FRISK Software International


Summary of W32/Dnsx.A
Length: 57.344 bytes
Discovered: 31 Mar 2003
Definition files: 1 Apr 2003
Risk Level: Low
Distribution: Low
Payload: Compromises the system security by allowing unauthorized access to the affected system.

Brief Description
Dnsx.A is a backdoor. Its uncompressed body has a constant size of 57.344 bytes. When run, the backdoor copies itself under a random name with an .exe extension to the following location:

[system_directory]\System32\[random_name].exe

The backdoor creates the following registry key:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

with the following value:
"WinDSNX"="[path_of_system_directory]\System32\[random_filename].exe"


After this the backdoor stays resident in memory, attempts to resolve a DNS name and then attempts a connection to a remote server. This backdoor has all the standard components of an IRC-controlled backdoor and is additionally able to communicate through the HTTP protocol.


Technical Description
Dnsx.A is a Win32 executable written in Visual C++. It is uncompressed and has a constant size of 57.344 bytes. After the standard initialization routine, the file retrieves the current system directory and places an identical copy of itself there, under a filename that depends on the outcome of a semi-random function within the backdoor's body. The copy is identical and carries an executable extension (.exe). It then creates a registry key as follows:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
with the following value:
"WinDSNX"="[path_to_system_directory]\System32\[random_filename].exe"


After this routine the backdoor executes the copy it dropped in the Windows system directory. It then exits, leaving the copy running as a process in memory. When the copy is executed, it initializes WinSock and creates a thread to handle the network activity, which among other things includes resolving the DNS name of a remote IRC server and attempting a connection to that server.
Another thread is created which opens a standard TCP socket listening on port 113, from which most of the traffic is generated.
Although similar to many other IRC-related backdoors, this backdoor has additional components. It is able to use pipes to redirect the ports it communicates through as a possible means to bypass packet-filtering firewalls. It is also able to communicate through the HTTP protocol.
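The following is an added detection example, not part of the FRISK description: it turns the indicators above (the "WinDSNX" Run value, a random .exe of exactly 57.344 bytes in System32, and a TCP listener on port 113) into checks over a Run-key listing and netstat-style output. The Run-key contents, file sizes and netstat lines are constructed sample data standing in for values read from a live host.

```python
import re

# Indicators taken from the description above.
VALUE_NAME = "WinDSNX"     # name of the Run value the backdoor creates
BODY_SIZE = 57344          # constant uncompressed size of the dropped copy, in bytes
LISTEN_PORT = 113          # port the backdoor's second thread listens on

# <drive>:\<system directory>\System32\<any name>.exe; the dropped copy uses a random name.
SYSTEM32_EXE = re.compile(r"^[a-z]:\\[^\\]+\\system32\\[^\\]+\.exe$", re.IGNORECASE)


def check_run_entries(run_values, file_sizes):
    """run_values: {value_name: command} as read from HKLM\\...\\CurrentVersion\\Run.
    file_sizes: {lowercase_path: size_in_bytes}, a constructed stand-in for os.path.getsize.
    Returns (value_name, path, reason) for every entry matching the description."""
    findings = []
    for name, cmd in run_values.items():
        path = cmd.strip().strip('"')
        if name == VALUE_NAME:
            findings.append((name, path, "Run value name matches WinDSNX"))
        elif SYSTEM32_EXE.match(path) and file_sizes.get(path.lower()) == BODY_SIZE:
            # Catches a variant that kept the body but was registered under another name.
            findings.append((name, path, "random .exe in System32 with 57,344-byte body"))
    return findings


def check_listeners(netstat_lines):
    """Return the PIDs of TCP sockets in LISTENING state on port 113 (netstat -ano format)."""
    pids = []
    for line in netstat_lines:
        parts = line.split()
        if len(parts) >= 5 and parts[0] == "TCP" and parts[3] == "LISTENING":
            if parts[1].rsplit(":", 1)[1] == str(LISTEN_PORT):
                pids.append(parts[4])
    return pids


# Constructed sample data: one infected-looking entry beside a benign one.
SAMPLE_RUN = {
    "WinDSNX": r'"C:\WINDOWS\System32\qzxtr.exe"',
    "ctfmon.exe": r"C:\WINDOWS\System32\ctfmon.exe",
}
SAMPLE_SIZES = {r"c:\windows\system32\qzxtr.exe": 57344, r"c:\windows\system32\ctfmon.exe": 15360}
SAMPLE_NETSTAT = [
    "TCP    0.0.0.0:113            0.0.0.0:0              LISTENING       1044",
    "TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       888",
]

if __name__ == "__main__":
    for finding in check_run_entries(SAMPLE_RUN, SAMPLE_SIZES):
        print("suspicious Run entry:", finding)
    print("PIDs listening on port 113:", check_listeners(SAMPLE_NETSTAT))
```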


Analysis / Description: Sindri Bjarnason - Virus analyst FRISK Software International