Other Name: .w

Behavior: Backdoor

Technical

This Trojan provides a remote malicious user with access to the victim machine. It is a PHP script. It is 149170 bytes in size.

Installation



Process





The backdoor is able to conduct the following actions on the remote server:

   1. provide full access to files on the hard disk
   2. calculate a range of hashes for strings
   3. launch the command interpreter and bind its standard input/ output to a specific TCP port
   4. bind the standard input/ output of the command interpreter to data from the IRC server (datapipe)
   5. View the list of processes launched on the server
   6. execute random PHP code
   7. download/ upload files from/to the server
   8. search the server's hard disk for files with specific content
   9. manage mysql databases (view/ create/ edit databases/ tables)
  10. run shell commands
  11. scan FTP server accounts for weak passwords (e.g. where the account name and password co-incide)
  12. delete the copy of itself from the server hard disk on command
  13. create a user account without password
  14. view active users in the system
  15. delete records of its own activity from Apache server logs

Patches


   1. Delete the original backdoor file (the location will depend on how the program originally penetrated the victim machine).
   2. Update your antivirus databases and perform a full scan of the computer.





____________________
The more you lose yourself in something bigger than yourself, the more energy you will have!!