Symantec Security Response - Backdoor.Mapsy

Backdoor.Mapsy is a backdoor Trojan that gives an attacker unauthorized access to an infected computer. By default it opens and listens on port 6754. Backdoor.Mapsy is packed with UPX v1.21.

Also Known As: Backdoor.IRC.Mapsy [KAV], BackDoor-AMI [McAfee], BKDR_IRCMAPSY.A [Trend]
Type: Trojan Horse
Infection Length: 325,120 bytes
Systems Affected: Windows 95, Windows 98, Windows ME, Windows NT, Windows 2000, Windows XP
Systems Not Affected: Windows 3.x, Microsoft IIS, Macintosh, Unix, Linux

Technical Details

When Backdoor.Mapsy runs, it performs the following actions:

- It copies itself as SysMap.exe into the %system% folder.
- It drops a file named SysMap.dll (31,232 bytes) into the %system% folder. This file is detected by Symantec antivirus products as PWS.Hooker.Trojan.

NOTE: %system% is a variable. The Trojan locates the \Windows\System folder (by default, this is C:\Windows\System or C:\Winnt\System32) and uses it as a destination folder.

- It creates the value
  Microsoft® System Mapper = %system%\SysMap.exe
  in the registry key
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  so that the Trojan starts when you start Windows.
- If the operating system is Windows 95/98/Millennium, the Trojan registers itself as a service process so that it continues to run after the user logs off.
- The Trojan installs hook procedures into a hook chain to monitor the system for keyboard and mouse messages. This permits Backdoor.Mapsy to intercept keystrokes.
- The Trojan uses the ICQ pager to notify the client side.

After Backdoor.Mapsy is installed, it awaits commands from the remote client through IRC channels. The commands allow the hacker to perform the following actions:

- Enumerate processes and active windows
- Capture the contents of the screen as a JPEG image file
- Deliver other system information to the hacker
- Install an FTP server, which allows the hacker to use the infected computer as a temporary storage device
- Open or close the CD tray and perform other annoying actions
- Intercept confidential information by hooking keystrokes

Removal Instructions

NOTE: These instructions are for all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.

Do the following to remove the Backdoor.Mapsy Trojan:

1. Update the virus definitions.
2. Do one of the following:
   Windows 95/98/Millennium: Restart the computer in Safe mode.
   Windows NT/2000/XP: Stop the Trojan process.
3. Run a full system scan, and delete all files that are detected as Backdoor.Mapsy.
4. Reverse the changes that the Trojan made to the registry.

To reverse the changes that the Trojan made to the registry:

1. Click Start, and click Run. The Run dialog box appears.
2. Type regedit and then click OK. The Registry Editor opens.

   CAUTION: Symantec strongly recommends that you back up the registry before you make any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify only the keys that are specified. Read the document "How to make a backup of the Windows registry" for instructions.

3. Navigate to the following key:
   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
4. In the right pane, delete the following value:
   Microsoft® System Mapper = %system%\SysMap.exe
5. Exit the Registry Editor.
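As an added example (not Symantec's code and not part of the original write-up), the following Python script checks two of the host indicators listed above, the Run-key autostart value that points at SysMap.exe and a listener on port 6754, against text captured with `reg export` and `netstat -an`. The sample inputs are constructed, and the port is assumed to be TCP, which the write-up does not state.

```python
import re
# Indicators taken from the write-up above: autostart value, dropped files, listening port.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
MAPSY_VALUE_NAME = "Microsoft® System Mapper"
MAPSY_FILES = {"sysmap.exe", "sysmap.dll"}
MAPSY_PORT = 6754  # assumed TCP

def parse_reg_export(text):
    """Parse .reg text (read real exports with encoding='utf-16') into {key: {name: data}}; REG_SZ only."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None:
            m = re.match(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$', line)
            if m:  # undo .reg escaping of backslashes and quotes
                name, data = (s.replace("\\\\", "\\").replace('\\"', '"') for s in m.groups())
                keys[current][name] = data
    return keys

def find_mapsy_persistence(reg_text):
    """Return (value name, data) pairs in the Run key that look like Mapsy's autostart entry."""
    hits = []
    for name, data in parse_reg_export(reg_text).get(RUN_KEY, {}).items():
        exe = re.split(r"[\\/]", data.strip('"').split('"')[0])[-1].lower()  # file name only
        if name == MAPSY_VALUE_NAME or exe in MAPSY_FILES:
            hits.append((name, data))
    return hits

def find_mapsy_listener(netstat_text, port=MAPSY_PORT):
    """Return local TCP endpoints in `netstat -an` output bound to the backdoor port (a lead, not proof)."""
    hits = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0] == "TCP" and parts[3] == "LISTENING":
            if parts[1].rsplit(":", 1)[-1] == str(port):
                hits.append(parts[1])
    return hits

# Constructed sample input mimicking an infected Windows 98 host (not real captured data).
SAMPLE_REG = r"""[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"Microsoft® System Mapper"="C:\\WINDOWS\\SYSTEM\\SysMap.exe"
"""
SAMPLE_NETSTAT = """  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:6754           0.0.0.0:0              LISTENING
"""
```

A port hit alone is only a lead, since any program may bind 6754; the Run-key value and the two files in %system% are the stronger signals.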