Description Published: August 29, 2004
Description Modified: September 2, 2004
Category: Win32
Also known as: BackDoor-CGT (McAfee), Win32/DKS.E.Trojan, Trojan.Win32.Genme.c (Kaspersky), Backdoor.Xebiz (Symantec)
Description
Win32.DKS.E is a trojan that opens a SOCKS 5 proxy on an affected machine.
Method of Infection
When executed, Win32.DKS.E copies itself to %System%\ss.exe (size: 15,360 bytes) and drops the following files into the %System% directory:
* SS.dat (size: 15,360 bytes) - an encrypted copy of itself
* Dss.dll (size: 3,072 bytes)
* Dssa.dll (size: 3,072 bytes)
It then edits the registry so that the dropped DLL is loaded whenever Explorer starts:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ss = {Generated CLSID}
HKCR\CLSID\{Generated CLSID}\InProcServer32\Default = "dssa.dll"
Note: %System% is a variable location. The trojan determines the location of the current System folder by querying the operating system. The default System directory is C:\Winnt\System32 on Windows 2000 and NT, C:\Windows\System on Windows 95, 98 and ME, and C:\Windows\System32 on Windows XP.
The DLLs are used to execute %System%\ss.exe each time they are called and to restore the backup (ss.dat) if the original executable is missing. The DLLs also ensure that ss.exe runs continuously: should the process be terminated, the DLLs re-execute the file.
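The persistence mechanism above (an SSODL value whose generated CLSID resolves to a bare "dssa.dll") is the part of this trojan a defender can hunt for in a registry snapshot. The script below is an added example, not code from the CA description or from Computer Associates: it walks the ShellServiceObjectDelayLoad values, resolves each CLSID through HKCR\CLSID\{clsid}\InProcServer32, and flags entries that match the dropped DLL names, are absent from a clean baseline, or use an unqualified module path. The registry snapshot, the CLSIDs and the baseline set are constructed sample data; the real trojan generates its CLSID at run time.

```python
"""Hunt for ShellServiceObjectDelayLoad (SSODL) persistence of the kind
Win32.DKS.E uses: a value under the SSODL key whose CLSID resolves, through
HKCR\\CLSID\\{clsid}\\InProcServer32, to an unexpected DLL that Explorer will
load at start-up.  Runs offline over a registry snapshot supplied as dicts."""
import re
from typing import Dict, List, NamedTuple, Optional, Set

# Registry locations named in the description.
SSODL_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad"
CLSID_KEY = r"HKCR\CLSID"

# File names of the DLLs the trojan drops, from the description.
DKS_E_DLLS = {"dss.dll", "dssa.dll"}

CLSID_RE = re.compile(r"^\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$", re.I)


class Finding(NamedTuple):
    value_name: str   # name of the SSODL value (the trojan uses "ss")
    clsid: str        # CLSID stored in that value
    dll: str          # InProcServer32 module the CLSID resolves to, if any
    reason: str


def hunt_ssodl(ssodl_values: Dict[str, str],
               clsid_tree: Dict[str, Dict[str, str]],
               baseline_dlls: Set[str]) -> List[Finding]:
    """Return one Finding per SSODL value that does not look like a known-good
    shell service object.  `clsid_tree` maps an upper-cased CLSID to its
    subkey values (only "InProcServer32" is read); `baseline_dlls` is the set
    of lower-cased module file names seen on a clean reference machine."""
    findings: List[Finding] = []
    for name, clsid in ssodl_values.items():
        if not CLSID_RE.match(clsid):
            findings.append(Finding(name, clsid, "", "value is not a CLSID"))
            continue
        dll: Optional[str] = clsid_tree.get(clsid.upper(), {}).get("InProcServer32")
        if not dll:
            findings.append(Finding(name, clsid, "", "CLSID has no InProcServer32 module"))
            continue
        base = dll.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if base in DKS_E_DLLS:
            findings.append(Finding(name, clsid, dll, "module name matches a Win32.DKS.E drop"))
        elif base not in baseline_dlls:
            findings.append(Finding(name, clsid, dll, "module not in clean baseline"))
        elif "\\" not in dll:
            # A bare file name is resolved through the DLL search path, which
            # includes %System%: exactly where the trojan drops its files.
            findings.append(Finding(name, clsid, dll, "module path is not fully qualified"))
    return findings


# CONSTRUCTED sample snapshot: one plausible legitimate entry plus the
# trojan's.  Both CLSIDs are made up; the trojan generates its own at run time.
SAMPLE_SSODL = {
    "WebCheck": "{11111111-2222-3333-4444-555555555555}",
    "ss": "{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}",
}
SAMPLE_CLSID_TREE = {
    "{11111111-2222-3333-4444-555555555555}": {"InProcServer32": r"C:\WINDOWS\System32\webcheck.dll"},
    "{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}": {"InProcServer32": "dssa.dll"},
}
SAMPLE_BASELINE = {"webcheck.dll"}

if __name__ == "__main__":
    for f in hunt_ssodl(SAMPLE_SSODL, SAMPLE_CLSID_TREE, SAMPLE_BASELINE):
        print(f"{SSODL_KEY}\\{f.value_name} -> {f.clsid} -> {f.dll or '?'}: {f.reason}")
```

On a live system the two dicts would be filled from the SSODL key and the CLSID hive (for example from an exported .reg file or a forensic hive copy); the baseline check is what catches a future variant that renames its DLL, while the name match gives a quick hit on this one.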
The trojan creates the mutex 'one' in order to ensure that only one copy of the trojan is running at any time.
Note: Computer Associates have received several reports of this trojan from users who were previously compromised by variants of the VBS.Suzer Family - a group of trojans that attempt to exploit vulnerabilities in Internet Explorer in order to install other trojans. Please visit the VBS.Suzer Family description elsewhere in our encyclopedia for further detail.
Payload
SOCKS Proxy/Backdoor Functionality
Initially, DKS.E obtains the location of IEXPLORE.EXE by reading the registry entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\IEXPLORE.EXE
and contacts a particular site at a predetermined IP address, presumably to notify its controller of a new compromise and to supply the affected machine's IP address and a randomly generated port number above 1080.
It then opens a SOCKS 5 proxy with no authentication on the port number that was sent to the site. Proxies can be used to redirect network traffic through the affected system, for example to hide the true source of malicious activity on the Internet.
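An unauthenticated SOCKS 5 listener on an unusual high port is visible on the wire: the client greeting offers method 0x00 ("no authentication required", RFC 1928) and the server selects it. The following is an added example, not code from the CA description, that classifies the first bytes of a TCP exchange as a SOCKS 5 handshake and reports hosts that completed the no-auth variant on a port above 1080. The flows are constructed sample traffic, and the port threshold is taken from the description's "above 1080".

```python
"""Classify the opening bytes of a TCP exchange as a SOCKS 5 handshake and
flag the unauthenticated variant (RFC 1928 method 0x00), which is what
Win32.DKS.E exposes on its randomly chosen port.  Runs offline over byte
strings; the flows at the bottom are CONSTRUCTED samples."""
from typing import List, NamedTuple

SOCKS_VERSION = 0x05
METHOD_NOAUTH = 0x00
METHOD_USERPASS = 0x02
METHOD_NONE_ACCEPTABLE = 0xFF


class Flow(NamedTuple):
    server_ip: str
    server_port: int
    client_to_server: bytes   # first bytes the client sent
    server_to_client: bytes   # first bytes the server answered


def classify_socks5(client_first: bytes, server_first: bytes) -> str:
    """Return 'not-socks5', 'socks5-rejected', 'socks5-noauth' or 'socks5-auth'
    from the client greeting (VER NMETHODS METHODS...) and the server's method
    selection (VER METHOD)."""
    if len(client_first) < 3 or client_first[0] != SOCKS_VERSION:
        return "not-socks5"
    nmethods = client_first[1]
    if nmethods == 0 or len(client_first) < 2 + nmethods:
        return "not-socks5"
    offered = set(client_first[2:2 + nmethods])
    if len(server_first) < 2 or server_first[0] != SOCKS_VERSION:
        return "not-socks5"
    chosen = server_first[1]
    if chosen == METHOD_NONE_ACCEPTABLE:
        return "socks5-rejected"
    if chosen not in offered:
        # A conforming server only selects a method the client offered.
        return "not-socks5"
    return "socks5-noauth" if chosen == METHOD_NOAUTH else "socks5-auth"


def flag_open_proxies(flows: List[Flow], min_port: int = 1080) -> List[str]:
    """Return 'ip:port' for every server that completed an unauthenticated
    SOCKS 5 handshake on a port above min_port (the description says the
    trojan picks a port above 1080)."""
    hits: List[str] = []
    for fl in flows:
        if fl.server_port > min_port and \
                classify_socks5(fl.client_to_server, fl.server_to_client) == "socks5-noauth":
            hits.append(f"{fl.server_ip}:{fl.server_port}")
    return hits


# CONSTRUCTED sample flows (RFC 5737 documentation addresses).
SAMPLE_FLOWS = [
    Flow("192.0.2.10", 2345, b"\x05\x01\x00", b"\x05\x00"),        # open SOCKS 5, no auth
    Flow("192.0.2.20", 1080, b"\x05\x02\x00\x02", b"\x05\x02"),    # SOCKS 5, username/password
    Flow("192.0.2.30", 8080, b"GET / HTTP/1.1\r\n", b"HTTP/1.1 200 OK\r\n"),
    Flow("192.0.2.40", 4444, b"\x05\x01\x00", b"\x05\xff"),        # no acceptable method
]

if __name__ == "__main__":
    for fl in SAMPLE_FLOWS:
        print(f"{fl.server_ip}:{fl.server_port} {classify_socks5(fl.client_to_server, fl.server_to_client)}")
    print("open proxies:", flag_open_proxies(SAMPLE_FLOWS))
```

Feeding this with the first client and server payloads of each inbound TCP session (from a packet capture or a flow sensor that keeps initial payload bytes) gives a list of internal hosts acting as open SOCKS 5 servers, which is the observable side-effect of this payload regardless of which port the trojan picked.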
Analysis by Matthew McCormack
More information on CA Virus Information Center:
http://www3.ca.com/securityadvisor/virusinfo/virus.aspx?id=40036
Computer Associates – the Trusted Source of Security Knowledge