Summary

| Detected by | All Sophos products |
|---|---|
Action
Please follow the instructions for removing Trojans.
Install the patch described in Microsoft Security Bulletin MS00-78 before the server is put back on the network. An unpatched IIS 4 or 5 server is still open to the same "Web Server Folder Traversal" attack and can simply be compromised again.
The other files dropped by the Trojan are not harmful in themselves, but note that the FTP server rundll.exe, the IRC file server scvhost.exe and the FireDaemon.exe service wrapper are clean applications that will not be detected by Sophos Anti-Virus. Because they were registered as services, they stay running (and remotely reachable) until you stop those services and delete the files and folders listed under More Information yourself.
More Information
Troj/TKBot-A is an IRC backdoor Trojan principally targeted at computers running Microsoft IIS version 4 or 5 on Windows NT/2000. It is planted on those servers by exploiting the "Web Server Folder Traversal" security vulnerability; a description of the vulnerability and its patch can be found at Microsoft Security Bulletin MS00-78.
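Since the folder traversal is the way in, the IIS log is the first place to establish when and from where the server was hit. The following Python script is an added example written for this page (it is not Sophos code and not part of the Trojan). It runs over constructed IIS W3C-format log lines: it URL-decodes the request path the lenient way a vulnerable decoder did, counts overlong two-byte UTF-8 sequences (the "%c0%af" and "%c1%9c" spellings of "/" and "\" that this class of bug accepted after the ".." check had already passed), and flags requests whose decoded path climbs above the virtual root or names cmd.exe. The field order, the sample addresses and the "/c+dir" query are assumptions for illustration.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed sample lines in the IIS W3C extended format
# (date time c-ip cs-method cs-uri-stem cs-uri-query sc-status). Not a real capture.
SAMPLE_LOG = """\
2001-05-12 03:14:22 10.0.0.7 GET /default.asp - 200
2001-05-12 03:14:25 10.0.0.7 GET /docs/my%20file.htm - 200
2001-05-12 03:14:31 192.0.2.55 GET /scripts/../../winnt/system32/cmd.exe /c+dir 404
2001-05-12 03:14:36 192.0.2.55 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 200
2001-05-12 03:14:40 192.0.2.55 GET /scripts/..%c1%9c../winnt/system32/cmd.exe /c+dir 200
2001-05-12 03:15:02 10.0.0.9 GET /images/logo.gif - 304
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\S+) (\d{3})\s*$")


def lax_utf8_decode(raw: bytes):
    """Decode like a lenient decoder: a two-byte lead (0xC0-0xDF) swallows the
    next byte and masks six bits from it whether or not it is a valid
    continuation byte. Overlong forms (two bytes yielding a code point < 0x80)
    are counted; a strict decoder rejects them, and they are exactly how "/"
    and "\\" were smuggled past the pre-decoding ".." check.
    Returns (decoded_text, overlong_count)."""
    out, overlong, i = [], 0, 0
    while i < len(raw):
        b = raw[i]
        if 0xC0 <= b <= 0xDF and i + 1 < len(raw):
            cp = ((b & 0x1F) << 6) | (raw[i + 1] & 0x3F)
            if cp < 0x80:
                overlong += 1
            out.append(chr(cp))
            i += 2
        else:
            out.append(chr(b))  # single byte, treated as Latin-1
            i += 1
    return "".join(out), overlong


def escapes_root(path: str) -> bool:
    """True if the '..' segments in path climb above the virtual root."""
    depth = 0
    for seg in re.split(r"[\\/]+", path):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg and seg != ".":
            depth += 1
    return False


def analyse_line(line: str):
    """Return a finding dict for a suspicious request, or None for a clean one."""
    m = LOG_RE.match(line)
    if not m:
        return None
    _date, _time, ip, _method, stem, _query, status = m.groups()
    decoded, overlong = lax_utf8_decode(unquote_to_bytes(stem))
    reasons = []
    if overlong:
        reasons.append("overlong-utf8")
    if escapes_root(decoded):
        reasons.append("traversal")
    if "cmd.exe" in decoded.lower():
        reasons.append("cmd.exe")
    if not reasons:
        return None
    return {"ip": ip, "stem": stem, "decoded": decoded, "status": int(status),
            "reasons": reasons, "succeeded": int(status) == 200}


def scan(log_text: str):
    """All findings for a block of log text, in file order."""
    return [f for f in (analyse_line(l) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["ip"], f["status"], ",".join(f["reasons"]), f["decoded"])
```

The status code matters when reading the output: a traversal attempt with a 404 shows someone probing, while an overlong-encoded request that came back 200 is a command that ran, and its timestamp bounds when the Trojan's files arrived.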
When executed, the Trojan creates the folder \<Program Files>\Microsoft\Update\DLL\tk and copies thirty files into it. Two of these files, rundll.exe and mstaskmgr.exe, are registered and started as services using FireDaemon.exe, a clean service-wrapper application that is also packaged with the Trojan.
Rundll.exe (not to be confused with the legitimate Windows rundll32.exe) is the server component of a commercially available FTP server application and will not be detected by Sophos Anti-Virus.
Mstaskmgr.exe is a modified mIRC client which works in conjunction with the mIRC script in the file task.cnf to form the core of the backdoor capabilities of this Trojan. Both mstaskmgr.exe and task.cnf will be detected as Troj/TKBot-A.
The Trojan's mIRC client joins a particular IRC channel and waits there for the attacker. An attacker who connects to that channel can issue commands to Troj/TKBot-A, which interprets them as actions to carry out on the victim's computer: uploading files to and downloading files from the victim's machine, running executables remotely and retrieving information about the victim's computer.
The file vmz.exe, also installed in the main folder, is a self-extracting archive which, if executed, creates the folder \<Windows>\System32\Microsoft\Crypto and copies a further thirteen files into it. A service named svhost is then started from the file scvhost.exe; both names are chosen to resemble the legitimate Windows svchost.exe. The file scvhost.exe contains an IRC file server application and will not be detected by Sophos Anti-Virus.
