This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.
Erazer Lite is a Remote Access Trojan consisting of a server component, client component and a server editor component.
The characteristics of this Trojan, such as the file names and the port number used, differ depending on how the attacker configured it. Hence, this is a general description.
When the server component is executed, the Trojan drops itself to:
The following registry entries are created so that it runs at system startup:
- Hkey_Current_User\Software\EZ "0" Data: C:\Windows\System32\msiecfg.exe
- Hkey_Current_User\Software\Microsoft\Windows\CurrentVersion\Run "iexplorer" Data: C:\Windows\System32\msiecfg.exe
Once running, the server component connects to a pre-defined IP address on a pre-defined port and waits for commands from the attacker.
Note: %System% is a variable location and refers to the Windows system directory.
The client component runs on the attacker's computer, and connects to the server component on the victim's machine remotely.
The following is a list of some of the functions that are available to the attacker:
- Process Manager (List, kill running processes)
- File Manager (List, upload, download, delete)
- Registry Manager (Browse Registry, add, edit, delete keys)
- Windows Manager (Browse, close, maximize/minimize, rename)
- Get system information
- Extract passwords from machine
- Key logger
- