Updated: Backdoor trojans make their presence felt
By Alun Williams
Posted on 12 Nov 2003 at 11:37
A virus never sleeps. Nor, it seems, do they stop mutating and breeding: there are two new threats to computer users, BDSinit-A and Webber-C.
Strictly speaking, they are back-door trojans rather than 'viruses', but both allow a remote attacker to control your system. The anti-virus specialist Sophos has already received several reports from the wild of both threats.
BDSinit-A works by copying itself into the Windows system folder as svcinit.exe and modifying the Registry so that it is executed on system start-up.
Once running, it opens a random port on the PC in order to receive commands from a remote attacker.
Webber-C, believed to be of Eastern European (probably Polish) origin, is slightly more involved. Its loader component downloads the cargo from a web address (www.valenok.red-host.com) into the Windows system folder and then executes it. The downloaded component is a password-stealing trojan: it attempts to extract sensitive information from several locations on the system, for example files containing password info, and then sends it to another part of the website.
The downloaded component is hard to detect because it is stored under a random name. And because the trojan checks for orders from a website, the attacker has flexibility over what Webber-C actually does: its behaviour is not hard-coded into the trojan itself.
Sophos reports that Webber-C can also function as a web proxy, and it is believed it may be used to monitor users' web activity and retrieve information, possibly financial details.
You can find more info on Troj/BDSinit-A and Troj/Webber-C on the Sophos website.
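The two indicators named above (svcinit.exe in the Windows system folder, and the host www.valenok.red-host.com) can be checked against exported autorun entries and proxy URLs. This is an added example, not from the article or from Sophos; the registry location, sample entries and URLs are constructed, and treating the "system folder" as a directory named system or system32 is an assumption.

```python
import ntpath
import re
from urllib.parse import urlsplit

# Indicators named in the article.
BDSINIT_FILE = "svcinit.exe"
WEBBER_HOST = "www.valenok.red-host.com"
# Assumption: "Windows system folder" is a directory named system or system32.
SYSTEM_DIRS = {"system", "system32"}

def command_exe(command):
    """Extract the executable path from an autorun command line."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    # Unquoted: cut at the first ".exe" so paths containing spaces survive.
    m = re.match(r"(.+?\.exe)\b", command, re.IGNORECASE)
    return m.group(1) if m else command.split(" ", 1)[0]

def flag_autoruns(entries):
    """Return autorun entries that start svcinit.exe from a system folder."""
    hits = []
    for location, command in entries:
        folder, name = ntpath.split(command_exe(command))
        if (name.lower() == BDSINIT_FILE
                and ntpath.basename(folder).lower() in SYSTEM_DIRS):
            hits.append((location, command))
    return hits

def flag_urls(urls):
    """Return URLs whose host (not path or query) is the Webber-C site."""
    def host(url):
        return (urlsplit(url if "://" in url else "//" + url).hostname or "").rstrip(".")
    return [u for u in urls if host(u) == WEBBER_HOST]

# Constructed sample data (not real telemetry).
RUN = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
AUTORUNS = [
    (RUN, r'"C:\WINDOWS\System32\SVCINIT.EXE" /s'),
    (RUN, r"%SystemRoot%\system32\svcinit.exe"),
    (RUN, r"C:\Program Files\Vendor\svcinit.exe"),   # same name, other folder
    (RUN, r"C:\WINDOWS\system32\ctfmon.exe"),
]
URLS = ["http://WWW.VALENOK.RED-HOST.COM:80/a", "www.valenok.red-host.com/b",
        "http://example.test/?ref=www.valenok.red-host.com"]

if __name__ == "__main__":
    print(flag_autoruns(AUTORUNS), flag_urls(URLS))
```

Matching on the file name and folder only catches BDSinit-A; the Webber-C payload is stored under a random name, so for that trojan the host match on outbound traffic is the usable indicator here.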