BKDR_DAGGER.131

Malware type: Backdoor

Aliases: Backdoor.Win32.Dagger.131 (Kaspersky), BackDoor-MJ (McAfee), Backdoor.Trojan (Symantec), BDS/Dragg.131B.Srv (Avira), Troj/Dagger-131 (Sophos),

In the wild: No

Destructive: Yes

Language: English

Platform: Windows

Encrypted: No

Overall risk rating:

Description: 
This client program of a backdoor enables a hacker full access to and control over the system infected with the server program. It compromises network security.

For additional information about this threat, see:

Description created: Aug. 15, 2001 1:59:28 PM GMT -0800
Description updated: Mar. 26, 2002 6:05:08 AM GMT -0800


TECHNICAL DETAILS


Size of malware: Client=581,632 Bytes
Server=420,352 Bytes

Initial samples received on: Jun 3, 2001

Related toBKDR_DAGGER.140

Payload 1: (It compromises network security)

Trigger condition 1: Upon execution

Details:
This client program of a backdoor malware requires its user to enter the Internet Protocol (IP) address of the target computer, which is infected with the backdoor server program.

The hacker uses this client program, written in Delphi, to execute any or all of the folowing on the system infected with the server program:

  • Get System Information
  • Send pop up messages
  • Act as a mini file browser (this includes read and write access to the files of the server.)
  • Execute Files
  • Process Tool
  • Shutdown/Reboot/NetLogon the system
  • Enable/Disable Desktop
  • Enable/Disable Running Applications
  • Enable/Disable Closing Windows
  • Power off option for ATX systems
  • Turn On/Off Num/Caps/Scroll lock lamps
  • Set Mouse Location
  • Show/Hide Taskbar
  • Eject/Close CD Rom Drive
  • Turn Power Saving On/Off
  • Enable/Disable CTRL-ALT-DEL key combo
  • Get screen resolution
  • Determine the location of Windows directories

When the server component of this backdoor malware executes, it copies itself to a "VScan.EXE" file in the Windows System directory. It then creates a registry entry as follows so that it executes upon Windows startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
CurrentVersion\Run
"WinVirusScan" "C:\Windows\System\VScan.exe"

Thereafter, it stays resident in memory as a service process so that it is not seen in the Task Manager that pops up when the infected user presses the Ctrl-Alt-Delete keys.

The server component waits for commands to execute and sends data at port 1386.


SOLUTION


Minimum scan engine version needed: 5.200

Pattern file needed: 0.897.00

Pattern release date: Jun 6, 2001


Important note: The "Minimum scan engine" refers to the earliest Trend Micro scan engine version guaranteed to detect this threat. However, Trend Micro strongly recommends that you update to the latest version in order to get comprehensive protection. Download the latest scan engine here.

Solution:

  1. Click Start>Run, type REGEDIT.EXE then hit the ENTER key.
  2. In the left panel, double click the following:
    HKEY_LOCAL_MACHINE>Software>Microsoft>Windows
    >CurrentVersion>Run
  3. In the right panel, look for this registry value and then delete it:
    "WinVirusScan" "C:\Windows\System\VScan.exe"
  4. Close the Registry.
  5. Restart your system.
  6. Click Start>Run, type this:
    EXPLORER C:\WINDOWS\SYSTEM.
  7. Press the keys, Ctrl-F, then type VSCAN.EXE. Delete the file when found.
  8. Scan your system with Trend Micro antivirus and delete all files detected as BKDR_DAGGER.131. To do this Trend Micro customers must download the latest pattern file and scan their system. Other email users may use HouseCall, Trend Micro's free online virus scanner.



Trend Micro offers best-of-breed antivirus and content-security solutions for your corporate network, small and medium business, mobile device or home PC.