FRISK Software International


Summary of W32/Russkienet.A
Length: 25.632 bytes
Discovered: 22 May 2003
Definition files: 22 May 2003
Risk Level: Low
Distribution: Low
Payload: Compromises system security by allowing unauthorized access to it
 

Brief Description
W32/Russkienet.A is an IRC-related backdoor. Its main purpose is to provide unauthorized remote access to compromised systems. The backdoor creates the following registry key to ensure that it is run on each startup:

Key: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

Value: "Service"="path_to_backdoor\filename.exe" where filename.exe is the backdoor's original file name.

It attempts to connect to a remote IRC server under a random name and sits there listening for commands to carry out. Those commands include retrieval and execution of programs from a remote location, along with denial-of-service attack functions.


Technical Description
W32/Russkienet.A is a backdoor with a size of 25.632 bytes. Written in C++, its main purpose is to provide unauthorized remote access to compromised systems. After the standard initialization routine, the backdoor creates the following registry key to ensure that it is run on each startup:

Key: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

Value: "Service"="path_to_backdoor\filename.exe" where filename.exe is the backdoor's original file name.
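The registry value above is the one host-side indicator the advisory gives, so a defender's first check is to enumerate the Run key and flag that value name. The script below is an added example, not code from the advisory or from FRISK; the key path and the value name "Service" come from the advisory, while the HKCU key, the missing-file check and the Authenticode check are generic triage heuristics added here. Run it from an elevated PowerShell on the host being examined.

```powershell
# Added example (not from the FRISK advisory): audit the Run key the advisory
# names for the persistence value it describes, "Service" = "<path>\<filename>.exe".
# Key path and value name come from the advisory; the other checks are generic
# defender heuristics, not a signature for this particular sample.

$SuspectValueName = 'Service'   # value name used by W32/Russkienet.A per the advisory
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',   # key named in the advisory
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'    # per-user equivalent, added here for completeness
)
# Properties that Get-ItemProperty adds to every result and that are not registry values
$ProviderProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Get-RunKeyEntries {
    param([string[]]$Paths = $RunKeys)
    foreach ($path in $Paths) {
        if (-not (Test-Path -Path $path)) { continue }
        $item = Get-ItemProperty -Path $path
        foreach ($prop in $item.PSObject.Properties) {
            if ($ProviderProps -contains $prop.Name) { continue }
            [pscustomobject]@{
                Key     = $path
                Name    = $prop.Name
                Command = [string]$prop.Value
            }
        }
    }
}

function Resolve-CommandPath {
    param([string]$Command)
    # A Run value is a command line: either "quoted path" args or path args.
    $cmd = $Command.Trim()
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 1) { return $cmd.Substring(1, $end - 1) }
    }
    return ($cmd -split '\s+')[0]
}

function Test-RunEntry {
    param([pscustomobject]$Entry)
    $exe   = Resolve-CommandPath $Entry.Command
    $flags = @()
    if ($Entry.Name -eq $SuspectValueName) {
        $flags += "value name '$SuspectValueName' matches the advisory"
    }
    if (-not (Test-Path -LiteralPath $exe)) {
        $flags += 'target file not found'
    } else {
        # Unsigned or invalidly signed binaries started from Run deserve a closer look
        $sig = Get-AuthenticodeSignature -LiteralPath $exe
        if ($sig.Status -ne 'Valid') { $flags += "binary not validly signed ($($sig.Status))" }
    }
    [pscustomobject]@{
        Key     = $Entry.Key
        Name    = $Entry.Name
        Path    = $exe
        Flagged = ($flags.Count -gt 0)
        Flags   = ($flags -join '; ')
    }
}

# Usage: list only the entries that tripped at least one heuristic
Get-RunKeyEntries | ForEach-Object { Test-RunEntry $_ } | Where-Object Flagged | Format-Table -AutoSize
```

The advisory does not say where the backdoor writes its file, so the script reports the resolved path rather than matching on a location. A "not validly signed" flag is noisy on hosts with older or in-house software; treat the output as a triage list and confirm a hit by hashing the file and checking it with a current scanner.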

The backdoor hides itself from the "Close Program" dialog on Microsoft Windows 9x systems by registering itself as a service process.
Russkienet.A is an IRC-controlled backdoor; the vast majority of its functions are carried out by its IRC component. It generates random 9-character strings, which it uses as the user name and for the other details needed to register with the remote IRC server. The server location varies between samples of this backdoor, but the majority appear to be in Eastern Europe (Croatia and Russia among them).

If the connection succeeds, it sets the client to invisible on the IRC network and uses a feature to partially hide its IP address from /dns and /whois queries. The client then joins a pre-defined channel and sits there listening for remote commands.
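The registration sequence just described (a random 9-character nick reused as the user name, the client marking itself invisible, then a channel join) is something a defender can look for in client-to-server IRC traffic exported from a proxy or IDS. The script below is an added example, not code from the advisory or from FRISK. The log line format, the source addresses, the nicks and the channel names are all constructed for illustration; the one assumption taken beyond the advisory is that "registers the client invisible" corresponds to IRC user mode +i.

```powershell
# Added example (not from the FRISK advisory): score IRC client sessions against
# the registration pattern described in the advisory. Sample lines are constructed;
# the "<src-ip>:<port> > <IRC command> [params]" layout is an assumed export format.

$SampleLines = @(
    '10.0.0.5:1047 > NICK qzv7ak1pm',
    '10.0.0.5:1047 > USER qzv7ak1pm 8 * :qzv7ak1pm',
    '10.0.0.5:1047 > MODE qzv7ak1pm +i',
    '10.0.0.5:1047 > JOIN #channel-placeholder',
    '10.0.0.9:3210 > NICK alice_work',
    '10.0.0.9:3210 > USER alice 0 * :Alice Example',
    '10.0.0.9:3210 > JOIN #team'
)

function ConvertFrom-IrcClientLine {
    param([string]$Line)
    # Parse one constructed log line into source, IRC command and parameter string
    if ($Line -match '^(?<src>\S+) > (?<cmd>[A-Za-z]+)\s*(?<params>.*)$') {
        [pscustomobject]@{
            Source  = $Matches.src
            Command = $Matches.cmd.ToUpperInvariant()
            Params  = $Matches.params.Trim()
        }
    }
}

function Test-IrcBotRegistration {
    param([string[]]$Lines)
    $sessions = @{}
    foreach ($line in $Lines) {
        $msg = ConvertFrom-IrcClientLine $line
        if (-not $msg) { continue }
        if (-not $sessions.ContainsKey($msg.Source)) {
            $sessions[$msg.Source] = [ordered]@{ Nick = $null; User = $null; Invisible = $false; Joined = $null }
        }
        $s = $sessions[$msg.Source]
        switch ($msg.Command) {
            'NICK' { $s.Nick = $msg.Params }
            'USER' { $s.User = ($msg.Params -split '\s+')[0] }
            'MODE' { if ($msg.Params -match '\+\S*i') { $s.Invisible = $true } }   # assumed: +i = invisible
            'JOIN' { $s.Joined = ($msg.Params -split '\s+')[0] }
        }
    }
    foreach ($src in $sessions.Keys) {
        $s = $sessions[$src]
        $reasons = @()
        # Indicators taken from the advisory: random 9-char name, reused as user name, client set invisible
        if ($s.Nick -and $s.Nick -match '^[a-z0-9]{9}$') { $reasons += '9-char alphanumeric nick' }
        if ($s.Nick -and $s.User -eq $s.Nick)            { $reasons += 'user name equals nick' }
        if ($s.Invisible)                                { $reasons += 'set user mode +i' }
        [pscustomobject]@{
            Source  = $src
            Nick    = $s.Nick
            Joined  = $s.Joined
            Score   = $reasons.Count
            Reasons = ($reasons -join '; ')
        }
    }
}

# Usage: the constructed bot-like session scores 3, the ordinary user session scores 0
Test-IrcBotRegistration $SampleLines | Sort-Object Score -Descending | Format-Table -AutoSize
```

None of the three indicators is conclusive on its own (plenty of legitimate clients set +i), which is why they are combined into a score per session rather than alerting on any single line; a session that scores 3 and then joins a channel is worth correlating with the host-side Run key check.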

The IRC component includes parsing for various commands. These include downloading files from a remote location over HTTP and executing those programs on the local system. The backdoor also has built-in denial-of-service attack functions, including:
  • ICMP flooding
  • SYN packet flood
  • TCP PUSH-flag packet flood
  • Various IRC related attacks
Depending on the user's privileges on the system, some of those functions might not work.


Analysis / Description: Sindri Bjarnason - Virus analyst FRISK Software International
 

