Troj/Hzdoor-A is a backdoor Trojan for the Windows platform.
When first run Troj/Hzdoor-A copies itself to the Windows system folder as ccEvtMngr.exe and creates the following registry entry in order to run each time a user logs on:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
nortonsantivirus
"<Windows system folder>\ccEvtMngr.exe"
The Trojan joins an IRC channel and awaits further commands from a remote user. Troj/Hzdoor-A can then be instructed to perform the following functions:
start an FTP server
start a port scanner
modify the system registry
download/execute arbitrary files
harvest system information
Troj/Hzdoor-A drops a file to the Windows system folder as ccSetMngr.exe and then runs it. The dropped file exploits a buffer overflow vulnerability in Microsoft servers running the WINS service. Successful exploitation of this exploit results in the server allowing remote shell access. A patch is available from Microsoft for the WINS buffer overflow vulnerability at:
http://www.microsoft.com/technet/security/bulletin/MS04-045.mspx
Sophos Anti-Virus products detect ccSetMngr.exe as Troj/Winser-A.