BKDR_NETDEVIL.12

Malware type: Backdoor

Aliases: Backdoor.Win32.NetDevil.12 (Kaspersky), BackDoor-RP.svr (McAfee), Backdoor.NetDevil (Symantec), BDS/Netdevil.14.Srv (Avira), Troj/Bdoor-RP (Sophos), Backdoor:Win32/Netdevil (Microsoft)

In the wild: No

Destructive: No

Platform: Windows 9x/ME

Encrypted: No

Overall risk rating:

Description: 
This backdoor program utilizes a server and client component to control a target machine. It compromises network security by enabling remote access.

This backdoor malware has the following features:

  • log keystrokes made on the target system
  • steal passwords
  • edit the registry
  • issue destructive batch scripts

Description created: Aug. 13, 2002 3:51:31 AM GMT -0800
Description updated: Aug. 13, 2002 5:52:45 AM GMT -0800


TECHNICAL DETAILS


Size of malware: Server - 238,594 Bytes
                 Client - 1,079,296 Bytes

Initial samples received on: Apr 24, 2002

Payload 1: Log keystrokes

Trigger condition 1: Upon execution

Details:

Server Component

Upon execution, the server component installs itself on the target system by creating a copy of itself as ADVAPI.EXE in the Windows System directory.

It then creates this registry entry to enable the automatic execution of its copy at every Windows startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
advapi = %System%\ADVAPI.EXE

*%System% is the Windows system directory, which is usually C:\Windows\System or C:\Windows\System32.

Once installed on the target machine, the server component makes the client's connection possible by reporting its location, that is, the IP address of the target system.

By default, it opens and listens on port 901, which serves as the backdoor channel. Once a client connects, the server waits for the client component to issue commands.

Client Component

Upon execution, the client component displays its GUI (Graphical User Interface). This GUI contains the following information:
  • IP address of the target system
  • port number
  • main features of the backdoor (e.g., screen capture, keylogger, etc.)

It can then perform the following actions on the target system:

  • log keystrokes
  • steal passwords
  • retrieve address book
  • manage files
  • control window/process
  • spy using webcam
  • issue batch scripts
  • harass the user by sending messages and toggling Windows settings and configuration (e.g., mouse buttons, task bar, opening the CD-ROM drive)
  • edit system files (e.g., AUTOEXEC.BAT, CONFIG.SYS, WIN.INI, SYSTEM.INI, etc.)
  • run any executable file on target machine

The backdoor also creates its own directory named DOWNLOAD, which stores all files and information downloaded from the server, such as key logs and password files.

It can also edit the target system's registry and create batch or script files. A malicious user can create or edit any batch file containing destructive commands or instructions, save it on the target system, or execute it right away.

For example, the configuration file AUTOEXEC.BAT may be modified by adding a single line. This could be a destructive instruction, such as formatting the hard disk before the machine starts.

Another dangerous feature of this malware is its ability to browse and execute any application on the target machine.

A malicious user may also configure the server component using this backdoor program's server editor, which offers the following settings:

  • startup entries
  • CGI notification
  • ICQ notification
  • email notification
  • fake error message

It uses this startup registry entry to enable its automatic execution when the system restarts:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
advapi = %System%\ADVAPI.EXE

%System% refers to the System folder, which is usually C:\Windows\System or C:\Windows\System32.


SOLUTION


Minimum scan engine version needed: 5.200

Pattern file needed: 1.270.00

Pattern release date: Apr 24, 2002


Important note: The "Minimum scan engine" refers to the earliest Trend Micro scan engine version guaranteed to detect this threat. However, Trend Micro strongly recommends that you update to the latest version in order to get comprehensive protection. The latest scan engine is available for download from Trend Micro.

Solution:
Terminating the Malware Program

This procedure terminates the running malware process from memory.

  1. Open Windows Task Manager.
    On Windows 9x/ME systems, press CTRL+ALT+DELETE.
    On Windows NT/2000/XP systems, press CTRL+SHIFT+ESC, then click the Processes tab.
  2. In the list of running programs, locate the program:
    ADVAPI or ADVAPI.EXE
  3. Select the program, then press either the End Task or the End Process button, depending on your version of Windows.
  4. To verify that the malware process has been terminated, close Task Manager and then open it again.
  5. Close Task Manager.

*NOTE: On systems running Windows 9x/ME, Windows Task Manager may not show certain processes. You may use a third party process viewer to terminate the malware process. Otherwise, continue with the next procedure, noting additional instructions.

Removing Autostart Entries from the Registry

Removing autostart entries from the registry prevents the malware from executing during startup. This is also an effective way to terminate the malware process.

  1. Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
  2. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Run
  3. In the right panel, locate and delete the entry or entries whose data value is the malware path and filename:
    advapi = %System%\ADVAPI.EXE
    *%System% refers to the System folder, which is usually C:\Windows\System or C:\Windows\System32.
  4. Close Registry Editor.

NOTE: If you were not able to terminate the malware process from memory as described in the previous procedure, restart your system.
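The two procedures above (terminating the process and removing the autostart entry), together with the server-component indicators from the technical details, as a script for an NT-based Windows host. This is an added example and not part of the Trend Micro write-up: it reports the advapi Run value and ADVAPI.EXE in the System directory, any running advapi process, and any TCP listener on port 901, and with -Remediate it stops the process and removes the Run value and the dropped file. Assumptions: Windows PowerShell 5.1 or later in an elevated session, and Get-NetTCPConnection available (Windows 8 / Server 2012 and later); the Windows 9x/ME platform named above has no PowerShell, so the manual steps apply there. The script name DetectNetDevil.ps1 is hypothetical.

```powershell
# DetectNetDevil.ps1 (hypothetical name) - added example, not Trend Micro code.
# Audits a host for the BKDR_NETDEVIL.12 indicators listed in the description
# and optionally removes them. Assumes an elevated Windows PowerShell 5.1+ session.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Remediate
)

# Indicators taken from the description.
$RunKey       = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$ValueName    = 'advapi'
$DroppedFile  = Join-Path $env:SystemRoot 'System32\ADVAPI.EXE'   # %System%\ADVAPI.EXE
$BackdoorPort = 901

$findings = @()

# 1. Autostart entry: a Run value named "advapi", or any Run value whose data ends in ADVAPI.EXE.
$runValues = Get-ItemProperty -Path $RunKey -ErrorAction SilentlyContinue
if ($runValues) {
    foreach ($prop in $runValues.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # skip PowerShell's provider metadata properties
        if ($prop.Name -ieq $ValueName -or [string]$prop.Value -match '(?i)\\ADVAPI\.EXE"?\s*$') {
            $findings += [pscustomobject]@{ Indicator = 'RunKey'; Detail = "$($prop.Name) = $($prop.Value)" }
        }
    }
}

# 2. Dropped copy in the System directory.
if (Test-Path -LiteralPath $DroppedFile) {
    $findings += [pscustomobject]@{ Indicator = 'File'; Detail = $DroppedFile }
}

# 3. Running process named advapi (the copy runs from the dropped file).
$procs = @(Get-Process -Name 'advapi' -ErrorAction SilentlyContinue)
foreach ($p in $procs) {
    $findings += [pscustomobject]@{ Indicator = 'Process'; Detail = "PID $($p.Id) $($p.Path)" }
}

# 4. TCP listener on the default backdoor port. A listener alone is not proof;
#    the owning process is reported so it can be checked.
$listeners = @(Get-NetTCPConnection -State Listen -LocalPort $BackdoorPort -ErrorAction SilentlyContinue)
foreach ($l in $listeners) {
    $owner = (Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue).ProcessName
    $findings += [pscustomobject]@{ Indicator = 'Port'; Detail = "TCP $($l.LocalAddress):$($l.LocalPort) owned by PID $($l.OwningProcess) ($owner)" }
}

if ($findings.Count -eq 0) {
    Write-Output 'No BKDR_NETDEVIL.12 indicators found.'
    return
}
$findings | Format-Table -AutoSize

if ($Remediate) {
    # Same order as the manual procedure: stop the process first (so the file is not
    # locked and cannot re-create its entry), then remove persistence, then the file.
    foreach ($p in $procs) {
        if ($PSCmdlet.ShouldProcess("PID $($p.Id)", 'Stop-Process')) { Stop-Process -Id $p.Id -Force }
    }
    if ($runValues -and $runValues.PSObject.Properties[$ValueName]) {
        if ($PSCmdlet.ShouldProcess("$RunKey\$ValueName", 'Remove-ItemProperty')) {
            Remove-ItemProperty -Path $RunKey -Name $ValueName
        }
    }
    if (Test-Path -LiteralPath $DroppedFile) {
        if ($PSCmdlet.ShouldProcess($DroppedFile, 'Remove-Item')) { Remove-Item -LiteralPath $DroppedFile -Force }
    }
}
```

Run `.\DetectNetDevil.ps1` to report only, `.\DetectNetDevil.ps1 -Remediate -WhatIf` to preview the changes, and `.\DetectNetDevil.ps1 -Remediate` to apply them; follow with a full antivirus scan as the next section describes, since the script only covers the indicators the description lists.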

Running Trend Micro Antivirus

Scan your system with Trend Micro antivirus and delete all files detected as BKDR_NETDEVIL.12. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other users may use HouseCall, Trend Micro's free online virus scanner.
