Home > Trojan > BackDoor-ABF

BackDoor-ABF

March 7th, 2010 Leave a comment Go to comments

What is BackDoor-ABF?

BackDoor-ABF is a Trojan that spread manually using distribution channels in IRC, file-sharing networks, newsgroup and spam e-mail messages. When infected, BackDoor-ABF will create a port that will allow a remote attacker to gain control of the affected computer.

Type Trojan
Sub-Type Backdoor
Aliases BackDoor.VB.20.C, W32.SillyDC,
Worm.Win32.Basun.wsc, Trojan:Win32/VB
OS Affected Windows
Detected By McAfee

What are the Symptoms of BackDoor-ABF Infection?

It will modify Windows Registry and add the following entries:

  • [HKEY_CURRENT_USER\S-1-(Varies)\Software\Microsoft\Windows\Current Version\Run\]
    “Administrator” = “%USERPROFILE%\Administrator.exe”
  • [HKEY_CURRENT_USER\S-1-(Varies)\Software\Microsoft\Windows\Current Version\Run\]
    “riiin” = “%USERPROFILE%\riiin.exe”
  • [HKEY_CURRENT_USER\S-1-(Varies)\Software\Microsoft\Windows\Current Version\Run\]
    “TOY5KNQ8OC” = “%Temp%\Nz1.exe”
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control \Print\Providers\tdl
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control \SecurityProviders\SCHANNEL
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services \SSHNAS HKEY_CURRENT_USER\S-1-(Varies)\Software\ROUA3O12PW HKEY_CURRENT_USER\S-1-(Varies) \Software\TOY5KNQ8OC
  • HKEY_CURRENT_USER\S-1-(Varies)\Software\XML

The threat will drop the following malicious files:

  • %USERPROFILE%\Administrator.exe
  • %USERPROFILE%\Local Settings\Temp\3.tmp
  • %USERPROFILE%\Local Settings\Temp\Nz0.exe
  • %USERPROFILE%\Local Settings\Temp\Nzz.exe
  • %USERPROFILE%\riiin.exe [Random] 
  • %USERPROFILE%\Administrator\foosah.exe
  • %USERPROFILE%\Administrator\RerZNy.bat
  • %USERPROFILE%\Administrator\SpyoYs.exe
  • %USERPROFILE%\Local Settings\Temp\Nz1.exe
  • %WINDOWS%\system32\sshnas21.dll
  • %WINDOWS%\msa.exe

How to Remove BackDoor-ABF Manually

1. Restart your computer in SafeMode
- After Power-On the computer, just before Windows start, press F8
- From the selections, Select SafeMode

2. Remove Registry entries that the threat added. You MUST BACKUP YOUR REGISTRY FIRST.
- Click Start > Run
- Type in the field, regedit
- Navigate and look for the registry entries mentioned above and delete if necessary

3. Delete malicious files that the threat added:
- Base on the given location above, browse and delete the file
- If no location is given, click Start>Search> and search for the files.
- If cannot be deleted, press Ctrl+Alt+Del to access Task Manager, see if the file is running in the process. If it is, select the file and click End Process. Perform file delete again.

4. Scan computer with Antivirus Program
- Update antivirus program
- Scan computer and delete all detected threats.

Categories: Trojan Tags: ,
  1. No comments yet.
  1. No trackbacks yet.