Backdoor.Servu
Analysis
- The Trojan is installed onto a system such as a web server running IIS or SQL. The installation is intentional and manual, done by a hacker, most probably through a common exploit, or after the system has already been compromised by an existing remote access Trojan.
- The Trojan package includes two initial files and one application: the Trojan components are install.bat and distro.zip, and the application pkunzip.exe is included with them.
- Once a system has been compromised, the package is copied manually to the (Windows)\Fonts folder, and the batch file install.bat is run remotely in order to install the Trojan.
- The batch file install.bat uses pkunzip.exe, which was copied along with it, to unzip the package distro.zip; all files unpack into the current folder.
- When install.bat is run, it may display all of its instructions to the console and includes the following text messages:
-=Juaking Your Fucking NT/2k/XP=-
###DONE! ENJOY###
- The package includes a program named “mata.exe”, which may be the application “PSKill” from Sysinternals.com; mata is used to terminate running processes prior to the installation and initiation of the remote access Trojan component.
- All installed files have the hidden file attribute set.
- Finally, install.bat starts the server using “net start”.
- The package distro.zip contains several executables, including the main remote access component “tcpvcs32.exe”.
- The purpose of installing the Trojan is to operate a hidden FTP server for hackers to communicate and transfer files; the Trojan also attempts to allow access to drives C through I if they are mapped locally on the compromised system.
- The components of the distro.zip package are the following (date, time, size in bytes, name):
  12/26/02   0:20      930  button.gif
  12/26/02   0:15   28,035  crc.exe
   8/19/02  23:46   57,856  filter.dll
   8/19/02  23:46      105  filter.ini
   5/04/01  13:58  114,688  fp.exe
   5/24/02  16:48    8,192  HideRun.exe
   8/07/02  23:05   84,992  HOPlug.dll
   7/07/02  16:19      932  Leiste.txt
  11/03/02  15:57   77,824  mata.exe
  10/25/01   4:26   34,304  muestra.exe
   6/02/02  19:53      199  News.txt
  12/20/00  11:43   40,960  psd.exe
  10/02/02  22:51   61,440  pv.exe
  10/08/02  23:03  158,720  sendbot.exe
  12/25/02  23:28      326  sendbot.ini
   8/20/02   0:07    7,680  ServuEvent.dll
   8/19/02  23:48      120  ServuEvent.ini
  12/24/02   0:46      209  start.ini
   8/19/02  23:48   50,688  T-EXEC.DLL
  11/05/02  23:27      109  T-EXEC.INI
  11/07/02  11:27  548,352  tcpvcs32.exe
  10/08/02  23:03  183,808  vgadisp.exe
   4/20/02  18:46   18,432  wordpad.exe
- The Trojan may run as the process name “Service Cersrv Vhost”.
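The drop location and component names above give a responder a simple host triage check: the Fonts folder should contain font files, not batch files, DLLs, INI files or executables. The following script is an added example (not part of the original analysis) that scans a Fonts folder for the known package names and for any non-font file type, and on Windows also reports whether the hidden attribute is set, as the analysis says it will be. The sample folder it builds is constructed here so the check runs offline; the list of font extensions and the `stray.exe` file are assumptions for illustration.

```python
"""Triage check for the Backdoor.Servu drop location (added example).

Scans a Fonts folder for the package's known component names and for any
file type that does not belong in a Fonts folder. On Windows it also reports
the hidden attribute the installer sets. The sample directory is constructed
below so the script runs offline.
"""
import os
import stat
import sys
import tempfile
from dataclasses import dataclass

# Component names taken from the analysis above: the install package plus
# the contents of distro.zip. Matching is case-insensitive.
SERVU_COMPONENTS = {
    "install.bat", "distro.zip", "pkunzip.exe",
    "button.gif", "crc.exe", "filter.dll", "filter.ini", "fp.exe",
    "hiderun.exe", "hoplug.dll", "leiste.txt", "mata.exe", "muestra.exe",
    "news.txt", "psd.exe", "pv.exe", "sendbot.exe", "sendbot.ini",
    "servuevent.dll", "servuevent.ini", "start.ini", "t-exec.dll",
    "t-exec.ini", "tcpvcs32.exe", "vgadisp.exe", "wordpad.exe",
}

# File types that legitimately live in a Fonts folder (assumed list);
# anything else is worth a look even if the name is not in the table.
FONT_EXTENSIONS = {".ttf", ".ttc", ".otf", ".fon", ".fnt", ".pfb", ".pfm", ".dat"}


@dataclass
class Finding:
    name: str
    reason: str
    hidden: bool


def is_hidden(path):
    """Hidden attribute is a Windows concept; elsewhere we report False."""
    if sys.platform != "win32":
        return False
    attrs = os.stat(path).st_file_attributes
    return bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)


def scan_fonts_dir(fonts_dir):
    """Return findings for files that are known components or non-font types."""
    findings = []
    for name in sorted(os.listdir(fonts_dir)):
        path = os.path.join(fonts_dir, name)
        if not os.path.isfile(path):
            continue
        lower = name.lower()
        ext = os.path.splitext(lower)[1]
        if lower in SERVU_COMPONENTS:
            findings.append(Finding(name, "known Backdoor.Servu component", is_hidden(path)))
        elif ext not in FONT_EXTENSIONS:
            findings.append(Finding(name, f"non-font file type ({ext or 'no extension'})", is_hidden(path)))
    return findings


def build_sample_dir():
    """Constructed sample Fonts folder: two fonts, three package files, one
    unrelated executable (stray.exe is a made-up name for illustration)."""
    d = tempfile.mkdtemp(prefix="fonts_sample_")
    for name in ("arial.ttf", "cour.fon", "tcpvcs32.exe",
                 "install.bat", "ServuEvent.dll", "stray.exe"):
        with open(os.path.join(d, name), "wb") as f:
            f.write(b"\x00")
    return d


if __name__ == "__main__":
    # Replace build_sample_dir() with the real path, e.g. C:\Windows\Fonts, on a live host.
    sample = build_sample_dir()
    for finding in scan_fonts_dir(sample):
        flag = "  [hidden]" if finding.hidden else ""
        print(f"{finding.name:20} {finding.reason}{flag}")
```

The name match is the high-confidence signal; the extension check is deliberately broad so that a renamed component still surfaces. A full triage would pair this with a check of the service list from `net start` and the process list for the “Service Cersrv Vhost” name the analysis reports.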