
CiaDoor

Classification

Category:

Malware

Type:

Backdoor

Aliases:

  • CiaDoor
  • Backdoor.CiaDoor

Summary

The CiaDoor backdoor is a family of backdoors generated by the C.I.A development kit. The backdoor is written in Visual Basic and compiled as p-code. It may additionally be packed with an executable packer such as UPX.

The development kit lets the author customize the capabilities of the server part (listening port, password, services, etc.). This approach was first introduced by the Back Orifice 2000 backdoor, and it gives backdoors much more flexibility.

Removal

Technical Details

When run, the backdoor copies itself to the Windows directory under a configurable name, for example "Csrss.exe". It then modifies the Windows Registry so that it is run at every Windows startup.

It creates the following registry keys:

[HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA855-CC51-11CF-AAFA-00AA00B6017B}]
"StubPath" = "%Windir%\%filename%"
"ComponentID" = %name%
"IsInstalled" = 1
"Locale" = "en"
"Version" = "4,88,55,1"

where %filename% is the actual file name in the Windows directory, for example "Csrss.exe", and %name% is configurable by the author; it can be, for example, "Runtime Process".

The backdoor can also install and modify the following registry keys:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\winlogon
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Run

If the system is Win9x, the backdoor also modifies the files

WIN.INI
SYSTEM.INI
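The autostart pattern described above (an Active Setup StubPath or a Run-key value that launches an executable dropped straight into the Windows directory, where a name like Csrss.exe does not belong) can be audited offline from a registry export. The following is an added example, not F-Secure's own tooling: it parses .reg text of the kind the Windows `reg export` command produces and flags every listed autostart location whose program sits in the Windows directory root. The .reg text is constructed sample data, and WINDIR is an assumed fixed expansion of %Windir% so the script runs on any platform.

```python
"""Audit a Windows registry export (.reg text) for autostart entries that launch
an executable placed directly in the Windows directory. Added example; the .reg
sample is constructed and WINDIR is an assumption for offline use."""
import ntpath
import re

WINDIR = r"C:\WINDOWS"  # assumption: what %Windir% expands to on the sample system

# Autostart keys named in the description (checked under both HKLM and HKCU).
AUTOSTART_SUBKEYS = {
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run",
    r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\winlogon",
    r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Run",
}
ACTIVE_SETUP_PREFIX = r"SOFTWARE\Microsoft\Active Setup\Installed Components" + "\\"

# Constructed sample export: one CiaDoor-style Active Setup entry, one Run value
# pointing at the dropped file, and two benign entries that must not be flagged.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA855-CC51-11CF-AAFA-00AA00B6017B}]
"StubPath"="%Windir%\\Csrss.exe"
"ComponentID"="Runtime Process"
"IsInstalled"=dword:00000001
"Locale"="en"
"Version"="4,88,55,1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdaterTray"="C:\\WINDOWS\\system32\\updtray.exe"
"Runtime Process"="C:\\WINDOWS\\Csrss.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SyncClient"="\"C:\\Users\\alice\\AppData\\Local\\SyncClient\\sync.exe\" /background"
'''


def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: data}}. Handles string
    values (with \\ and \" escapes) and dword values; other types stay raw."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and "=" in line and not line.startswith(";"):
            name, _, data = line.partition("=")
            name = "(Default)" if name == "@" else name.strip('"')
            if data.startswith("dword:"):
                keys[current][name] = int(data[len("dword:"):], 16)
            elif data.startswith('"'):
                keys[current][name] = re.sub(r'\\(["\\])', r'\1', data.strip('"'))
            else:
                keys[current][name] = data
    return keys


def executable_of(command):
    """Return the program path from an autostart command line (quoted or bare)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def in_windows_root(path):
    """True if path names an .exe sitting directly in the Windows directory."""
    expanded = re.sub(r"%windir%", lambda _: WINDIR, path, flags=re.IGNORECASE)
    head, tail = ntpath.split(expanded)
    return tail.lower().endswith(".exe") and ntpath.normcase(head) == ntpath.normcase(WINDIR)


def audit(reg_text):
    """Return (key, value_name, data) for every listed autostart entry that
    launches an executable from the Windows directory root."""
    findings = []
    autostart = {k.lower() for k in AUTOSTART_SUBKEYS}
    for key, values in parse_reg(reg_text).items():
        _hive, _, subkey = key.partition("\\")
        if subkey.lower().startswith(ACTIVE_SETUP_PREFIX.lower()):
            stub = values.get("StubPath", "")
            if isinstance(stub, str) and in_windows_root(executable_of(stub)):
                findings.append((key, "StubPath", stub))
        elif subkey.lower() in autostart:
            for name, data in values.items():
                if isinstance(data, str) and in_windows_root(executable_of(data)):
                    findings.append((key, name, data))
    return findings


if __name__ == "__main__":
    for key, name, data in audit(SAMPLE_REG):
        print(f"[suspicious autostart] {key} :: {name} = {data}")
```

On the sample the audit reports the Active Setup StubPath and the "Runtime Process" Run value, and leaves the System32 and per-user entries alone. The rule is deliberately about location rather than file name: a System32-style process name in the Windows root is the masquerade described above, but any executable launched from there at startup deserves a look.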

After installation, the backdoor starts its services and displays a configurable fake error message.

The server part can have any of the following capabilities:

1. Copy, delete, upload, download, and execute files
2. Enumerate and kill processes
3. Manipulate system settings (CD-ROM, keyboard, mouse)
4. Capture screenshots, audio and keystrokes
5. Shut down Windows
6. Fake MSN login screen to steal account information
7. Steal CD keys of various games and applications

The actual server port is configurable. An example banner of the server (version 1.21) looks like this:

(__( C.I.A v1.21 - Enter Password)__)

CiaDoor also starts an FTP service for manipulating files on the local filesystem. The FTP service uses the standard FTP port (TCP 21). The server banner looks like this:

220-
220- (___( C.I.A v1.21 Ftp Server Ready )___)
220- (___( Welcome pokermon)___)
220- (___( Coded By Alch3mist of th3 DCC )___)
220- (___( http://dcc.darksideofkalez.com )___)
220
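Both banners carry the same "C.I.A v<version>" marker, which makes them a simple network-side indicator. The following is an added example, not F-Secure's code: it parses a captured FTP greeting as an RFC 959 multi-line reply (so the match is made on the assembled reply body rather than on individual "220-" lines) and classifies either banner, returning the version seen. The session samples are constructed from the banner strings quoted above plus one benign FTP greeting.

```python
"""Recognise the CiaDoor control-port and FTP banners in captured session text.
Added example; the samples are constructed from the banners in the description."""
import re

# "C.I.A v<version>" appears in both the control-port and the FTP banners.
CIA_BANNER_RE = re.compile(r"C\.I\.A v(\d+(?:\.\d+)*)")

# Constructed samples: the two banners from the description and a benign greeting.
CONTROL_BANNER = "(__( C.I.A v1.21 - Enter Password)__)"
FTP_GREETING = [
    "220-",
    "220- (___( C.I.A v1.21 Ftp Server Ready )___)",
    "220- (___( Welcome pokermon)___)",
    "220- (___( Coded By Alch3mist of th3 DCC )___)",
    "220- (___( http://dcc.darksideofkalez.com )___)",
    "220",
]
BENIGN_GREETING = ["220 ftp.example.test FTP server ready."]


def parse_ftp_reply(lines):
    """Join an FTP reply into (code, body_text). 'NNN-' opens or continues a
    multi-line reply; 'NNN ' or a bare 'NNN' closes it (RFC 959)."""
    body = []
    for line in lines:
        m = re.match(r"(\d{3})([ -]?)(.*)$", line)
        if not m:
            raise ValueError(f"not an FTP reply line: {line!r}")
        code, sep, rest = m.groups()
        body.append(rest.strip())
        if sep != "-":
            return code, "\n".join(body)
    raise ValueError("multi-line reply never terminated")


def classify_banner(text):
    """Return a detection dict for a CiaDoor banner, or None if absent."""
    m = CIA_BANNER_RE.search(text)
    if not m:
        return None
    service = "ftp" if "Ftp Server" in text else "control"
    return {"family": "CiaDoor", "version": m.group(1), "service": service}


def classify_ftp_greeting(lines):
    """Classify a captured FTP greeting; only a 220 reply is a greeting."""
    code, body = parse_ftp_reply(lines)
    if code != "220":
        return None
    return classify_banner(body)


if __name__ == "__main__":
    print(classify_banner(CONTROL_BANNER))
    print(classify_ftp_greeting(FTP_GREETING))
    print(classify_ftp_greeting(BENIGN_GREETING))
```

Because the server port is configurable, the control banner can show up on any TCP port; matching on the banner text rather than on port 21 or a fixed control port is what keeps the check useful.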

CiaDoor tries to use various Web pages and email accounts to notify the author that victims are online.
