BKDR_RIZO.CG

Malware type: Backdoor

Aliases: Backdoor.Win32.Rizo.o (Kaspersky), Generic BackDoor (McAfee), W32.Spybot.Worm (Symantec), BDS/Rizo.O (Avira), VirTool:Win32/DelfInject.gen!T (Microsoft)

In the wild: Yes

Destructive: No

Language: English

Platform: Windows 98, ME, NT, 2000, XP, Server 2003

Encrypted: No

Overall risk rating:

Reported infections:

Damage potential: Medium

Distribution potential: Low

Description:

A backdoor program is a Trojan specifically designed to allow malicious users to remotely manipulate affected systems. Like all Trojans, backdoors do not automatically propagate. They are either installed inadvertently by unsuspecting users or intentionally by malicious users.

Backdoors, like other Trojans, typically modify system settings to automatically start. Users may need to terminate backdoors before they can be deleted. Also, restoring affected systems may require procedures other than scanning with an antivirus program.

Description created: Dec. 15, 2007 1:41:50 AM GMT -0800

TECHNICAL DETAILS

File type: PE

Memory resident: No

Size of malware: 45,568 Bytes

Initial samples received on: Nov 29, 2007

Details:

Arrival Details

This backdoor is dropped by other malware.

It can also be downloaded unknowingly by a user when visiting malicious Web sites.

Installation

This backdoor drops the following copy of itself:

  • %System%\Offlce.exe

(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)

Autostart Techniques

This backdoor creates the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
OfficeWord Monitors = "%System%\Offlce.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
OfficeWord Monitors = "%System%\Offlce.exe"

Other System Modifications

This backdoor modifies the following registry entry to disable the DCOM protocol:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole
EnableDCOM = "N"

It modifies the following registry entry as part of its installation routine:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous = "1"

Other Details

This backdoor connects to the following URLs:

  • http://{BLOCKED}l.radioks.net/ma.exe - inaccessible as of this writing
  • http://www.{BLOCKED}ite.net/md.exe - copy of itself
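The following host check is an added example, not part of the Trend Micro entry: it looks for the artifacts listed under Installation, Autostart Techniques and Other System Modifications on a live Windows host. It assumes %System% maps to $env:SystemRoot\System32 (the XP / Server 2003 case) and treats EnableDCOM and restrictanonymous as corroboration only, since both are also legitimate hardening settings.

```powershell
# Added example (not from the Trend Micro entry): checks one Windows host for the
# BKDR_RIZO.CG artifacts described above. Run from an elevated PowerShell session.
$findings = @()

# Dropped copy: %System%\Offlce.exe (lowercase L, imitating "Office").
# Assumes %System% is $env:SystemRoot\System32, as on XP / Server 2003.
$dropped = Join-Path $env:SystemRoot 'System32\Offlce.exe'
if (Test-Path -LiteralPath $dropped) {
    $size = (Get-Item -LiteralPath $dropped).Length
    $findings += "File present: $dropped ($size bytes; the entry lists 45,568)"
}

# Autostart: the "OfficeWord Monitors" value under the per-user and machine Run keys.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    $entry = Get-ItemProperty -Path $key -Name 'OfficeWord Monitors' -ErrorAction SilentlyContinue
    if ($entry) {
        $findings += "Run entry: $key\OfficeWord Monitors = $($entry.'OfficeWord Monitors')"
    }
}

# Corroborating changes only: EnableDCOM=N and restrictanonymous=1 are also
# legitimate hardening settings, so report them but do not treat them as proof.
$ole = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole' -Name 'EnableDCOM' -ErrorAction SilentlyContinue
if ($ole -and "$($ole.EnableDCOM)" -eq 'N') {
    $findings += 'HKLM\SOFTWARE\Microsoft\Ole\EnableDCOM = N (corroborating)'
}
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name 'restrictanonymous' -ErrorAction SilentlyContinue
if ($lsa -and "$($lsa.restrictanonymous)" -eq '1') {
    $findings += 'HKLM\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymous = 1 (corroborating)'
}

if ($findings.Count -gt 0) {
    Write-Output 'Indicators matching the BKDR_RIZO.CG description:'
    $findings | ForEach-Object { Write-Output " - $_" }
} else {
    Write-Output 'No BKDR_RIZO.CG indicators found.'
}
```

A hit on the dropped file or either Run-key value is the actionable finding; the two registry changes alone only strengthen a case that already exists.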

Revision History:

First pattern file version: 4.855.00
First pattern file release date: Nov 29, 2007

SOLUTION
