F-Secure Virus Descriptions : CiaDoor
CiaDoor is a family of backdoors generated by the C.I.A development
kit. The backdoor is written in Visual Basic and compiled as p-code.
It can additionally be packed with executable packers such as UPX.
The development kit lets the author customize the capabilities of
the server part (listening port, password, services, etc.).
This approach was first introduced by the Back Orifice 2000 backdoor
and gives backdoors much more flexibility.
Automatic Disinfection
Usually standalone malware (backdoors, worms, trojans, etc.) is
automatically removed by F-Secure Anti-Virus (FSAV) starting from
version 5.40. Malware files are automatically renamed by FSAV, so
they cannot be started any more. In the rare cases where automatic
disinfection is not possible, the user can select the disinfection
action to make FSAV rename or delete an infected file.
Manual Disinfection
To manually disinfect the CiaDoor backdoor, it is enough to delete
the backdoor's main file from the Windows directory. However, the file
is hidden and locked, so it cannot be deleted directly and it is not
visible with the normal Windows tools. Disinfection can be done by
deleting all relevant registry keys (see the Details below) and
rebooting the computer, or by manually renaming the file and rebooting.
After the system restart the backdoor main file can be deleted.
When run, the backdoor copies itself to the Windows directory
under a configurable name, for example "Csrss.exe". It then
modifies the Windows Registry so that it is run on every
Windows startup.
It creates the following registry keys:
[HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA855-CC51-11CF-AAFA-00AA00B6017B}]
"StubPath" = "%Windir%\%filename%"
"ComponentID" = %name%
"IsInstalled" = 1
"Locale" = "en"
"Version" = "4,88,55,1"
where %filename% is the actual file in the Windows directory, for
example "Csrss.exe", and %name% is configurable by the author, for
example "Runtime Process".
The backdoor can also create or modify the following registry keys:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\winlogon
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Run
If the system is Win9x, the backdoor also modifies the files:
WIN.INI
SYSTEM.INI
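As an added example (not part of F-Secure's description or its detection engine), the following Python script turns the persistence indicators above into a hunting check. On a Windows host it reads the Active Setup Installed Components key through the standard winreg module; elsewhere it falls back to a constructed sample that mirrors the entry shown above. Every StubPath or Run value is flagged when its executable sits directly in the Windows directory or borrows the name of a process that normally lives in System32. The heuristic, the SYSTEM32_NAMES list, the C:\WINDOWS default and the benign sample entries are assumptions made for illustration.

```python
"""Hunt for CiaDoor-style Active Setup / Run-key persistence.

Added example, not F-Secure's code. Sample registry data below is
constructed from the CiaDoor description; the heuristics are assumptions.
"""
import ntpath   # Windows path semantics even when run on another OS
import re
import sys

ACTIVE_SETUP = r"SOFTWARE\Microsoft\Active Setup\Installed Components"

# Genuine Windows processes that live in System32. A same-named file in the
# Windows directory root (the page's "Csrss.exe") is a classic masquerade.
SYSTEM32_NAMES = {"csrss.exe", "winlogon.exe", "lsass.exe", "services.exe",
                  "svchost.exe", "smss.exe"}


def _first_exe(command, windir):
    """Pull the executable path out of a command line, expanding
    %Windir% / %SystemRoot% to the supplied Windows directory."""
    cmd = re.sub(r"%(windir|systemroot)%", lambda m: windir, command,
                 flags=re.I)
    m = re.match(r'\s*"([^"]+)"|\s*(\S+)', cmd)
    return (m.group(1) or m.group(2)) if m else ""


def classify_stub(command, windir=r"C:\WINDOWS"):
    """Return the reasons a command looks like CiaDoor persistence
    (an empty list means nothing suspicious was found)."""
    exe = _first_exe(command, windir)
    parent, name = ntpath.split(exe)
    parent_n = ntpath.normcase(parent)
    reasons = []
    if parent_n == ntpath.normcase(windir):
        reasons.append("executable sits directly in the Windows directory")
    if (name.lower() in SYSTEM32_NAMES
            and parent_n != ntpath.normcase(ntpath.join(windir, "system32"))):
        reasons.append(f"{name} masquerades as a System32 process")
    return reasons


def scan_commands(entries, windir=r"C:\WINDOWS"):
    """entries: {label: command line} -> {label: reasons} for hits only.
    Works for Run-key values and for Active Setup StubPath strings alike."""
    hits = {}
    for label, command in entries.items():
        reasons = classify_stub(command, windir)
        if reasons:
            hits[label] = reasons
    return hits


def active_setup_stubs(components):
    """{guid: {value: data}} -> {guid: StubPath} for components with one."""
    return {g: v["StubPath"] for g, v in components.items() if v.get("StubPath")}


def read_active_setup_live():
    """Read Installed Components from the live registry (Windows only)."""
    if sys.platform != "win32":
        raise RuntimeError("live registry reads require Windows")
    import winreg
    components = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, ACTIVE_SETUP) as root:
        i = 0
        while True:
            try:
                guid = winreg.EnumKey(root, i)
            except OSError:
                break          # no more subkeys
            i += 1
            values = {}
            with winreg.OpenKey(root, guid) as sub:
                j = 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(sub, j)
                    except OSError:
                        break  # no more values
                    values[name] = data
                    j += 1
            components[guid] = values
    return components


# Constructed sample: the component described on the page plus a benign
# entry that points into System32 (hypothetical GUID, assumed legitimate).
SAMPLE_ACTIVE_SETUP = {
    "{44BBA855-CC51-11CF-AAFA-00AA00B6017B}": {
        "StubPath": r"%Windir%\Csrss.exe", "ComponentID": "Runtime Process",
        "IsInstalled": 1, "Locale": "en", "Version": "4,88,55,1"},
    "{EXAMPLE-BENIGN-GUID}": {
        "StubPath": r"%SystemRoot%\system32\ie4uinit.exe -UserIconConfig"},
}
# Constructed sample of a Run key: one masquerading value, one benign one.
SAMPLE_RUN = {
    "Csrss": r"C:\WINDOWS\Csrss.exe",
    "SecurityHealth": r"%windir%\system32\SecurityHealthSystray.exe",
}

if __name__ == "__main__":
    comps = read_active_setup_live() if sys.platform == "win32" else SAMPLE_ACTIVE_SETUP
    for label, reasons in scan_commands(active_setup_stubs(comps)).items():
        print("Active Setup", label, "->", "; ".join(reasons))
    for label, reasons in scan_commands(SAMPLE_RUN).items():
        print("Run value", label, "->", "; ".join(reasons))
```

Feed the same scan_commands() the values of the Run, RunServices and policies\Explorer\Run keys listed above to cover the other persistence locations; only the reader function differs.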
After installation, the backdoor starts its services and
displays a configurable fake error message.
The server part can have any of the following capabilities:
1. Copy, delete, upload, download, and execute files
2. Enumerate and kill processes
3. Manipulate system settings (cd-rom, keyboard, mouse)
4. Capture screenshots, audio and keystrokes
5. Shut down Windows
6. Fake MSN login screen to steal account information
7. Steal CD keys of various games and applications
The actual server port is configurable. An example banner of the server
(version 1.21) looks like this:
(__( C.I.A v1.21 - Enter Password)__)
CiaDoor also starts an FTP service for manipulating files on the local
file system. The FTP service uses the standard FTP port (TCP 21). Its
banner looks like this:
220-
220- (___( C.I.A v1.21 Ftp Server Ready )___)
220- (___( Welcome pokermon)___)
220- (___( Coded By Alch3mist of th3 DCC )___)
220- (___( http://dcc.darksideofkalez.com )___)
220
CiaDoor tries to use various web pages and e-mail accounts to
notify the author that victims are online.
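The two banners quoted above make a useful network-side indicator. The following Python snippet is an added example, not F-Secure's signature: it parses an RFC 959 multi-line FTP greeting into its reply code and text lines, then matches the greeting strings shown above to report the family and the version embedded in the banner. The sample banners are constructed from the text of this description, and the benign vsftpd greeting is a constructed comparison case.

```python
"""Fingerprint CiaDoor service banners from captured greetings.

Added example, not F-Secure's detection. Sample banners are constructed
from the strings quoted in the CiaDoor description.
"""
import re

# Fingerprints taken from the banners quoted in the description.
CIA_FTP = re.compile(r"C\.I\.A v(\d+(?:\.\d+)*) Ftp Server Ready")
CIA_SHELL = re.compile(r"C\.I\.A v(\d+(?:\.\d+)*) - Enter Password")


def parse_ftp_reply(raw):
    """Split an RFC 959 reply into (code, [text lines]).

    A multi-line reply begins with 'ddd-' and ends at the first line that
    begins with 'ddd ' (or is a bare 'ddd'); lines in between may or may
    not repeat the code."""
    lines = raw.replace("\r\n", "\n").split("\n")
    m = re.match(r"(\d{3})([ -]?)(.*)", lines[0])
    if not m:
        raise ValueError("not an FTP reply: %r" % lines[0])
    code, sep, text = m.groups()
    body = [text.strip()]
    if sep != "-":
        return code, body          # single-line reply
    for line in lines[1:]:
        if line.startswith(code + "-"):
            body.append(line[4:].strip())
        elif line.startswith(code + " ") or line == code:
            body.append(line[4:].strip())
            break                  # terminating line
        else:
            body.append(line.strip())
    return code, body


def fingerprint(raw):
    """Return {'family', 'service', 'version'} for a CiaDoor banner, or
    None when the greeting matches neither of the quoted banners."""
    try:
        _code, body = parse_ftp_reply(raw)
        text = "\n".join(body)
    except ValueError:             # not an FTP reply: try the shell banner
        text = raw
    for service, rx in (("ftp", CIA_FTP), ("shell", CIA_SHELL)):
        m = rx.search(text)
        if m:
            return {"family": "CiaDoor", "service": service,
                    "version": m.group(1)}
    return None


# Constructed samples reproducing the banners quoted in the description.
BANNER_FTP = "\r\n".join([
    "220-",
    "220- (___( C.I.A v1.21 Ftp Server Ready )___)",
    "220- (___( Welcome pokermon)___)",
    "220- (___( Coded By Alch3mist of th3 DCC )___)",
    "220- (___( http://dcc.darksideofkalez.com )___)",
    "220",
]) + "\r\n"
BANNER_SHELL = "(__( C.I.A v1.21 - Enter Password)__)\r\n"
BANNER_BENIGN = "220 (vsFTPd 3.0.3)\r\n"   # constructed benign greeting

if __name__ == "__main__":
    for name, banner in (("ftp", BANNER_FTP), ("shell", BANNER_SHELL),
                         ("benign", BANNER_BENIGN)):
        print(name, "->", fingerprint(banner))
```

Because the version is captured rather than hard-coded, the same check reports later kit versions that keep the banner layout; a banner that drops the "C.I.A" marker entirely would need a different indicator.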
F-Secure Anti-Virus detects various variants of the CiaDoor backdoor
starting with the following update:
[FSAV_Database_Version]
Version=2003-03-25_01
Technical Details:
Jarkko Turkulainen, January 11th, 2005;
F-Secure Corporation