Welcome to the Virus Encyclopedia of Panda Security.
It allows attackers to gain remote access to the affected computer.
It does not spread automatically by its own means.
| First detected on: | |
| Detection updated on: | Oct. 26, 2005 |
| | Yes, using TruPrevent Technologies |
This is version 1.2 of the well-known Donald Dick Trojan. Like other client-server applications, every backdoor Trojan is made up of two parts or programs: the client and the server. The server is installed on the victim computer. This program carries out all the actions needed to allow malicious users to gain remote access to the victim computer.
BCK/DonaldDick.152 works on Windows 95, Windows 98 and Windows NT systems and is capable of using the SPX and TCP communication protocols. Moreover, it can use two communication ports for each of the protocols.
The client is a graphical interface that sends service requests to the server. The client program is operated by a hacker who will attempt to gain remote access to the affected system.
The client can perform the following actions on the affected computer: it manipulates files and directories (creating, deleting, renaming and downloading files), disables processes and changes their priorities, alters passwords as well as the system date, captures screenshots of currently open windows, captures keystrokes whenever a password is entered (even if the password field uses an input mask), switches the monitor on and off, opens and closes the CD-ROM tray, restarts the system, etc.
The server program establishes a connection to the client, which is installed on a remote system. To do this, it uses two communication ports as well as the following protocols: SPX and TCP. From this point on, malicious users will be able to carry out numerous operations on the victim computer. To make this possible, the Trojan provides the following services:
File System: it carries out actions on files and folders. Thus, it is able to create, delete, rename and download files and change their dates.
Processes and Threads: this allows the hacker to create, end or alter the priorities of processes on the remote system.
Registry: through this service it is possible to create, change and delete keys and values in the Windows Registry.
System: the functions assigned to this service permit malicious users to view and change the date of the affected system. It also allows them to obtain information about the most important folders (WINVIR and SYSTEMVIR), as well as the computer name and user name, etc.
Windows: it provides malicious users with a list of the currently open windows and allows them to capture screenshots of those windows. Additionally, it is capable of sending "Close" commands in order to automatically close all open windows.
Keyboard: it allows viewing the keystrokes on the affected system. Thus, it is possible to obtain the passwords entered by the users even if an input mask is being used. In addition, it allows malicious users to view the whole keyboard, thereby enabling them to disable or remap keys.
Miscellaneous: these functions produce unusual effects on the victim computer. Some of them allow malicious users to carry out the following actions: send text messages to the victim computer, open or close the CD-ROM tray, turn the monitor on or off and restart the system. Moreover, this service also allows users to capture screenshots of the currently active windows.
Passwords: these functions allow access to the screensaver password. They also allow users to obtain the CMOS password on Phoenix systems.
Server: this service allows malicious users to perform the following actions on the server: manage the password, restart the system, and open, close or reinstall the application.
The client program is a graphical interface that is in charge of requesting services from the server. It consists of several tabs, one for each type of service it offers. This program looks as follows: