TROJ_NCX99.A

Malware type: Trojan

Aliases: Backdoor.Win32.Ncx.b (Kaspersky), BackDoor-RQ (McAfee), Backdoor.Trojan (Symantec), BDS/NCX.A (Avira), Troj/Bdoor-RQ (Sophos)

In the wild: No

Destructive: No

Language: English

Platform: Windows

Encrypted: No

Overall risk rating:

Description: 
This Trojan is a modified version of the NETCAT for NT tool, which is used for reading and writing data across network connections over the Transmission Control Protocol (TCP) or the User Datagram Protocol (UDP). The modified version acts as a backdoor Trojan that gives a remote user access to the infected computer.

Description created: Jan. 23, 2001 5:55:11 AM GMT -0800


TECHNICAL DETAILS


Size of malware: ~31,744 - 59,392 Bytes

Initial samples received on: Nov 24, 2000

Payload 1: ( It Compromises Network Security )

Trigger condition 1: Upon Execution

Details:
This Trojan program is part of a demonstration program created by the eEye Digital Security team to show exploits against Internet Information Server (IIS) on Windows NT. The team's tool runs a modified build of NETCAT.EXE, which is dropped on an infected system as NCX.EXE.

The Trojan accepts connections over Transmission Control Protocol/User Datagram Protocol (TCP/UDP). Upon connection, it displays the following on the screen of any remote user connected to the infected system:

X:\Code>telnet example.com 80

Microsoft (R) Windows NT (TM)
(C) Copyright 1985-1996 Microsoft Corp.

C:\>{You have full access to the system, happy browsing :)}

C:\>{Add a scheduled task to restart inetinfo in X minutes}

C:\>{Add a scheduled task to delete ncx.exe in X-1 minutes}

C:\>{Clean up any trace or logs we might have left behind.}

C:\>exit

After the program exits, it automatically deletes itself so that no trace of it is left behind.

This program is a slightly modified version of the popular NETCAT.EXE tool, which was originally available only for UNIX systems and had not been ported to Windows NT. It hard-codes the command line parameters that expose port 99 of the infected server to incoming telnet sessions.

The backdoor Trojan listens on port 99 and hands an NT command shell (prompt) to anyone who connects to that port. This lets remote users browse the entire contents of an infected system and read, modify, and delete files.
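A triage check for the behaviour described above, added here as an example and not part of this encyclopedia entry: it parses saved `netstat -ano` and `tasklist` output, reports every TCP socket bound to port 99, and names the owning process and any peer already connected to it. The command output below is constructed for the example; the process names and PIDs are assumptions, not indicators from the entry.

```python
"""Triage helper: flag TCP sockets on port 99 (the port the ncx.exe backdoor
opens) in saved `netstat -ano` and `tasklist` output and name the owner."""

BACKDOOR_PORT = 99

# Constructed sample output (not captured from a real host).
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1044
  TCP    0.0.0.0:99             0.0.0.0:0              LISTENING       2212
  TCP    10.0.0.5:99            10.0.0.77:3391         ESTABLISHED     2212
  UDP    0.0.0.0:137            *:*                                    4
"""
TASKLIST_SAMPLE = """\
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
inetinfo.exe                  1044 Services                   0     12,340 K
ncx.exe                       2212 Services                   0        940 K
"""


def parse_netstat(text):
    """Return TCP rows of `netstat -ano` as dicts (UDP rows lack State; skipped)."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] == "TCP":
            addr, _, port = parts[1].rpartition(":")
            rows.append({"local": addr, "port": int(port), "foreign": parts[2],
                         "state": parts[3], "pid": int(parts[4])})
    return rows


def parse_tasklist(text):
    """Map PID -> image name from `tasklist` output (names with spaces not handled)."""
    images = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[1].isdigit():
            images[int(parts[1])] = parts[0]
    return images


def find_port_findings(netstat_text, tasklist_text, port=BACKDOOR_PORT):
    """One finding per TCP socket on `port`: owning image and, if established, the peer."""
    images = parse_tasklist(tasklist_text)
    findings = []
    for row in parse_netstat(netstat_text):
        if row["port"] == port:
            findings.append({"state": row["state"], "pid": row["pid"],
                             "image": images.get(row["pid"], "<unknown>"),
                             "peer": None if row["state"] == "LISTENING" else row["foreign"]})
    return findings
```

Any hit whose image is not a service expected to own the port (here, a listener owned by ncx.exe rather than inetinfo.exe) warrants isolating the host, since an ESTABLISHED row on that port means a remote shell session is already open.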