The Trojan horse arrives in a user's e-mail posing as a screen saver or game update, but once executed, it turns the victim's PC into an "open client." Then, a hacker can add, delete, move or execute files on the victim's computer at will from anywhere on the Internet. BackDoor-G is being sent out in spam mail, according to Sal Viveros, group marketing manager at Network Associates. The company discovered it Wednesday.
Updated versions of virus-scanning software, including Network Associates products, will detect BackDoor-G and clean it from a victim's system.
Such "remote administration tools" started to surface last year when Back Orifice was released by a group calling itself the Cult of the Dead Cow. NetBus, another such tool, has since been developed into a commercial product by its author. With both programs, a victim is tricked into executing an e-mail attachment which then opens his PC to remote connections via the Internet. Once a victim is infected, a hacker can do anything to a machine that the victim can -- included erasing all files or copying all files.
Such tools represent a dangerous blending of what might once have been considered relatively harmless pranks by virus writers and hackers, Viveros said: "We're seeing these types of malicious code attacks, which are trying to attack information directly or indirectly," he said. "Now we're seeming to blur the lines between malicious code attacks and [data] vulnerability."
BackDoor-G already has a variant -- a very similar Trojan named "Armageddon" was discovered in France Thursday morning. Several Network Associates clients opened the attachment and exposed their systems, Viveros said. But when the promised screen saver did not execute, they called the virus company.
He did not know immediately whether any data had been stolen but said he suspected there have been victims "because of the number of people we've had turn it in to us. We only get a small percentage." BackDoor-G installs three files on a user's system in the Windows and Windows/System directories. First, BackDoor-G.ldr is installed in the Windows folder and is used to load the main Trojan server. Then BackDoor-G.srv, the main Trojan that receives and executes commands, is installed in the Windows folder.
According to Network Associates, BackDoor-G.srv contains copies of Watching.dll or Lmdrk_33.dll. This DLL is copied into the WINDOWS/SYSTEM folder and is used by the Trojan server to monitor the Internet for connections from the client software. This file can be identified as BackDoor-G.dll. A configuration program called BackDoor-G.cfg is also dropped on the victim's machine.