Sophos

Troj/Bdoor-IC

Aliases
  • Trojan-Dropper.Win32.Small.oe
  • Backdoor.Win32.Small.cl
  • BKDR_SMALL.CL

Affected operating systems: Windows
Characteristics:
  • Installs itself in the registry
Protection available since: 20 May 2005 08:31:54 (GMT)
Detected by: All Sophos products

More Information

Troj/Bdoor-IC is a backdoor Trojan on the Windows platform.

When run, the Trojan drops two files into the Windows System folder:

  • 1111swapmgr.exe - main backdoor Trojan component
  • 1111tapidef.dll - DLL helper Trojan component

and runs the main backdoor component in the background as a service process.

Both dropped files are also detected by Sophos as Troj/Bdoor-IC.

When the main backdoor Trojan component is run, it sets one of the following two registry entries so that it runs at user logon.

Either it changes the following default Windows registry entry

from:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
explorer.exe

to:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
explorer.exe %SYSTEM%\1111swapmgr.exe

or it creates the following registry entry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
1111swapmgr.exe
%SYSTEM%\1111swapmgr.exe

Once installed, Troj/Bdoor-IC opens a listening server on a random TCP port and awaits instructions from a remote attacker. The main backdoor Trojan component then uses the DLL helper component to hook itself into the Internet Explorer process in order to hide its presence.

Troj/Bdoor-IC may then attempt to perform any of the following actions when instructed to do so by a remote intruder:

  • download files from the internet and run them
  • change the Internet Explorer Start Page by changing the following registry entry:
    HKCU\Software\Microsoft\Internet Explorer\Main
    Start Page
  • allow the infected machine to act as an HTTP proxy server, redirecting internet traffic
  • engage in distributed denial of service (DDoS) attacks
  • transfer files over the internet via HTTP and FTP

The Trojan also terminates the process associated with tcpsvc.exe and deletes the file tcpsvc.exe.

Troj/Bdoor-IC may also set the following registry entries:

HKLM\Software\Microsoft
SystemID

HKLM\Software\Microsoft
SystemType
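The two logon persistence entries described above (the modified Winlogon Shell value and the Run key entry) and the SystemID/SystemType marker values are the registry artefacts a responder would check for on a suspect host. The script below is an added example, not part of the Sophos description: it parses a registry export in the .reg text format written by `reg export` and flags those indicators. The embedded export is constructed for this example, the file paths in it are placeholders for %SYSTEM%, and the Winlogon Shell check is generalised to flag any value other than the default `explorer.exe`, since appending a program to that value is a persistence technique that is not specific to this Trojan.

```python
"""Hunt for Troj/Bdoor-IC registry indicators in a .reg export (example code).

The registry export below is constructed for this example; it is not a real
capture. Key and value names come from the Sophos description of Troj/Bdoor-IC.
"""
import re
from typing import Dict, List, Optional

RegSnapshot = Dict[str, Dict[str, str]]

# Constructed sample: what `reg export` of the relevant keys could look like on
# an infected host. The C:\WINDOWS\system32 paths are placeholders for %SYSTEM%
# and the SystemID/SystemType data are constructed values.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe C:\\WINDOWS\\system32\\1111swapmgr.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"1111swapmgr.exe"="C:\\WINDOWS\\system32\\1111swapmgr.exe"
"SoundMAX"="C:\\Program Files\\Analog Devices\\SoundMAX\\SMTray.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft]
"SystemID"="constructed-value"
"SystemType"="constructed-value"
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

# Registry paths are case-insensitive, so keys are normalised to lower case.
WINLOGON_KEY = r"hklm\software\microsoft\windows nt\currentversion\winlogon"
RUN_KEY = r"hklm\software\microsoft\windows\currentversion\run"
MARKER_KEY = r"hklm\software\microsoft"
DROPPED_FILES = ("1111swapmgr.exe", "1111tapidef.dll")


def _unescape(s: str) -> str:
    # .reg files escape backslash and double quote with a leading backslash
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg_export(text: str) -> RegSnapshot:
    """Parse the subset of .reg syntax needed here: [key] headers and
    "name"="string" values. Non-string data (dword:, hex:) is kept raw."""
    snapshot: RegSnapshot = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = KEY_RE.match(line)
        if m:
            current = (m.group(1)
                       .replace("HKEY_LOCAL_MACHINE", "HKLM")
                       .replace("HKEY_CURRENT_USER", "HKCU")
                       .lower())
            snapshot.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = _unescape(m.group(1))
            data = m.group(2)
            if data.startswith('"') and data.endswith('"'):
                data = _unescape(data[1:-1])
            snapshot[current][name] = data
    return snapshot


def _value(values: Dict[str, str], name: str) -> Optional[str]:
    # Value names are case-insensitive in the registry as well
    for k, v in values.items():
        if k.lower() == name.lower():
            return v
    return None


def find_indicators(snapshot: RegSnapshot) -> List[str]:
    """Return a list of "SEVERITY: description" findings, empty when clean."""
    findings: List[str] = []
    shell = _value(snapshot.get(WINLOGON_KEY, {}), "Shell")
    # Generalised check: the default Shell is exactly "explorer.exe"; anything
    # appended to it runs at logon, whichever malware family put it there.
    if shell is not None and shell.strip().lower() != "explorer.exe":
        severity = "HIGH" if "1111swapmgr.exe" in shell.lower() else "MEDIUM"
        findings.append(f"{severity}: Winlogon Shell modified: {shell!r}")
    for name, data in snapshot.get(RUN_KEY, {}).items():
        if any(f in data.lower() or f in name.lower() for f in DROPPED_FILES):
            findings.append(f"HIGH: Run entry {name!r} -> {data!r}")
    markers = snapshot.get(MARKER_KEY, {})
    present = [v for v in ("SystemID", "SystemType") if _value(markers, v) is not None]
    if present:
        # Weak on its own: the description says the Trojan "may" set these
        findings.append(f"LOW: marker value(s) {present} under HKLM\\Software\\Microsoft")
    return findings


if __name__ == "__main__":
    for finding in find_indicators(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(finding)
```

On a live host the same logic applies to the output of `reg export` for the three keys; only the Winlogon Shell and Run entries are strong indicators, and the SystemID/SystemType values should be treated as corroborating evidence rather than a detection on their own.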
