BKDR_OPTIXPRO.12

Malware type: Backdoor

Aliases: Backdoor.Win32.Optix.Pro.10 (Kaspersky), Backdoor.OptixPro.13 (Symantec), BDS/Optix.Gen (Avira), Troj/OptixPr-12 (Sophos)

In the wild: No

Destructive: Yes

Language: English

Platform: Windows 95, 98, ME, NT, 2000 and XP

Encrypted: No

Overall risk rating:

Reported infections:

Damage potential: High

Distribution potential: High

Description: 

This backdoor malware consists of three programs: a server that runs on the infected system, a client that the attacker uses to access and manipulate the infected system, and a server editor that lets the attacker modify the server's settings before deployment.

Upon execution, it displays a fake error message whose text is chosen by the malicious user in the server editor. An example is shown below:

BKDR_OPTIXPRO.12 displays an error message with the title Error and message General Protection Fault at address 0x00000009

This malware compromises network security by listening on a port (TCP 3410 by default) and allowing malicious users who connect to it to gain unauthorized access to the system. The malicious user can do the following to the compromised system:

  • Switch the monitor on and off
  • Open or close the CD-ROM drive
  • Play media files
  • Print text
  • Change desktop wallpaper
  • Hide icons, buttons, the system tray, and the taskbar
  • Install an FTP server
  • Download and execute files

It runs on Windows 95, 98, ME, NT, 2000, and XP.

Description created: Oct. 10, 2002 6:56:50 PM GMT -0800
Description updated: Mar. 29, 2005 9:54:55 PM GMT -0800


TECHNICAL DETAILS


Size of malware: 907,776 Bytes

Initial samples received on: Oct 10, 2002

Payload 1: Compromises network security

Trigger condition 1: Windows startup

Details:

Server component

Upon execution, the server component displays a fake error message whose text is chosen by the malicious user in the server editor component. An example is shown below:

BKDR_OPTIXPRO.12 displays an error message with the title Error and message General Protection Fault at address 0x00000009

It then creates a copy of itself either in the Windows directory or the Windows system folder, using a variable name.

By default, the server component listens on TCP port 3410 for commands sent by a remote user running the client component; the port can be changed in the server editor. It notifies the remote user of the new infection through either ICQ pager or email. It also attempts to terminate the following processes, most of which belong to antivirus and personal firewall products:

  • McAfee Firewall
  • vsmon
  • sminilog
  • BlackICE
  • NISUM
  • NISSERV
  • ZONEALARM.EXE
  • ZAPRO.EXE
  • MINILOG.EXE
  • VSMON.EXE
  • BLACKD.EXE
  • BLACKICE.EXE
  • NISUM.EXE
  • NISSERV.EXE
  • NMAIN.EXE
  • IAMAPP.EXE
  • IAMSERV.EXE
  • CPD.EXE
  • CPDCLNT.EXE
  • GUARDDOG.EXE
  • FRW.EXE
  • PERSFW.EXE
  • LOCKDOWN.EXE
  • LOCKDOWN2000.EXE
  • SPHINX.EXE
  • NPROTECT.EXE
  • NDD32.EXE
  • SMC.EXE
  • NETUTILS.EXE
  • LDNETMON.EXE
  • PORTMONITOR.EXE
  • CONNECTIONMONITOR.EXE
  • navapsvc
  • NVSVC32
  • NAVAP
  • NAVENG
  • NAVEX15
  • NAV Auto-Protect
  • SymProxySvc.exe
  • SweepNet
  • SWEEPSRV.SYS
  • McShield
  • AvSynMgr
  • AVSync Manager
  • AvgServ
  • _AVP32.EXE
  • _AVPCC.EXE
  • _AVPM.EXE
  • AVPCC.EXE
  • AVPM.EXE
  • AVP.EXE
  • AVP32.EXE
  • NAVAPW32.EXE
  • RTVSCN95.EXE
  • DEFWATCH.EXE
  • VPC32.EXE
  • VPTRAY.EXE
  • POPROXY.EXE
  • NAVAPSVC.EXE
  • ALERTSVC.EXE
  • NAVLU32.EXE
  • NAVW32.EXE
  • NAVWNT.EXE
  • NPSSVC.EXE
  • LUALL.EXE
  • SWNETSUP.EXE
  • ICLOAD95.EXE
  • ICMON.EXE
  • ICSUPP95.EXE
  • ICLOADNT.EXE
  • ICSUPPNT.EXE
  • IFACE.EXE
  • ADVXDWIN.EXE
  • PADMIN.EXE
  • NWTOOL16.EXE
  • NTVDM.EXE
  • ANTS.EXE
  • ANTI-TROJAN.EXE
  • WRCTRL.EXE
  • WRADMIN.EXE
  • CLEANER3.EXE
  • CLEANER.EXE
  • TC.EXE
  • TCA.EXE
  • TCM.EXE
  • MOOLIVE.EXE
  • MGHTML.EXE
  • MCMNHDLR.EXE
  • MCVSRTE.EXE
  • MCVSSHLD.EXE
  • MGAVRTCL.EXE
  • MGAVRTE.EXE
  • MCSHIELD.EXE
  • VSHWIN32.EXE
  • VSMAIN.EXE
  • SCAN32.EXE
  • SCRSCAN.EXE
  • ALOGSERV.EXE
  • VSECOMR.EXE
  • WEBSCANX.EXE
  • AVCONSOL.EXE
  • VSSTAT.EXE
  • SYMTRAY.EXE
  • VSCHED.EXE
  • MCTOOL.EXE
  • CMGRDIAN.EXE
  • AVXW.EXE
  • AVXMONITORNT.EXE
  • AVXMONITOR9X.EXE
  • AVXQUAR.EXE.EXE
  • AMON9X.EXE
  • AVGSERV.EXE
  • AVGW.EXE
  • AVGCC32.EXE
  • IOMON98.EXE
  • WEBTRAP.EXE
  • PCCWIN98.EXE
  • PCCIOMON.EXE
  • POP3TRAP.EXE
  • TDS-3.EXE
  • SS3EDIT.EXE
  • DOORS.EXE
  • JEDI.EXE
  • MONITOR.EXE
  • RAV7WIN.EXE
  • RAV7.EXE
  • SWEEP95.EXE
  • MCAGENT.EXE
  • MCUPDATE.EXE
  • ntrtscan.EXE
  • pccwin97.EXE
  • pccntmon.EXE
  • pcscan.EXE
  • Nui.EXE
  • CLAW95.EXE
  • CLAW95CF.EXE
  • NORMIST.EXE
  • NVC95.EXE
  • VET95.EXE
  • VETTRAY.EXE
  • AUTODOWN.EXE
  • VET32.EXE
  • ETRUSTCIPE.EXE
  • MWATCH.EXE
  • EFPEADM.EXE
  • EVPN.EXE
  • RESCUE.EXE
  • AVKSERV.EXE
  • ACKWIN32.EXE
  • DVP95.EXE
  • DVP95_0.EXE
  • F-AGNT95.EXE
  • F-PROT95.EXE
  • EXPERT.EXE
  • FP-WIN.EXE
  • F-STOPW.EXE
  • VIR-HELP.EXE
  • F-PROT.EXE
  • SPYXX.EXE
  • ATWATCH.EXE
  • ATUPDATER.EXE
  • ATCON.EXE
  • PVIEW95.EXE
  • WGFE95.EXE
  • AVGCTRL.EXE
  • LDPROMENU.EXE
  • LDSCAN.EXE
  • GENERICS.EXE
  • PROCESSMONITOR.EXE
  • PROGRAMAUDITOR.EXE
  • AVSYNMGR.EXE
  • GUARD.EXE
  • TFAK.EXE
  • LUCOMSERVER.EXE
  • WIMMUN32.EXE
  • AutoTrace.exe
  • NWService.exe
  • NTXconfig.exe
  • NeoWatchLog.exe
  • NSCHED32.EXE
  • WATCHDOG.EXE
  • ISRV95.EXE
  • REALMON.EXE
  • AVWINNT.EXE
  • AVGSERV9.EXE
  • avkpop.exe
  • avkservice.exe
  • avkwctl9.exe
  • fsav32.exe
  • fameh32.exe
  • fch32.exe
  • fih32.exe
  • fnrb32.exe
  • fsaa.exe
  • fsgk32.exe
  • fsm32.exe
  • fsma32.exe
  • fsmb32.exe
  • sbserv.exe
  • apvxdwin.exe
  • gbpoll.exe
  • gbmenu.exe
  • pavproxy.exe
  • VbCons.exe
  • vbcmserv.exe
  • Avgctrl.exe
  • Avsched32.exe

Client Component

A remote user can perform any of the following on the infected machine using the client component:

  • Switch the monitor on and off
  • Open or close the CD-ROM drive
  • Play media files
  • Print text
  • Change desktop wallpaper
  • Hide icons, buttons, the system tray, and the taskbar
  • Install an FTP server
  • Download and execute files

The Graphical User Interface (GUI) of the client component is illustrated below:

BKDR_OPTIXPRO.12 displays the Graphical User Interface of the client program

Server Editor Component

The server editor component of this malware is used to configure the settings of the server component. Below is the GUI of the server editor component:

BKDR_OPTIXPRO.12 displays the Graphical User Interface of the server editor program

The malicious user can use this editor program to configure the following features of the server component:

  • File name of the Server after installation
  • Autorun registry/Startup method to use
  • Port to open
  • Notification
  • Option to terminate Firewall and Antivirus processes
  • Password protect the Server
  • Compress the Server
  • Fake Error Messages

Registry Modifications

The malware creates an autorun entry whose value name and data both vary, because the malicious user sets them in the server editor program:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
<variable value> = <variable data>

Examples of autorun entries it creates in the registry would be similar to the following:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Plob = %Windows%\kernel.com

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
Plob = %System%\kerneli.com

(Note: %Windows% refers to the Windows folder, which is usually C:\Windows on Windows 95, 98, ME and XP systems and C:\WINNT on Windows NT and 2000 systems. %System% refers to the Windows system folder, which is usually C:\Windows\System on Windows 95, 98 and ME systems, C:\Windows\System32 on Windows XP systems, and C:\WINNT\System32 on Windows NT and 2000 systems.)
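As an added triage example (not part of the original description and not a Trend Micro tool), the following Python script applies the two host indicators given above, the default TCP 3410 listener and the Run/RunServices autorun values, to text snapshots an analyst would collect from a suspect host: the output of netstat -an and a reg export of the autorun keys. Both snapshots embedded in the script are constructed; the file names kernel.com and kerneli.com are taken from the examples above, and the rule that flags a .com file sitting directly in the Windows or System folder is an assumption drawn from that pattern, not a signature, so it is reported as a weak match for manual confirmation.

```python
"""Offline triage for the BKDR_OPTIXPRO.12 host indicators described above.

Input is two text snapshots from the suspect host: ``netstat -an`` output and
a ``reg export`` of the autorun keys.  Both samples here are constructed.
"""
import re

DEFAULT_PORT = 3410  # default listener; the server editor can change it

# Autorun keys this backdoor is documented to use.
AUTORUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
)

# Constructed ``netstat -an`` snapshot from a Windows XP host.
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3410           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:3410      10.0.0.5:1043          ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""

# Constructed ``reg export`` of the autorun keys (.reg escaping: \\ and \").
REG_SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Plob"="C:\\Windows\\kernel.com"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Plob"="C:\\Windows\\System\\kerneli.com"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
'''


def find_port_activity(netstat_text, port=DEFAULT_PORT):
    """Return (state, local, foreign) for every TCP line whose local port is `port`.

    A LISTENING socket is the server waiting for the client; an ESTABLISHED
    socket on the same port is an attacker connected right now.
    """
    hits = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0].upper() == "TCP":
            local, foreign, state = parts[1], parts[2], parts[3]
            if local.rsplit(":", 1)[-1] == str(port):
                hits.append((state, local, foreign))
    return hits


def parse_reg_export(reg_text):
    """Parse a .reg export into {key: {value_name: data}}, string values only."""
    result, current = {}, None
    value_re = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            result.setdefault(current, {})
            continue
        m = value_re.match(line)
        if current and m:
            name, data = m.group(1), m.group(2)
            if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                # Undo .reg escaping of backslashes and embedded quotes.
                result[current][name] = re.sub(r'\\(["\\])', r"\1", data[1:-1])
    return result


def _target_path(data):
    """Extract the executable path from an autorun value, honouring quoting."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split()[0] if data else ""


def suspicious_autoruns(entries, detected_names=(), windows_dirs=(r"C:\Windows", r"C:\WINNT")):
    """Flag autorun values under the keys this backdoor uses.

    "strong": the target file name is one the antivirus scan reported.
    "weak":   a .com file directly in the Windows or System folder (the pattern
              in the page's examples); an assumed heuristic, confirm manually.
    """
    keys = {k.lower() for k in AUTORUN_KEYS}
    detected = {n.lower() for n in detected_names}
    roots = set()
    for d in windows_dirs:
        roots.update({d.lower(), (d + r"\System").lower(), (d + r"\System32").lower()})
    flagged = []
    for key, values in entries.items():
        if key.lower() not in keys:
            continue
        for name, data in values.items():
            target = _target_path(data)
            parent, _, base = target.rpartition("\\")
            if base.lower() in detected:
                flagged.append((key, name, target, "strong"))
            elif base.lower().endswith(".com") and parent.lower() in roots:
                flagged.append((key, name, target, "weak"))
    return flagged


if __name__ == "__main__":
    for hit in find_port_activity(NETSTAT_SAMPLE):
        print("port %d: %s %s <- %s" % (DEFAULT_PORT, *hit))
    for hit in suspicious_autoruns(parse_reg_export(REG_SAMPLE), ["kernel.com"]):
        print("autorun [%s] %s = %s (%s)" % hit)
```

Because the port, the file name and the startup key are all attacker-configurable, a clean result from this script is not proof of a clean host; pass the file names reported by the antivirus scan as detected_names and review every autorun value the script prints, not only the strong matches.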

Other Details

This backdoor malware was written and compiled in Borland Delphi.

Revision History:

First pattern file version: 2.352.01
First pattern file release date: Oct 10, 2002

SOLUTION


Minimum scan engine version needed: 6.810

Pattern file needed: 4.573.00

Pattern release date: Jul 1, 2007


Important note: The "Minimum scan engine" refers to the earliest Trend Micro scan engine version guaranteed to detect this threat. However, Trend Micro strongly recommends that you update to the latest scan engine version in order to get comprehensive protection.

Solution:

AUTOMATIC REMOVAL INSTRUCTIONS

To automatically remove this malware from your system, please use the Trend Micro System Cleaner.

MANUAL REMOVAL INSTRUCTIONS

Identifying the Malware Program

Before proceeding to remove this malware, first identify the malware program.

Scan your system with Trend Micro antivirus and NOTE all files detected as BKDR_OPTIXPRO.12. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro's free online virus scanner.

Terminating the Malware Program

This procedure terminates the running malware process from memory. You will need the name(s) of the file(s) detected earlier.

  1. Open Windows Task Manager.
    On Windows 9x/ME systems, press
    CTRL+ALT+DELETE
    On Windows NT/2000/XP systems, press
    CTRL+SHIFT+ESC, and click the Processes tab.
  2. In the list of running programs*, locate the malware file or files detected earlier.
  3. Select one of the detected files, then press either the End Task or the End Process button, depending on the version of Windows on your system.
  4. Do the same for all detected malware files in the list of running processes.
  5. To check if the malware process has been terminated, close Task Manager, and then open it again.
  6. Close Task Manager.

*NOTE: On systems running Windows 9x/ME, Task Manager may not show certain processes. You may use a third party process viewer to terminate the malware process. Otherwise, continue with the next procedure, noting additional instructions.

Removing Autostart Entries from the Registry

Removing autostart entries from the registry prevents the malware from executing during startup. You will need the name(s) of the file(s) detected earlier. Because the malicious user chooses the startup method in the server editor, check all of the keys below, including the RunServices key (used on Windows 9x/ME systems) shown in the examples in the Registry Modifications section.

  1. Open Registry Editor. To do this, click Start>Run, type REGEDIT, then press Enter.
  2. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>Software>Microsoft>
    Windows>CurrentVersion>Run
  3. In the right panel, locate and delete the entry or entries whose data value (in the rightmost column) is the malware file(s) detected earlier.
  4. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>Software>Microsoft>
    Windows>CurrentVersion>RunServices
  5. In the right panel, locate and delete the entry or entries whose data value (in the rightmost column) is the malware file(s) detected earlier.
  6. In the left panel, double-click the following:
    HKEY_CURRENT_USER>Software>Microsoft>
    Windows>CurrentVersion>Run
  7. In the right panel, locate and delete the entry or entries whose data value (in the rightmost column) is the malware file(s) detected earlier.
  8. Close Registry Editor.

NOTE: If you were not able to terminate the malware process from memory as described in the previous procedure, restart your system.

Additional Windows ME/XP Cleaning Instructions

Running Trend Micro Antivirus

Scan your system with Trend Micro antivirus and delete all files detected as BKDR_OPTIXPRO.12. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro's free online virus scanner.

