Symantec Security Response - Backdoor.OptixPro.10.c The Backdoor.OptixPro.10.c Backdoor Trojan is a variant of Backdoor.OptixPro.10. It allows an attacker unauthorized access to an infected computer. By default, the Backdoor Trojan opens TCP port 3,410 on the infected computer. This threat is written in the Borland Delphi programming language and is compressed with tElock. Type: Trojan Horse Infection Length: 407,552 bytes Systems Affected: Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me Systems Not Affected: Macintosh, OS/2, Unix, Linux technical details When Backdoor.OptixPro.10.c runs, it does the following: 1. Displays this message: http://securityresponse.symantec.com/avcenter/graphics/backdoor.optixpro.10.c.1.gif 2. Copies itself as C:\%System%\netupd.exe. NOTE: %System% is a variable. The Trojan locates the System folder and copies itself to that particular location. By default, this is C:\Windows\System (Windows 95/98/Millenium), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP). 3. May add a value that refers to the Netupd.exe file in the registry keys: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\ CurrentVersion\RunServices so that the Trojan starts each time you start Windows. 4. Creates the file %Windir%\Wmmiexe.exe, which the Symantec antivirus products detect as a Trojan Horse. NOTE: %Windir% is a variable. The Trojan locates the primary Windows installation folder (by default, this is C:\Windows or C:\Winnt) and uses it as a destination folder. 5. In the registry key HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command the Trojan changes the (Default) value to wmmiexe.exe "%1" %* This causes the Trojan to run when you run an .exe file. 6. If the operating system is Windows 95/98/Millenium, the Trojan may modify the System.ini and append itself to the shell=Explorer.exe line in the [boot] section, as the following: [boot] Shell=Explorer.exe C:\%system%\netupd.exe 7. If the operating system is Windows 95/98/Millenium, it may append itself to the Run= line in the [windows] section of the Win.ini file: [windows] Run=C:\%system%\netupd.exe 8. Attempts to disable some antivirus and firewall programs by ending their processes. 9. Attempts to obtain access to the password cache on the local computer. The cached passwords include modem and dial-up passwords, URL passwords, share passwords, and so on. Backdoor.OptixPro.10.c inventories established RAS connection details to authenticate its access to the remote access server. 10. Installs hook procedures into a hook chain to monitor the system for any keyboard and mouse messages. The keyboard and mouse hook procedures process the messages and pass the hook information to the next hook procedure in the current hook chain. This permits Backdoor.OptixPro.10.c to intercept keystrokes. 11. Notifies the client side through email. After Backdoor.OptixPro.10.c is installed, it waits for commands from the remote client. The commands allow the hacker to perform any of the following actions: Deliver system and network information to the hacker, including login names and cached network passwords. Steal login details of AOL Instant Messenger. Manage the installation of the Backdoor Trojan. Download/Upload/Execute/Delete files, modify the attributes of files. Remove folders, modify the attributes of folders. Change the Internet Explorer start page to the hacker's choice. Print text, play media files, open/close the CD-ROM drive, disable/enable keyboard or mouse, turn on/off monitor, beep, shut down the machine, and so on. Use a known vulnerability in Windows 95/98/Millenium to cause the system to crash. removal instructions NOTE: These instructions are for all the current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines. 1. Reverse the changes that the Trojan made to the registry. 2. Update the virus definitions. 3. Do one of the following: Windows 95/98/Millenium: Restart the computer in the Safe mode. Windows NT/2000/XP: Stop the Trojan process. 4. Run a full system scan and delete all the files detected as Backdoor.OptixPro.10.c or Trojan Horse. 