Backdoor.Netdex

Discussion in 'malware problems & news' started by Paul Wilders, Oct 16, 2002.

Thread Status:
Not open for further replies.
  1. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,475
    Location:
    The Netherlands
    Netdex is a multi-component backdoor trojan program. It allows a remote hacker to take control of infected computers. To accomplish this, the backdoor code downloads special script files from the Web site http://wwx.two.com.ru, processes them and then sends the result back to that Web site...


    URL changed into wwx - Forum Admin
     
  2. FanJ

    FanJ Guest

    Name: Troj/Netdex-A
    Aliases: Backdoor.Netdex
    Type: Trojan
    Date: 17 October 2002

    A virus identity file (IDE) which provides protection is
    available now from our website and will be incorporated into the
    December 2002 (3.64) release of Sophos Anti-Virus.

    At the time of writing Sophos has received no reports from users
    affected by this Trojan. However, we have issued this advisory
    following enquiries to our support department from customers.


    Description
    Troj/Netdex-A is a backdoor Trojan which allows unauthorised remote access to the computer. The Trojan is composed of several parts. When a user connects to an infected website the file BANNER.HTML may be run.

    BANNER.HTML drops and executes two files on the victim's computer, A.COM and ZSHELL.JS. ZSHELL.JS is dropped in the Cookies folder. When this file is run it drops a BAT file to execute and delete A.COM. The BAT file is then also deleted. Finally ZSHELL.JS runs NETD.EXE which is created in the Windows Temp folder when A.COM is run. All communication to the remote server goes through NETD.EXE, which downloads the file INSTALL.PHP from the remote server.

    INSTALL.PHP creates the file REPOST.HTML and edits a registry entry to point to this file. It then runs NETD.EXE with a parameter to get SH.PHP.

    SH.PHP is the main Trojan script and runs NETD.EXE with an option to retrieve the set of commands that the Trojan should execute. SH.PHP is then copied over ZSHELL.JS (NETD.EXE uses two files for input and output: it reads I.JS for input to send to the server and it writes the received data to O.JS. The new O.JS is copied over the old ZSHELL.JS to enable remote updating). The time zone synchronisation registry entries are modified to point to ZSHELL.JS so that it is periodically run.



    More information about Troj/Netdex-A can be found at
    http://www.sophos.com/virusinfo/analyses/trojnetdexa.html
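A defender-side check for the artefacts the advisory above names (ZSHELL.JS in the Cookies folder, NETD.EXE and A.COM in the Windows Temp folder, REPOST.HTML, and a registry value that invokes ZSHELL.JS). This is an added example, not code from the forum post or from Sophos; it runs over a constructed file and registry inventory, and the registry key name in it is a placeholder because the advisory does not give the exact key.

```python
"""Match a host inventory against the Troj/Netdex-A artefacts in the advisory."""
from pathlib import PureWindowsPath

# File artefacts from the advisory: name -> parent folder it should sit in
# (None means the advisory gives no fixed folder for it).
NETDEX_FILES = {
    "ZSHELL.JS": "COOKIES",
    "NETD.EXE": "TEMP",
    "A.COM": "TEMP",
    "REPOST.HTML": None,
}


def file_findings(paths):
    """Return the paths whose file name and parent folder match an advisory artefact."""
    hits = []
    for raw in paths:
        p = PureWindowsPath(raw)
        name = p.name.upper()
        if name not in NETDEX_FILES:
            continue
        folder = NETDEX_FILES[name]
        # A matching name in an unrelated folder is not reported (cuts false positives).
        if folder is None or p.parent.name.upper() == folder:
            hits.append(str(p))
    return hits


def registry_findings(values):
    """Return registry value names whose data launches ZSHELL.JS (the persistence hook)."""
    return [key for key, data in values.items() if "ZSHELL.JS" in data.upper()]


# Constructed sample inventory (not real forensic data).
SAMPLE_FILES = [
    r"C:\WINDOWS\Cookies\zshell.js",
    r"C:\WINDOWS\Temp\netd.exe",
    r"C:\WINDOWS\Temp\a.com",
    r"C:\Program Files\Editor\zshell.js",  # wrong folder: benign name collision, not reported
    r"C:\WINDOWS\notepad.exe",
]
SAMPLE_REGISTRY = {
    # Placeholder key path: the advisory only says "time zone synchronisation" entries.
    r"HKCU\Software\PLACEHOLDER_TIMEZONE_KEY\Run": r"wscript.exe C:\WINDOWS\Cookies\zshell.js",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Shell": "explorer.exe",
}

if __name__ == "__main__":
    print("files:", file_findings(SAMPLE_FILES))
    print("registry:", registry_findings(SAMPLE_REGISTRY))
```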
     