: %Windir% is a variable. The Trojan locates the primary Windows installation folder (by default, this is C:\Windows or C:\Winnt) and uses it as a destination folder.

      5. In the registry key

      HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command

      the Trojan changes the (Default) value to

      wmmiexe.exe "%1" %*

      This causes the Trojan to run when you run an .exe file.

      6. If the operating system is Windows 95/98/Millennium, the Trojan may modify the System.ini and append itself to the shell=Explorer.exe line in the [boot] section, as follows:

      [boot]
      Shell=Explorer.exe C:\%system%\netupd.exe

      7. If the operating system is Windows 95/98/Millennium, it may append itself to the Run= line in the [windows] section of the Win.ini file:

      [windows]
      Run=C:\%system%\netupd.exe

      8. Attempts to disable some antivirus and firewall programs by ending their processes.

      9. Attempts to obtain access to the password cache on the local computer. The cached passwords include modem and dial-up passwords, URL passwords, share passwords, and so on. Backdoor.OptixPro.10.c inventories established RAS connection details to authenticate its access to the remote access server.

      10. Installs hook procedures into a hook chain to monitor the system for any keyboard and mouse messages. The keyboard and mouse hook procedures process the messages and pass the hook information to the next hook procedure in the current hook chain. This permits Backdoor.OptixPro.10.c to intercept keystrokes.

      11. Notifies the client side through email. After Backdoor.OptixPro.10.c is installed, it waits for commands from the remote client. The commands allow the hacker to perform any of the following actions:
      • Deliver system and network information to the hacker, including login names and cached network passwords.
      • Steal login details of AOL Instant Messenger.
      • Manage the installation of the Backdoor Trojan.
      • Download/Upload/Execute/Delete files, modify the attributes of files.
      • Remove folders, modify the attributes of folders.
      • Change the Internet Explorer start page to the hacker's choice.
      • Print text, play media files, open/close the CD-ROM drive, disable/enable keyboard or mouse, turn on/off monitor, beep, shut down the machine, and so on.
      • Use a known vulnerability in Windows 95/98/Millennium to cause the system to crash.

    removal instructions

    NOTE: These instructions are for all the current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.


      1. Reverse the changes that the Trojan made to the registry.
      2. Update the virus definitions.
      3. Do one of the following:

        Windows 95/98/Millennium: Restart the computer in the Safe mode.
        Windows NT/2000/XP: Stop the Trojan process.
      4. Run a full system scan and delete all the files detected as Backdoor.OptixPro.10.c or Trojan Horse.
      5. For Windows 95/98/Millennium only: Restore the shell= line in the System.ini file and restore the run= line in the Win.ini file.

    For details on how to do this, read the following instructions.

    Reversing the changes the Trojan made to the registry
    Because the Trojan modified the registry so that you cannot run the .exe files, first make a copy of the Registry Editor as a file with the .com extension, and then run that file.


    Making a copy of the Registry Editor

      1. Do one of the following, depending on which version of Windows you are running:

          Windows 95/98: Click Start, point to Programs, and click MS-DOS Prompt. A DOS window opens at the C:\Windows prompt. Proceed to step 2 of this section.
          Windows Me: Click Start, point to Programs, point to Accessories, and then click MS-DOS Prompt. A DOS window opens at the C:\Windows prompt. Proceed to step 2 of this section.
          Windows NT/2000:

            a. Click Start, then click Run.
            b. Type command, then press Enter.

            (A DOS window opens.)

            c. Type the following:

            cd \winnt

            Then press Enter.

            d. Go to step 2 of this section.

          Windows XP:

            a. Click Start, then click Run.
            b. Type command, then press Enter.

            (A DOS window opens.)

            c. Type the following:

            cd\
            cd \windows

            Then press Enter after typing each one.

            d. Proceed to step 2 of this section.

        2. Type the following:

        copy regedit.exe regedit.com

        Then press Enter.

        3. Type the following:

        start regedit.com

        Then press Enter.

        The Registry Editor opens in front of the DOS window. After you finish editing the registry, exit the Registry Editor, and then exit the DOS window.

      Editing the registry

      CAUTION: Symantec strongly recommends that you back up the registry before you make any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified keys only. Read the document, "How to make a backup of the Windows registry," for instructions.

        1. Navigate to and select the following key:

        HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command

        CAUTION: The HKEY_LOCAL_MACHINE\Software\Classes key contains many subkey entries that refer to other file extensions. One of these file extensions is .exe. Changing this extension can prevent any files ending with an .exe extension from running. Make sure that you browse all the way along this path until you reach the \command subkey.

        Modify the HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command subkey, shown in the following figure:

        http://securityresponse.symantec.com/avcenter/graphics/backdoor.optixpro.10.c.2.gif (NOTE: Modify this key.)

        2. In the right pane, double-click the (Default) value.
        3. Delete the current value data, then type: "%1" %* (That is, type the following characters: quote-percent-one-quote-space-percent-asterisk).

        NOTES:
        • On Windows 95/98/Millennium/NT, the Registry Editor automatically encloses the value within quotation marks. When you click OK, the (Default) value should look exactly like this:

          ""%1" %*"
        • On Windows 2000/XP, the additional quotation marks will not appear. When you click OK, the (Default) value should look exactly like this:

          "%1" %*
        • Make sure that you completely delete all the value data in the command key before you type the correct data. If you leave a space at the beginning of the entry, any attempt to run the program files will result in the error message, "Windows cannot find .exe." If this happens to you, start over at the beginning of this document and make sure that you completely remove the current value data.
        4. Navigate to each of the keys:

        HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
        HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices

        NOTE: Both keys may not be found on all the operating systems.

        5. For each of the keys in step 4, in the right pane, delete any value that refers to C:\%system%\netupd.exe.
        6. Exit the Registry Editor.

    Editing the System.ini and Win.ini files (Windows 95/98/Millennium only)

      1. Click Start, then click Run.
      2. Type the following:

      edit c:\windows\system.ini

      Then click OK.

      (The MS-DOS Editor opens.)

      NOTE: If Windows is installed in a different location, make the appropriate path substitution.

      3. In the [boot] section of the file, look for an entry similar to:

      shell=Explorer.exe <the Trojan file name>

      4. Delete all the text (on the shell=Explorer.exe line only) to the right of Explorer.exe. When you have finished, the line should read:

      shell=Explorer.exe

      5. Click File, click Exit, then click Yes when you are prompted to save the changes.
      6. Click Start, then click Run.
      7. Type the following:

      edit c:\windows\win.ini

      Then click OK.

      (The MS-DOS Editor opens.)

      NOTE: If Windows is installed in a different location, make the appropriate path substitution.

      8. In the [windows] section of the file, look for an entry that is similar to:

      run=<the Trojan file name>

      9. Delete all the text (on the run= line only) to the right of run= . When you have finished, the line should read: run=

      10. Click File, click Exit, then click Yes when you are prompted to save the changes.
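An added example, not part of the original thread or of Symantec's write-up: the checks a responder would run over text dumps taken from a suspect machine, using only the indicators the advisory above lists (netupd.exe and wmmiexe.exe, the exefile\shell\open\command hijack, the Run/RunServices values, the shell= and run= lines, and the default TCP 3410 listener, which the builder can change). It parses a regedit export, system.ini, win.ini and `netstat -an` output; every input below is a constructed sample, and the script never touches a live registry. It also encodes the ordering the removal steps depend on: because every .exe is launched through wmmiexe.exe, the exefile handler must be restored to "%1" %* before the dropped file is deleted, or no .exe (regedit.exe included) will start. Python is used so the logic runs anywhere; on a 9x/NT box itself the same edits are made in regedit and the MS-DOS editor as the post describes.

```python
"""Offline indicator check for the OptixPro.10.c persistence described above.
Added example (not Symantec's or the forum's code); all inputs are text dumps
and constructed samples, nothing here touches a live machine."""
import re

DROPPED_FILES = ("netupd.exe", "wmmiexe.exe")   # file names from the write-up
DEFAULT_PORT = 3410                             # default listener; the builder can change it
CLEAN_EXE_HANDLER = '"%1" %*'                   # correct exefile\shell\open\command data
EXEFILE_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command"
RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
)


def parse_reg_export(text):
    """Parse a regedit .reg export into {key.lower(): {value name: string data}}.
    Only string values ("name"="data" and @="data") are kept; that is all we need."""
    reg, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            reg.setdefault(current, {})
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            if not (data.startswith('"') and data.endswith('"')):
                continue                        # dword:/hex: values are not needed here
            name = "(Default)" if name == "@" else name.strip('"')
            # .reg files escape backslash and double quote inside string data
            reg[current][name] = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return reg


def exefile_hijack(reg):
    """Return the exefile handler if it differs from the clean '"%1" %*', else None."""
    handler = reg.get(EXEFILE_KEY.lower(), {}).get("(Default)", "")
    return None if handler == CLEAN_EXE_HANDLER else handler


def trojan_run_entries(reg):
    """(key, value name, data) for Run/RunServices values naming a dropped file."""
    hits = []
    for key in RUN_KEYS:
        for name, data in reg.get(key.lower(), {}).items():
            if any(f in data.lower() for f in DROPPED_FILES):
                hits.append((key, name, data))
    return hits


def clean_ini_line(text, section, key, keep):
    """Rewrite 'key=' inside [section] so only `keep` remains when a dropped file is
    named there (shell=Explorer.exe <trojan> -> shell=Explorer.exe; run=<trojan> -> run=).
    Returns (new_text, changed). Case-insensitive and tolerant of spaces around '='."""
    out, changed, in_section = [], False, False
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            in_section = s[1:-1].strip().lower() == section.lower()
        elif in_section:
            m = re.match(r"\s*(%s)\s*=(.*)$" % re.escape(key), line, re.I)
            if m and any(f in m.group(2).lower() for f in DROPPED_FILES):
                line, changed = "%s=%s" % (m.group(1), keep), True
        out.append(line)
    return "\n".join(out), changed


def listening_on(netstat_text, port=DEFAULT_PORT):
    """True if a `netstat -an` dump shows a TCP socket LISTENING on `port`."""
    pat = re.compile(r"^\s*TCP\s+\S+:%d\s+\S+\s+LISTENING\b" % port, re.I | re.M)
    return pat.search(netstat_text) is not None


def audit(reg_text, system_ini, win_ini, netstat_text, port=DEFAULT_PORT):
    """Run every check and return the findings plus the cleaned ini contents."""
    reg = parse_reg_export(reg_text)
    return {
        "exefile_handler": exefile_hijack(reg),        # fix this FIRST, then delete the file
        "run_entries": trojan_run_entries(reg),
        "system_ini": clean_ini_line(system_ini, "boot", "shell", "Explorer.exe"),
        "win_ini": clean_ini_line(win_ini, "windows", "run", ""),
        "listener": listening_on(netstat_text, port),
    }


# Constructed samples modelled on the advisory; not captured from a real infection.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
@="wmmiexe.exe \"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"netupd"="C:\\WINDOWS\\SYSTEM\\netupd.exe"
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
'''
SAMPLE_SYSTEM_INI = "[boot]\nshell=Explorer.exe C:\\WINDOWS\\SYSTEM\\netupd.exe\n[386Enh]\ndevice=*vshare\n"
SAMPLE_WIN_INI = "[windows]\nload=\nrun=C:\\WINDOWS\\SYSTEM\\netupd.exe\n[Desktop]\nWallpaper=(None)\n"
SAMPLE_NETSTAT = (
    "  Proto  Local Address    Foreign Address  State\n"
    "  TCP    0.0.0.0:3410     0.0.0.0:0        LISTENING\n"
    "  TCP    127.0.0.1:1025   0.0.0.0:0        LISTENING\n"
)

if __name__ == "__main__":
    for name, finding in audit(SAMPLE_REG, SAMPLE_SYSTEM_INI, SAMPLE_WIN_INI, SAMPLE_NETSTAT).items():
        print(name, "->", finding)
```

The .reg parser deliberately unescapes only `\\` and `\"`, which is what regedit emits for REG_SZ data; the ini cleaner only strips a line when one of the dropped file names is actually present, so a legitimate `run=` entry is left alone, and `listening_on` takes the port as a parameter because, as noted later in the thread, the builder lets the operator choose it.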
     
  2. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    It's a nasty one indeed. Guess which AV has covered it before your all-time favorite? :D

    regards,

    paul
     
  3. controler

    controler Guest

    Yes indeed, this is an OLD trojan maker. I think I still have that
    sample around here some place.
    As I said before, many AV makers don't believe the actual trojan-making file is important. They only think they should catch the created files.
    BTW, with this trojan maker you decide what port you want to use.
     
  4. Randy_Bell

    Randy_Bell Registered Member

    Joined:
    May 24, 2002
    Posts:
    3,004
    Location:
    Santa Clara, CA
    Hehe this 'variant' is packed with tELock: are you sure NOD32 is detecting it? :D
     
  5. Randy_Bell

    Randy_Bell Registered Member

    Joined:
    May 24, 2002
    Posts:
    3,004
    Location:
    Santa Clara, CA
    VSantivirus: Troj/Backdoor.OptixPro.10.c

    Troj/Backdoor.OptixPro.10.c. Remote access Trojan
    http://www.vsantivirus.com/back-optix10c.htm

    Name: Troj/Backdoor.OptixPro.10.c
    Type: Remote access Trojan horse
    Alias: Backdoor.OptixPro.10.c
    Date: 3 Jan 2003
    Size: 407,552 bytes
    Platform: 32-bit Windows
    Port: 3410

    This Trojan horse, written in Borland Delphi and compressed with the tElock utility, gives an attacker unauthorized access to the infected computer. By default, the Trojan opens TCP port 3410 to receive remote commands.

    The information the Trojan steals is captured by intercepting the victim's keystrokes, and it seriously compromises the victim's security and privacy.

    When the Trojan is run for the first time, it displays a message box with the following text:

    Error
    Invalid codec detected, possible corrupt mpg
    [ OK ]

    It then copies itself to the following location:
    C:\Windows\System\netupd.exe

    "C:\Windows\System" varies with the installed operating system (that name by default in Windows 9x/ME, "C:\WinNT\System32" in Windows NT/2000 and "C:\Windows\System32" in Windows XP).

    It adds a value referring to "C:\Windows\System\netupd.exe" to these branches of the Windows registry, so that it runs automatically every time the computer restarts:

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

    It creates the following file, which contains the Trojan's code:

    C:\Windows\Wmmiexe.exe

    The Trojan locates the default Windows installation folder (C:\Windows or C:\Winnt) and uses it as the destination folder for its downloads.

    It then changes the default association for EXE files, so that the virus is forced to run before any utility or program, antivirus included:

    HKLM\Software\CLASSES\exefile\shell\open\command
    (Default) = wmmiexe.exe "%1" %*

    If the operating system is Windows 95, 98 or Me, the Trojan modifies the SYSTEM.INI and WIN.INI files, adding the following:

    In System.ini:
    [boot]
    Shell=Explorer.exe C:\Windows\System\netupd.exe

    In Win.ini:
    [windows]
    Run=C:\Windows\System\netupd.exe

    The Trojan also tries to disable most of the known antivirus and firewall programs running in the infected computer's memory, by terminating their processes.

    It also tries to access the local computer's password cache. This cache holds passwords for dial-up Internet access, access to private sites, etc.

    It also installs hooks in a hook chain to monitor the system for any key press or mouse pointer movement.

    The Trojan reports its presence on the infected computer by e-mail. It then waits for commands from the client part, the program the attacker controls to obtain access and other facilities on the infected computer.

    The received commands allow an attacker to do any of the following:

    • Send information about the infected system, including passwords, user names, etc.
    • Steal access information for services such as AOL Instant Messenger.
    • Control the installation of the Trojan's own other features.
    • Download, upload, run, delete and modify files, and change their attributes.
    • Delete folders and modify their attributes.
    • Change the Internet Explorer start page.
    • Print text, play multimedia files, open or close the CD tray, enable or disable the keyboard and mouse, turn the monitor on and off, emit beeps, shut down the computer, etc.
    • Crash Windows using a known vulnerability that affects Windows 95, 98 and Me.

    To remove the Trojan from an infected system

    First, the file REGEDIT.EXE must be renamed REGEDIT.COM, since the EXE extension is associated with the Trojan, which would be loaded again if REGEDIT were run in the normal way.


      1. Run an updated antivirus and note down the Trojan files it detects.

      2. From Start, Run, type the following (you can cut and paste it) and press Enter:
      command /c rename C:\Windows\Regedit.exe Regedit.com
      If Windows is not installed in C:\WINDOWS, change this reference accordingly (e.g. C:\NOMBRE\REGEDIT.EXE, etc.).

      3. From Start, Run, type REGEDIT.COM and press Enter.

      4. In the left pane of the Windows Registry Editor, click the "+" signs until you have opened the following branch:
      HKEY_LOCAL_MACHINE
      SOFTWARE
      Classes
      exefile
      shell
      open
      command

      5. Click the "command" folder. In the right pane you should see something like:
      (Default) = wmmiexe.exe "%1" %*

      6. Click "(Default)" and, in Value data, delete the loader's name (wmmiexe.exe) and leave only this (quote, percent, one, quote, space, percent, asterisk):
      "%1" %*

      7. In the left pane of the Windows Registry Editor, click the "+" signs until you have opened the following branch:
      HKEY_LOCAL_MACHINE
      Software
      Microsoft
      Windows
      CurrentVersion
      RunServices

      8. Click the "RunServices" folder and, in the right pane, find and delete the following entry:
      C:\Windows\System\netupd.exe

      9. In the left pane of the Windows Registry Editor, click the "+" signs until you have opened the following branch:
      HKEY_LOCAL_MACHINE
      Software
      Microsoft
      Windows
      CurrentVersion
      Run

      10. Click the "Run" folder and, in the right pane, find and delete the following entry:
      C:\Windows\System\netupd.exe

      11. Use "Registry", "Exit" to leave the editor and confirm the changes.

    Editing the WIN.INI and SYSTEM.INI files

      1. From Start, Run, type WIN.INI and press Enter.

      2. Look for the following:
      [windows]
      Run=C:\Windows\System\netupd.exe
      It must be left as:
      [windows]
      Run=

      3. Save the changes and exit Notepad.

      4. From Start, Run, type SYSTEM.INI and press Enter.

      5. Look for the following:
      [boot]
      Shell=Explorer.exe C:\Windows\System\netupd.exe
      and leave it as:
      [boot]
      Shell=Explorer.exe

      6. Save the changes and exit Notepad.

      7. Restart the computer (Start, Shut Down, Restart).

    Additional information

    Showing true file extensions

    To be able to see the true extensions of files, and also to display files with the "Hidden" attribute, proceed as follows:

      1. Run Windows Explorer.

      2. Select the 'View' menu (Windows 95/98/NT) or the 'Tools' menu (Windows Me/2000/XP), and click 'Options' or 'Folder Options'.

      3. Select the 'View' tab.

      4. UNCHECK the option "Hide file extensions for known file types" or similar.

      5. In Windows 95/NT, CHECK the option "Show all files and hidden folders" or similar.

      In Windows 98, under 'Hidden files', CHECK 'Show all files'.

      In Windows Me/2000/XP, under 'Hidden files and folders', CHECK 'Show hidden files and folders' and UNCHECK 'Hide protected operating system files'.

      6. Click 'Apply' and 'OK'.

    Virus cleaning in Windows Me and XP

    If the installed operating system is Windows Me or Windows XP, in order to remove this virus from the computer correctly you must first disable the "System Restore" tool before taking any action, as described in these articles:

    Virus cleaning in Windows Me

    VSantivirus No. 499 - 19 Nov 2001
    http://www.vsantivirus.com/faq-winme.htm

    Virus cleaning in Windows XP

    VSantivirus No. 587 - 14 Feb 2002
    http://www.vsantivirus.com/faq-winxp.htm

    (translation by AltaVista's BabelFish)
     
  6. Technodrome

    Technodrome Security Expert

    Joined:
    Feb 13, 2002
    Posts:
    2,140
    Location:
    New York
    It doesn't matter if NOD32 is not equipped with this unpacking engine. They only need to add a tELock pattern variant to their database. In this case KAV already detects this Trojan (without adding anything)!



    Technodrome
     
  7. Randy_Bell

    Randy_Bell Registered Member

    Joined:
    May 24, 2002
    Posts:
    3,004
    Location:
    Santa Clara, CA
    Yes I agree, KAV has the superior unpacker; NAV and NOD are weak in this area, and need improvement; which is why I asked Paul the question: unless NOD has added this new signature, it probably doesn't detect this variant. ;) Peace my friend -- I will try to search the NOD site to see whether a new variant of OptixPro has been added recently. ;)
     