Backdoor.Win32.Turkojan


1. What is Backdoor.Win32.Turkojan?

Backdoor.Turkojan is a malicious backdoor trojan that runs in the background and gives remote attackers access to and control of the targeted computer system without the user's knowledge. Backdoor.Turkojan is able to steal passwords, log keystrokes, create screenshots, and control the affected computer system. Backdoor.Turkojan can compromise system integrity by making modifications to the system that enable the attacker to use it for malicious activities unknown to the user.


2. Technical Details:


a. The following files were created in the system:


No.  Filename                                                         Size
1    %Windir%\cmsetac.dll                                             33,792 bytes
2    %Windir%\KB8888239.log                                           888 bytes
3    %Windir%\mstwain32.exe  [file and pathname of the sample #1]     111,104 bytes
4    %Windir%\ntdtcstp.dll                                            7,168 bytes

Notes:

%Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.

b. Memory Modifications

  • The following new processes were created in the system:

Process Name Process Filename Main Module Size
[filename of the sample #1] [file and pathname of the sample #1] 327,680 bytes
mstwain32.exe %Windir%\mstwain32.exe 327,680 bytes
  • Attention! The following processes were intentionally hidden from the user:

Process Name Main Module Size
mstwain32.exe 327,680 bytes
  • The following modules were loaded into the address space of other process(es):

Module Name Module Filename
cmsetac.dll %Windir%\cmsetac.dll
ntdtcstp.dll %Windir%\ntdtcstp.dll
  • Notes:
    • %System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
    • %ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files.

c. Registry Modifications

  • The newly created Registry Value is:
    • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
      • mstwain32 = "%Windir%\mstwain32.exe"

      so that mstwain32.exe runs every time Windows starts
d. Other details

  • To mark its presence in the system, the following Mutex objects were created:
    • ASPLOG
    • WBEMPROVIDERSTATICMUTEX
    • DENEK
  • The following ports were open in the system:

    Port  Protocol  Process
    1033  TCP       mstwain32.exe (%Windir%\mstwain32.exe)
    1034  TCP       mstwain32.exe (%Windir%\mstwain32.exe)
  • The following host name was requested from a host database:
    • break.no-ip.biz
  • An attempt to establish a connection with a remote host was recorded. The connection details are:

    Remote Host      Port Number
    break.no-ip.biz  15963
  • Application-defined hook procedures were installed into the hook chain (e.g. to monitor keystrokes). The installed hooks are handled by the following modules:
    • %Windir%\ntdtcstp.dll
    • %Windir%\cmsetac.dll


3. How-to's

a. How to prevent Backdoor.Win32.Turkojan?

Please keep the Sax2 policy knowledge base up to date. Once Ax3soft Sax2 detects the communication of these trojans, it will break the connections and help secure your network and business.

b. How to remove Backdoor.Win32.Turkojan manually?

Step 1: Unregister the following Backdoor.Win32.Turkojan.i DLL files:
%System%\ntdtcstp.dll
%System%\cmsetac.dll

Step 2: Locate and delete the following Backdoor.Win32.Turkojan.i files:
%System%\ntdtcstp.dll
%Windir%\KB8888239.log
%Temp%\ala1.tmp
%System%\cmsetac.dll
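Before removing anything, an administrator will want to confirm which of the indicators listed in this report are actually present on a host. The following read-only PowerShell check is an added example, not part of this page or of Ax3soft's Sax2; it assumes PowerShell 3 or later and the Get-NetTCPConnection / Get-DnsClientCache cmdlets (Windows 8 / Server 2012 and later), and looks in both %Windir% and %System% because the report names both locations for the DLLs.

```powershell
# Added example, not from this page or Ax3soft. Read-only check for the Turkojan
# indicators in this report; it only reports findings and changes nothing.
# Assumes PowerShell 3+ and the NetTCPIP / DnsClient cmdlets (Windows 8 / 2012+).
$win = $env:windir
$sys = Join-Path $win 'System32'
$findings = New-Object System.Collections.Generic.List[string]
# 1. Dropped files (section 2a and step 2 of the manual removal). Both %Windir%
#    and %System% are checked because the report names both locations.
$paths = @(
    (Join-Path $win 'cmsetac.dll'),   (Join-Path $sys 'cmsetac.dll'),
    (Join-Path $win 'ntdtcstp.dll'),  (Join-Path $sys 'ntdtcstp.dll'),
    (Join-Path $win 'mstwain32.exe'), (Join-Path $win 'KB8888239.log'),
    (Join-Path $env:TEMP 'ala1.tmp')
)
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) {
        $findings.Add("File present: $p ($((Get-Item -LiteralPath $p).Length) bytes)")
    }
}
# 2. Persistence: the HKCU Run value named mstwain32 (section 2c).
$run = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' `
       -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['mstwain32']) {
    $findings.Add("Run value: mstwain32 = $($run.mstwain32)")
}
# 3. Process and loaded modules (section 2b). The report says the process is
#    hidden from the user, so a clean result here does not prove absence.
$modNames = 'cmsetac.dll', 'ntdtcstp.dll'
foreach ($proc in Get-Process -ErrorAction SilentlyContinue) {
    if ($proc.Name -eq 'mstwain32') { $findings.Add("Process running: PID $($proc.Id)") }
    try {
        foreach ($m in $proc.Modules) {
            if ($modNames -contains $m.ModuleName) {
                $findings.Add("Module $($m.ModuleName) loaded in $($proc.Name) PID $($proc.Id)")
            }
        }
    } catch { }   # access denied on protected or cross-bitness processes is expected
}
# 4. Network: TCP 1033/1034 listening, any peer on port 15963, cached C2 name (section 2d).
Get-NetTCPConnection -ErrorAction SilentlyContinue | Where-Object {
    ($_.State -eq 'Listen' -and $_.LocalPort -in 1033, 1034) -or $_.RemotePort -eq 15963
} | ForEach-Object {
    $findings.Add("TCP $($_.LocalAddress):$($_.LocalPort) -> $($_.RemoteAddress):$($_.RemotePort) $($_.State) PID $($_.OwningProcess)")
}
Get-DnsClientCache -ErrorAction SilentlyContinue | Where-Object { $_.Entry -like '*break.no-ip.biz*' } |
    ForEach-Object { $findings.Add("DNS cache entry: $($_.Entry) -> $($_.Data)") }
if ($findings.Count -eq 0) { 'No Turkojan indicators found (user-mode view).' } else { $findings }
```

Run it from an elevated PowerShell session so that process modules and all TCP connections are visible; because the report states the process and hooks are hidden by the malware itself, treat an empty result as inconclusive and confirm with an offline or out-of-band scan.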

c. How to remove these trojans instantly?

Manual removal is a difficult process and is not recommended unless you are an expert in this field. Therefore, your best defense is to download and install a reliable anti-spyware program to scan for spyware on your machine. To detect computer threats in the easiest and fastest way possible, we advise trying Malwarebytes' Anti-Malware, an anti-malware application that can thoroughly remove even the most advanced malware. It includes a number of features, including a built-in protection monitor that blocks malicious processes before they even start. Visit http://www.ids-sax2.com/Malwarebytes-Anti-Malware.htm and download Malwarebytes' Anti-Malware to help you.


4. Appendix

For more information, please visit http://www.ids-sax2.com/ComputerSecurityNewsletter.htm