|
|
Backdoor.JavaUpdate Trojan Information
| Name: |
Backdoor.JavaUpdate |
| Category: |
Trojan |
| Advice: |
Remove |
| Risk: |
Severe Risk
Severe threats typically are remotely exploitable vulnerabilities, which can lead to system compromise. Successful exploitation does not normally require any interaction and exploits are in the wild. There exists a high possibility of potential system damage or security flaw. Attacker has complete control over your computer or install new software on your machine. |
| Description:
|
Backdoor.JavaUpdate is a backdoor program that allows a remote attacker to download and execute files on an infected machine.
When Backdoor.Jupdate is executed, it performs the following actions:
Copies itself as the following, with a random file name made up of four to eight lowercase characters:
%System%[random name].exe
%System%[random name].dat (text file)
Note: %System% is a variable that refers to the System folder. By default, this is C:WindowsSystem (Windows 95/98/Me), C:WinntSystem32 (Windows NT/2000), or C:WindowsSystem32 (Windows XP).
Adds the value:
"JavaUpdate0.07"="%system%[dropped filename]"
to the registry key:
HKEY_CURRENT_USERSOFTWAREMicrosoftWindowsCurrentVersionRun
so that the Trojan is executed every time Windows starts.
Attempts to terminate the following security-related processes:
ccapp.exe
smc.exe
zlclient.exe
ZONEALARM.EXE
WFINDV32.EXE
WEBSCANX.EXE
VSSTAT.EXE
VSHWIN32.EXE
VSECOMR.EXE
VSCAN40.EXE
VETTRAY.EXE
VET95.EXE
TDS2-NT.EXE
TDS2-98.EXE
TCA.EXE
TBSCAN.EXE
SWEEP95.EXE
SPHINX.EXE
SMC.EXE
SERV95.EXE
SCRSCAN.EXE
SCANPM.EXE
SCAN95.EXE
SCAN32.EXE
SAFEWEB.EXE
RESCUE.EXE
RAV7WIN.EXE
RAV7.EXE
PERSFW.EXE
PCFWALLICON.EXE
PCCWIN98.EXE
PAVW.EXE
PAVSCHED.EXE
PAVCL.EXE
PADMIN.EXE
OUTPOST.EXE
NVC95.EXE
NUPGRADE.EXE
NORMIST.EXE
NMAIN.EXE
NISUM.EXE
NAVWNT.EXE
NAVW32.EXE
NAVNT.EXE
NAVLU32.EXE
NAVAPW32.EXE
N32SCANW.EXE
MPFTRAY.EXE
MOOLIVE.EXE
LUALL.EXE
LOCKDOWN2000.EXE
JEDI.EXE
IOMON98.EXE
IFACE.EXE
ICSUPPNT.EXE
ICSUPP95.EXE
ICMON.EXE
ICLOADNT.EXE
ICLOAD95.EXE
IBMAVSP.EXE
IBMASN.EXE
IAMSERV.EXE
IAMAPP.EXE
FRW.EXE
FPROT.EXE
FP-WIN.EXE
FINDVIRU.EXE
F-STOPW.EXE
F-PROT95.EXE
F-PROT.EXE
F-AGNT95.EXE
ESPWATCH.EXE
ESAFE.EXE
ECENGINE.EXE
DVP95_0.EXE
DVP95.EXE
CLEANER3.EXE
CLEANER.EXE
CLAW95CF.EXE
CLAW95.EXE
CFINET32.EXE
CFINET.EXE
CFIAUDIT.EXE
CFIADMIN.EXE
BLACKICE.EXE
BLACKD.EXE
AVWUPD32.EXE
AVWIN95.EXE
AVSCHED32.EXE
AVPUPD.EXE
AVPTC32.EXE
AVPM.EXE
AVPDOS32.EXE
AVPCC.EXE
AVP.EXE
AVNT.EXE
AVKSERV.EXE
AVGCTRL.EXE
AVE32.EXE
AVCONSOL.EXE
AUTODOWN.EXE
APVXDWIN.EXE
ANTI-TROJAN.EXE
ACKWIN32.EXE
_AVPM.EXE
_AVPCC.EXE
AVP32.EXE
Listens on a random TCP port to wait for commands from a remote attacker. This will allow the attacker to download and run files on the infected machine.
|
| Signatures:
|
process: random.exe: MD5 Hash: e91e3e582cbbe0d709f.. |
| Type: |
Trojan - A Trojan software is any software on a user's computer that the user is not aware or intentionally installed. Most Trojan software is designed to perform some sort of actions that could jeopardize the user's security or privacy. |
Top Trojan Visited Pages:
Tro.Downloader.loadadv - 408 visits
Enable Regedit - 191 visits
Java.ClassLoader.Dummy.d - 182 visits
Trojan.BankerSpy - 176 visits
RBot.steam - 85 visits
Startup.NameShifter.Xgtray - 76 visits
Tro.Bagle.SP - 58 visits
Trojan.BHO.NameShifter.EZ - 54 visits
LRPatch Trojan - 54 visits
Tro.YourStartingPage - 53 visits
Random Trojan Pages:
QFat4 Trojan - Alias: Loader Rizzo, QZap104
Poetry
Trojan.Startup.NameShifter.CV
SpyBoter.isass32 - Alias: Backdoor:Win32/Spyboter.DR
VBS.Over
Avir Trojan
Sharecom - Alias: Disable.mp, Trojan.Sharecom
Trojan.Startup.NameShifter.BI
Sys.602.Batch
VB.AL
|
|
