Summary

| Included in our products from | December 2002 (3.64) |
|---|---|
| Detected by | All Sophos products |
Action

Please read the instructions for removing Trojans.
More Information
Troj/Netdex-A is a backdoor Trojan which allows unauthorised remote access to the computer. The Trojan is composed of several parts. When a user connects to an infected website the file BANNER.HTML may be run.
BANNER.HTML drops and executes two files on the victim's computer, A.COM and ZSHELL.JS. ZSHELL.JS is dropped in the Cookies folder. When this file is run it drops a BAT file that executes and then deletes A.COM; the BAT file is then also deleted. Finally ZSHELL.JS runs NETD.EXE, which is created in the Windows Temp folder when A.COM is run. All communication with the remote server goes through NETD.EXE, which downloads the file INSTALL.PHP from the remote server.
INSTALL.PHP creates the file REPOST.HTML and edits a registry entry to point to this file. It then runs NETD.EXE with a parameter to get SH.PHP.
SH.PHP is the main Trojan script. It runs NETD.EXE with an option to retrieve the set of commands that the Trojan should execute. SH.PHP is then copied over ZSHELL.JS: NETD.EXE uses two files for input and output, reading I.JS for the data to send to the server and writing the received data to O.JS, and the new O.JS is copied over the old ZSHELL.JS so that the script can be updated remotely. The time zone synchronisation registry entries are modified to point to ZSHELL.JS so that it is run periodically.
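As an added defensive example (not code from the Sophos write-up): a small triage script that turns the drop locations described above into a rule list and checks a directory tree for them, ranking a hit in the folder the description names above a stray copy elsewhere. The folder names (Cookies, Temp) and the demo snapshot it builds are assumptions for the demonstration; the file names come from the description.

```python
import os
import tempfile
# Artifacts named in the Troj/Netdex-A description: (name, expected parent folder or None, role).
NETDEX_ARTIFACTS = [
    ("ZSHELL.JS", "cookies", "script dropped by BANNER.HTML, re-run via registry entries"),
    ("A.COM", None, "dropped by BANNER.HTML, creates NETD.EXE when run"),
    ("NETD.EXE", "temp", "network component that fetches INSTALL.PHP and SH.PHP"),
    ("I.JS", None, "input file read by NETD.EXE"),
    ("O.JS", None, "output file written by NETD.EXE, copied over ZSHELL.JS"),
    ("REPOST.HTML", None, "created by INSTALL.PHP"),
]

def scan_for_netdex(root):
    """Walk `root`; return one dict per artifact found. Names match case-insensitively
    (Windows file systems are), and a hit in the folder the write-up names is marked
    so it can be ranked above a stray copy of the same name elsewhere."""
    wanted = {name: (folder, role) for name, folder, role in NETDEX_ARTIFACTS}
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        parent = os.path.basename(dirpath).lower()
        for fn in files:
            entry = wanted.get(fn.upper())
            if entry is None:
                continue
            folder, role = entry
            hits.append({"name": fn.upper(), "path": os.path.join(dirpath, fn),
                         "role": role,
                         "in_expected_folder": folder is None or parent == folder})
    return hits

def build_demo_snapshot():
    """Constructed sample tree (not a real infection): two artifacts in their assumed
    folders, one stray copy of ZSHELL.JS, and a benign file that must not match."""
    root = tempfile.mkdtemp(prefix="netdex_demo_")
    layout = {"Cookies/zshell.js": "// dropped script",
              "Windows/Temp/netd.exe": "MZ",
              "Windows/Temp/i.js": "",
              "Documents/zshell.js": "// stray copy outside the Cookies folder",
              "Documents/notes.txt": "benign"}
    for rel, content in layout.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(content)
    return root

if __name__ == "__main__":
    for hit in scan_for_netdex(build_demo_snapshot()):
        print(hit["path"], hit["role"], "expected" if hit["in_expected_folder"] else "stray")
```

Pointing `scan_for_netdex` at a user profile or the Windows folder on a suspect machine gives the same report for real data; a file name alone is only an indicator, so confirm hits against the behaviour described above before acting on them.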
