Threat description

This backdoor and its dropper have the novel feature of hiding their code in an NTFS alternate data stream, a mode of storing data provided by the NTFS file system in which extra content is attached to a file or folder without appearing in a normal directory listing.

The backdoor itself allows an attacker to remotely control the infected machine.


Automatic action

Depending on the settings of your F-Secure security product, it will either automatically delete, quarantine or rename the suspect file, or ask you for a desired action.


Technical Details

The backdoor provides its own removal mechanism (the Uninstall entry point of the DLL, see below), which however seems to leave some files on the system. It does remove the Registry entry, so the backdoor will not be started again the next time Windows restarts.

If a Windows NT, 2000 or XP system is already infected, removing the DLL is not trivial, because when the underlying file system is NTFS the DLL lives in an alternate data stream rather than in an ordinary file.

F-Secure Anti-Virus detects the backdoor when the file or stream is accessed, but may be unable to delete it while it is loaded and in use.

A workaround is to temporarily set the product to remove infected files automatically instead of prompting the user for confirmation, and then reboot the system.

After the restart, the stream containing the backdoor is detected as soon as an attempt is made to access it, and is removed before it can be loaded again.

The main executable is packed with unmodified UPX; its packed length is 58368 bytes and it grows to 118272 bytes once unpacked.

System installation

The first component executed on a system is the Emaner dropper. Using almost the same functionality as is found later in the main backdoor code, it drops a second component onto the user's system and then runs it by calling the LoadLibrary function exported by Windows' Kernel32.DLL.

The dropped component is stored as an alternate data stream in the default Windows temporary folder if the file system is NTFS (the default on Windows NT, 2000 and XP), and as a normal file in the same folder if the file system does not support streams, e.g. FAT/VFAT.

The file or stream name is randomly generated and always consists of lowercase characters in the range [a-z]. It is built by repeatedly dividing a randomly chosen number by 26 and using the remainder of each division to select one character: the ordinal of 'a' is added to the remainder, which yields exactly the range given above. Because the name is random, there is no fixed file name to search for; the location (the temporary folder) and the stream itself are the useful indicators.

Once the file has been written, the dropper exits if it was able to execute the dropped backdoor.

The backdoor component

This component is a DLL and must be loaded as such. The DLL is 113152 bytes. The backdoor has an extensive set of features that give the attacker a high degree of control over the infected machine.

When the backdoor runs, it adds a startup entry to the Windows Registry so that it is loaded again at every restart:

[random name] = rundll32 [path to DLL],[options]

All three values, [random name], [path to DLL] and [options], depend on several factors. [random name], however, always matches the basename (without extension) of the file pointed to by [path to DLL], and consists of lowercase characters in the range [a-f].

The DLL exports the following entry points:

DebugBreakpoint, DebugInit, Init, InitService, SpawnedInit, Uninstall

Each leads to a different behaviour. Running the following command:

Rundll32 [path to the DLL],[any of the above entry points and its options]

loads the DLL and executes the code corresponding to that entry point.
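The naming scheme described under "System installation" and the Registry entry shown above can be modelled in a few lines. The following Python is an added example written for this page, not code from the sample or from F-Secure. It implements the remainder-of-division name derivation (the page does not state the length or the stopping rule, so stopping when the quotient reaches zero and emitting the least significant remainder first are assumptions), and a triage check that parses a Run value of the form rundll32 [path],[entry point] and flags it when the value name is all lowercase letters, equals the DLL's basename, and the path is either an NTFS stream or the entry point is one of the six exported above. The Registry values are constructed for the example, not captured from an infected system; the check accepts [a-z] for the value name, which covers both the [a-z] of the dropped name and the [a-f] stated for the Run value.

```python
import re

# Entry points exported by the backdoor DLL, as listed on the page.
ENTRY_POINTS = {"DebugBreakpoint", "DebugInit", "Init", "InitService",
                "SpawnedInit", "Uninstall"}

# rundll32 [path to DLL],[entry point] [options]; the first comma separates
# the path from the entry point.
RUNDLL32_RE = re.compile(
    r"^\s*rundll32(?:\.exe)?\s+(?P<path>.+?),(?P<entry>\S+)(?P<opts>.*)$",
    re.IGNORECASE,
)


def derive_name(seed: int) -> str:
    """Name derivation as the page describes it: divide by 26 and add ord('a')
    to each remainder. Stopping at quotient 0 and emitting the least
    significant remainder first are assumptions; the page gives neither."""
    letters = []
    n = seed
    while True:
        n, rem = divmod(n, 26)
        letters.append(chr(ord("a") + rem))
        if n == 0:
            break
    return "".join(letters)


def parse_rundll32(command: str):
    """Return (path, entry point, options) for a rundll32 command, else None."""
    m = RUNDLL32_RE.match(command)
    if m is None:
        return None
    return m.group("path").strip(), m.group("entry"), m.group("opts").strip()


def is_ads_path(path: str) -> bool:
    """True if the path names an NTFS alternate data stream (file:stream).
    The colon of a drive designator such as C: is not counted."""
    body = path[2:] if re.match(r"^[A-Za-z]:", path) else path
    return ":" in body


def basename_no_ext(path: str) -> str:
    """Basename without extension; for an ADS path this is the stream name."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    if ":" in name:
        name = name.rsplit(":", 1)[-1]
    return name.rsplit(".", 1)[0]


def suspicious_run_value(value_name: str, command: str) -> bool:
    """Flag a Registry Run value that matches the persistence pattern:
    rundll32, an all-lowercase value name equal to the DLL basename, and
    either a stream-hosted DLL or one of the known entry points."""
    parsed = parse_rundll32(command)
    if parsed is None:
        return False
    path, entry, _opts = parsed
    random_style = re.fullmatch(r"[a-z]+", value_name) is not None
    name_matches = basename_no_ext(path) == value_name
    return random_style and name_matches and (is_ads_path(path) or entry in ENTRY_POINTS)


# Constructed Run values for the example; not captured from a real infection.
SAMPLE_RUN_VALUES = {
    "abdc": r"rundll32 C:\WINDOWS\TEMP:abdc,Init",        # NTFS: DLL in a stream
    "bfca": r"rundll32 C:\WINDOWS\TEMP\bfca.dll,Init",    # FAT: DLL as a plain file
    "cmaudio": r"RunDll32 cmicnfg.cpl,CMICtrlWnd",        # benign rundll32 entry
    "SoundMAX": r"C:\Program Files\SoundMAX\SMTray.exe",  # benign, not rundll32
}


def triage(run_values: dict) -> list:
    """Names of the Run values that match the backdoor's persistence pattern."""
    return [name for name, cmd in run_values.items() if suspicious_run_value(name, cmd)]


if __name__ == "__main__":
    print("derived name for seed 123456789:", derive_name(123456789))
    print("suspicious Run values:", triage(SAMPLE_RUN_VALUES))
```

On a live system the same check would be fed the value names and data of the Run keys under HKCU and HKLM; a stream-hosted path such as C:\WINDOWS\TEMP:abdc is the strongest signal, since legitimate startup entries do not load DLLs from alternate data streams.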

The backdoor contains the following text:

(The text has been reformatted for better appearance on our web site.)

************************************************************
If you read this, then this program was probably stolen from our laboratory.
Author of this software is not responsible for any harm that may be caused by
incompetent or malicious persons who use this software possibly running on
your machine. Therefore, please remove this software as soon as possible.
Click the "Start" menu, select "Run", enter there:
rundll32 [path to this DLL],Uninstall
and click "OK"
************************************************************

This provides genuine information about the removal of the backdoor: the Uninstall entry point is the backdoor's own removal mechanism mentioned at the start of the Technical Details.

More information on removal can be found in the Disinfection section.


Detection Type: PC

Database: 2003-10-01_01
