BKDR_OPTXPRO.132

Malware type: Backdoor

Aliases: Backdoor.Optix.Pro.132, Bck/Sdbot.VV

In the wild: Yes

Destructive: No

Language: English

Platform: Windows 95, 98, NT, 2000, ME, XP

Encrypted: No

Overall risk rating:

Reported infections:

Damage potential: High

Distribution potential: Low

Description: 

This backdoor malware gives a remote malicious user unauthorized access to the infected machine. Upon execution, it drops a copy of itself as AL.EXE in the Windows system directory.

It uses its own Internet Relay Chat (IRC) client code to connect to an IRC server. Once connected, it awaits commands from the remote user to perform malicious actions on the infected system.

This malware runs on Windows 95, 98, NT, ME, 2000, and XP.


Description created: Apr. 27, 2004 10:59:42 PM GMT -0800


TECHNICAL DETAILS


Size of malware: 65,024 Bytes

Initial samples received on: Apr 27, 2004

Payload 1: Compromises network security

Details:

Installation and Autostart

Upon execution, this malware drops a copy of itself as AL.EXE in the Windows system directory.

It also creates the following files in the Windows directory, where it saves captured user keystrokes:

  • KEYLOG.TXT
  • XXX.TXT

This malware creates the following registry entries to ensure that it executes every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Microsoft Synchronization Manager = "al.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Microsoft Synchronization Manager = "al.exe"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Microsoft Synchronization Manager = "al.exe"
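The dropped file names and autostart values above are the host-based indicators a responder would look for. The following script is an added example (not a Trend Micro tool and not part of the original description): it parses a Registry Editor export (the text produced by `regedit /e`) and flags the autostart entries listed above, and checks directory listings for the dropped files. The sample export embedded in it is constructed for the example; the benign entries in it are invented for contrast.

```python
import re
from pathlib import PureWindowsPath

# Autostart locations named in the description (lower-cased for comparison).
AUTOSTART_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
}
AUTOSTART_VALUE_NAME = "microsoft synchronization manager"
DROPPED_EXE = "al.exe"                 # copy dropped in the Windows system directory
KEYLOG_FILES = {"keylog.txt", "xxx.txt"}  # keystroke logs in the Windows directory

# Constructed sample of a regedit export; only the two "Microsoft Synchronization
# Manager" values match the description, the other values are benign filler.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Synchronization Manager"="al.exe"
"ExampleUpdater"="C:\\Program Files\\Example\\updater.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Microsoft Synchronization Manager"="al.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Notes"="C:\\Tools\\notes.exe"
'''

# A .reg value line looks like: "name"=<data>; the name may contain escaped quotes.
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _unescape(s):
    """Undo .reg string escaping: \\" -> " and \\\\ -> \\ ."""
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg_export(text):
    """Parse a .reg export into (key, value_name, data) triples.
    String (REG_SZ) data is unescaped; other types (dword:, hex:) are kept as raw text."""
    entries = []
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        if key is None:
            continue
        if line.startswith("@="):           # default value of the key
            name, data = "", line[2:]
        else:
            m = _VALUE_RE.match(line)
            if not m:
                continue
            name, data = _unescape(m.group(1)), m.group(2)
        if data.startswith('"') and data.endswith('"'):
            data = _unescape(data[1:-1])
        entries.append((key, name, data))
    return entries


def find_autostart_indicators(entries):
    """Return entries under the autostart keys whose name or executable matches the description."""
    hits = []
    for key, name, data in entries:
        if key.lower() not in AUTOSTART_KEYS:
            continue
        # Compare on the file name only, so "al.exe" and "C:\...\al.exe" both match.
        basename = PureWindowsPath(data).name.lower()
        if name.lower() == AUTOSTART_VALUE_NAME or basename == DROPPED_EXE:
            hits.append((key, name, data))
    return hits


def find_dropped_files(windows_dir_listing, system_dir_listing):
    """Flag the files the description says the backdoor creates (case-insensitive)."""
    found = [("windows", n) for n in windows_dir_listing if n.lower() in KEYLOG_FILES]
    found += [("system", n) for n in system_dir_listing if n.lower() == DROPPED_EXE]
    return found


if __name__ == "__main__":
    for key, name, data in find_autostart_indicators(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(f"autostart indicator: [{key}] {name} = {data}")
    for where, name in find_dropped_files(["KEYLOG.TXT", "win.ini"], ["AL.EXE", "kernel32.dll"]):
        print(f"dropped file in {where} directory: {name}")
```

Matching is done on the value name and on the base name of the executable rather than on the full data string, because the description only fixes the file name, not the directory it is launched from; a real export of the keys (rather than the embedded sample) can be fed to `parse_reg_export` unchanged.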

Backdoor Capabilities

This malware acts as an Internet Relay Chat (IRC) bot. It logs in to the IRC server frozen.attaq.net using the username #poo and the password mofo.

Once connected, it then awaits commands from a remote user to perform the following malicious actions on the infected system:

  • Log user keyboard inputs
  • List and terminate running processes
  • Delete, execute and download files
  • Display system information such as the following:
    • Current user
    • IP
    • Hostname
    • Windows directory
    • System directory



Analysis by: Arman Catacutan

Revision History:

First pattern file version: 1.872.05
First pattern file release date: Apr 27, 2004

SOLUTION


Minimum scan engine version needed: 6.500

Pattern file needed: 3.200.01

Pattern release date: Feb 7, 2006


Important note: The "Minimum scan engine" refers to the earliest Trend Micro scan engine version guaranteed to detect this threat. However, Trend Micro strongly recommends that you update to the latest version in order to get comprehensive protection. Download the latest scan engine here.

Solution:

Terminating the Malware Program

This procedure terminates the running malware process.

  1. Open Windows Task Manager.
    On Windows 95/98/ME systems, press CTRL+ALT+DELETE.
    On Windows NT/2000/XP systems, press CTRL+SHIFT+ESC, and click the Processes tab.
  2. In the list of running programs*, locate the process:
    AL.EXE
  3. Select the malware process, then press either the End Task or the End Process button, depending on the version of Windows on your system.
  4. To check if the malware process has been terminated, close Task Manager, and then open it again.
  5. Close Task Manager.


*NOTE: On systems running Windows 95/98/ME, Windows Task Manager may not show certain processes. You may use a third party process viewer such as Process Explorer to terminate the malware process. Otherwise, continue with the next procedure, noting additional instructions.

Removing Autostart Entries from the Registry

Removing autostart entries from the registry prevents the malware from executing at startup.

  1. Open Registry Editor. To do this, click Start>Run, type Regedit, then press Enter.
  2. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>Software>Microsoft>
    Windows>CurrentVersion>Run
  3. In the right panel, locate and delete the entry or entries:
    Microsoft Synchronization Manager = "al.exe"
  4. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>Software>Microsoft>
    Windows>CurrentVersion>RunServices
  5. In the right panel, locate and delete the entry or entries:
    Microsoft Synchronization Manager = "al.exe"
  6. In the left panel, double-click the following:
    HKEY_CURRENT_USER>Software>Microsoft>
    Windows>CurrentVersion>Run
  7. In the right panel, locate and delete the entry or entries:
    Microsoft Synchronization Manager = "al.exe"
  8. Close Registry Editor.


NOTE: If you were not able to terminate the malware process as described in the previous procedure, restart your system.

Additional Windows ME/XP Cleaning Instructions

Running Trend Micro Antivirus

Trend Micro customers must download the latest pattern file and scan their system. Then, delete all files detected as BKDR_OPTXPRO.132. Other Internet users can use HouseCall, Trend Micro's free online virus scanner.

