| Summary of W32/Dnsx.A | |
|---|---|
| Length: | 57.344 bytes |
| Discovered: | 31 Mar 2003 |
| Definition files: | 1 Apr 2003 |
| Risk Level: | Low |
| Distribution: | Low |
| Payload: | Compromises the system security by allowing unauthorized access to the affected system. |
## Brief Description

The Dnsx.A is a backdoor. The uncompressed body has a constant size of 57.344 bytes. When run, the backdoor copies itself under a random name with an .exe extension to:

[system_directory]\System32\[random_name].exe

The backdoor creates the following registry key:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

with the following value:

"WinDSNX"="[path_of_system_directory]\System32\[random_filename].exe"

After this the backdoor stays in memory, attempting to resolve a DNS address and then attempting a connection to a remote server. This backdoor has all the standard components of an IRC-controlled backdoor and is also able to communicate through the HTTP protocol.
## Technical Description

The Dnsx.A is a Win32 executable written in Visual C++; it is uncompressed, with a constant size of 57.344 bytes. After the standard initialization routine, the file retrieves the current system directory and places an identical copy of itself there, under a filename that depends on the outcome of a semi-random function within the backdoor's body. The copy is identical to the original and carries an executable extension (.exe).

It then creates a registry key as follows:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

with the following value:

"WinDSNX"="[path_to_system_directory]\System32\[random_filename].exe"

After this routine the backdoor executes the copy it dropped in the Windows system directory, then exits, leaving the copy running as a process in memory. When the copy is executed, it initializes WinSock and creates a thread to handle the network activity, which among other things includes resolving the DNS name of a remote IRC server and attempting a connection to that server. Another thread is created to open a standard TCP socket listening on port 113, from which most of the traffic is generated.

Although similar to many other IRC-related backdoors, this backdoor has additional components. It is able to use pipes to redirect the ports it communicates through, as a possible means of bypassing packet-filtering firewalls. It is also able to communicate through the HTTP protocol.
Analysis / Description: Sindri Bjarnason - Virus analyst, FRISK Software International
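As an added example (not part of the FRISK analysis above), the following Python checks a .reg export of the Run key for the autostart pattern described in both sections: the WinDSNX value name, and any .exe sitting directly under System32 that is not in an assumed operator baseline of expected autostart binaries. The sample export and the file name qxkz.exe are constructed for the demonstration.

```python
import re

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
DNSX_VALUE_NAME = "WinDSNX"  # autostart value name the analysis reports

# Constructed sample of what a .reg export of the Run key could look like:
# one benign entry and one entry matching the description (a randomly
# named .exe dropped in System32). The name "qxkz.exe" is made up.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"WinDSNX"="C:\\WINDOWS\\System32\\qxkz.exe"
'''


def parse_reg_export(text):
    """Parse a minimal .reg export into {key_path: [(value_name, data), ...]}.
    Only REG_SZ values written as "name"="data" are handled; the .reg
    backslash escapes are undone so paths compare cleanly."""
    keys, current = {}, None
    unescape = lambda s: re.sub(r"\\(.)", r"\1", s)
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, [])
        elif current is not None:
            m = re.match(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$', line)
            if m:
                keys[current].append((unescape(m.group(1)), unescape(m.group(2))))
    return keys


def suspicious_run_entries(keys, expected_stems):
    """Flag Run-key values matching the backdoor's autostart pattern: the value
    name reported for Dnsx.A, or an .exe directly under System32 whose name is
    not in the operator's (assumed) baseline of expected autostart binaries."""
    findings = []
    for name, data in keys.get(RUN_KEY, []):
        reasons = []
        if name.lower() == DNSX_VALUE_NAME.lower():
            reasons.append("value name matches Dnsx.A autostart entry")
        m = re.search(r"\\system32\\([^\\]+)\.exe$", data, re.IGNORECASE)
        if m and m.group(1).lower() not in expected_stems:
            reasons.append("unbaselined executable in System32: " + m.group(1))
        if reasons:
            findings.append((name, data, reasons))
    return findings
```

On a live host the export would come from `reg export` of the Run key; the baseline set is whatever the operator knows to be legitimate autostart entries for that build.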