Summary of W32/Russkienet.A

| Field | Value |
|---|---|
| Length | 25.632 bytes |
| Discovered | 22 May 2003 |
| Definition files | 22 May 2003 |
| Risk Level | Low |
| Distribution | Low |
| Payload | Compromises system security by allowing unauthorized access to it |

Brief Description
W32/Russkienet.A is an IRC-related backdoor. Its main purpose is to provide unauthorized access to compromised systems from a remote location. The backdoor creates the following registry entry to ensure that it is run on each startup:
Key: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
Value: "Service"="path_to_backdoor\filename.exe" where filename is the original filename.
It attempts to connect to a remote IRC server under a random name and sits there listening for commands to carry out. Those commands include retrieval and execution of programs from a remote location, along with denial-of-service attack functions.
Technical Description
W32/Russkienet.A is a backdoor with a size of 25.632 bytes. Written in C++, its main purpose is to provide unauthorized access to compromised systems from a remote location. After the standard initialization routine, the backdoor creates the following registry entry to ensure that it is run on each startup:
Key: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
Value: "Service"="path_to_backdoor\filename.exe" where filename is the original filename.
The backdoor hides itself from the "Close Program" dialog on Microsoft Windows 9x systems by registering itself as a service process.
Russkienet.A is an IRC-controlled backdoor, with the vast majority of its functionality carried out by its IRC component. It generates random 9-character strings which it uses for the user name and for the other information needed when joining a remote IRC server. The server location varies between samples of this backdoor, but the majority appear to be located in Eastern European countries (Croatia and Russia, among others).
If the connection is made successfully, it registers the client as invisible on the IRC network and uses a feature to partially hide its IP address from /dns and /whois queries. The client then joins a pre-defined channel and sits there listening for remote commands.
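As an added illustration (not part of this advisory or FRISK's analysis), the following Python heuristic checks captured client-side IRC registration lines for the pattern described above: a nick, user name and real name that are all random-looking 9-character tokens, a +i (invisible) user mode, and a channel join. The session lines are constructed samples, and treating any 9-character alphanumeric token as "random-style" is an assumption of this example rather than a property stated by the advisory.

```python
import re

# Constructed sample in the shape the advisory describes: random 9-character
# identity strings, invisible mode set after registration, then a channel join.
SAMPLE_SESSION = """\
NICK xqzplmwvt
USER xqzplmwvt 8 * :xqzplmwvt
MODE xqzplmwvt +i
JOIN #examplechan
"""

# Constructed benign session for comparison: readable identity, no +i mode.
NORMAL_SESSION = """\
NICK alice
USER alice 0 * :Alice Example
JOIN #python
"""

# Assumed heuristic: a 9-character purely alphanumeric identity string.
RANDOM_TOKEN = re.compile(r"^[A-Za-z0-9]{9}$")


def parse_registration(session):
    """Extract nick, user name, real name, +i flag and joined channels from raw client lines."""
    info = {"nick": None, "user": None, "realname": None, "invisible": False, "channels": []}
    for line in session.splitlines():
        parts = line.strip().split(" ", 1)
        if len(parts) < 2:
            continue
        cmd, rest = parts[0].upper(), parts[1]
        if cmd == "NICK":
            info["nick"] = rest.strip()
        elif cmd == "USER":
            fields = rest.split(" ", 3)  # <user> <mode> <unused> :<realname>
            info["user"] = fields[0]
            if len(fields) == 4:
                info["realname"] = fields[3].lstrip(":")
        elif cmd == "MODE":
            # Any "+..." mode argument containing 'i' marks the client invisible.
            info["invisible"] |= any(m.startswith("+") and "i" in m for m in rest.split()[1:])
        elif cmd == "JOIN":
            info["channels"].extend(rest.split()[0].split(","))
    return info


def looks_like_russkienet_registration(session):
    """True when identity strings are random-style, +i is set and a channel is joined."""
    info = parse_registration(session)
    idents = [info["nick"], info["user"], info["realname"]]
    if not all(idents):
        return False
    random_style = all(RANDOM_TOKEN.match(x) for x in idents)
    return bool(random_style and info["invisible"] and info["channels"])
```

The heuristic is deliberately narrow and only illustrates the registration pattern; in practice it would be one signal alongside the Run-key entry and the outbound IRC connection itself.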
The IRC component includes command parsing for various commands, including downloading files from a remote location over HTTP connections and executing those programs on the local system. The backdoor has built-in denial-of-service attack functions, including:
- ICMP flooding
- SYN packet flood
- TCP PUSH-flag packet flood
- Various IRC-related attacks
Depending on the user's privileges on the system, some of those functions might not work.
Analysis / Description: Sindri Bjarnason, Virus analyst, FRISK Software International