5. For Windows 95/98/Millenium only: Restore the shell= line in the System.ini file and restore the run= line in the Win.ini file. For details on how to do this, read the following instructions. Reversing the changes the Trojan made to the registry Because the Trojan modified the registry so that you cannot run the .exe files, first make a copy of the Registry Editor as a file with the .com extension, and then run that file. Making a copy of the Registry Editor 1. Do one of the following, depending on which version of Windows you are running: Windows 95/98: Click Start, point to Programs, and click MS-DOS Prompt. A DOS window opens at the C:\Windows prompt. Proceed to step 2 of this section. Windows Me: Click Start, point to Programs, point to Accessories, and then click MS-DOS Prompt. A DOS window opens at the C:\Windows prompt. Proceed to step 2 of this section. Windows NT/2000: a. Click Start, then click Run. b. Type command, then press Enter. (A DOS window opens.) c. Type the following: cd \winnt Then press Enter. d. Go to step 2 of this section. Windows XP: a. Click Start, then click Run. b. Type command, then press Enter. (A DOS window opens.) c. Type the following: cd\ cd \windows Then press Enter after typing each one. d. Proceed to step 2 of this section. 2. Type the following: copy regedit.exe regedit.com Then press Enter. 3. Type the following: start regedit.com Then press Enter. The Registry Editor opens in front of the DOS window. After you finish editing the registry, exit the Registry Editor, and then exit the DOS window. Editing the registry CAUTION: Symantec strongly recommends that you back up the registry before you make any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified keys only. Read the document, "How to make a backup of the Windows registry," for instructions. 1. Navigate to and select the following key: HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command CAUTION: The HKEY_LOCAL_MACHINE\Software\Classes key contains many subkey entries that refer to other file extensions. One of these file extensions is .exe. Changing this extension can prevent any files ending with an .exe extension from running. Make sure that you browse all the way along this path until you reach the \command subkey. Modify the HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command subkey, shown in the following figure: http://securityresponse.symantec.com/avcenter/graphics/backdoor.optixpro.10.c.2.gif<<=== NOTE: Modify this key. 2. In the right pane, double-click the (Default) value. 3. Delete the current value data, then type: "%1" %* (That is, type the following characters: quote-percent-one-quote-space-percent-asterisk). NOTES: On Windows 95/98/Millenium/NT, the Registry Editor automatically encloses the value within quotation marks. When you click OK, the (Default) value should look exactly like this: ""%1" %*" On Windows 2000/XP, the additional quotation marks will not appear. When you click OK, the (Default) value should look exactly like this: "%1" %* Make sure that you completely delete all the value data in the command key before you type the correct data. If you leave a space at the beginning of the entry, any attempt to run the program files will result in the error message, "Windows cannot find .exe." If this happens to you, start over at the beginning of this document and make sure that you completely remove the current value data. 4. Navigate to each of the keys: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\ CurrentVersion\RunServices NOTE: Both keys may not be found on all the operating systems. 5. For each of the keys in step 4, in the right pane, delete any value that refers to C:\%system%\netupd.exe. 6. Exit the Registry Editor. Editing the System.ini and Win.ini files (Windows 95/98/Millenium only) 1. Click Start, then click Run. 2. Type the following: edit c:\windows\system.ini Then click OK. (The MS-DOS Editor opens.) NOTE: If Windows is installed in a different location, make the appropriate path substitution. 3. In the [boot] section of the file, look for an entry similar to: shell=Explorer.exe <the Trojan file name> 4. Delete all the text (on the shell=Explorer.exe line only) to the right of Explorer.exe. When you have finished, the line should read: shell=Explorer.exe 5. Click File, click Exit, then click Yes when you are prompted to save the changes. 6. Click Start, then click Run. 7. Type the following: edit c:\windows\win.ini Then click OK. (The MS-DOS Editor opens.) NOTE: If Windows is installed in a different location, make the appropriate path substitution. 8. In the [windows] section of the file, look for an entry that is similar to: run=<the Trojan file name> 9. Delete all the text (on the run= line only) to the right of run= . When you have finished, the line should read: run= 10. Click File, click Exit, then click Yes when you are prompted to save the changes.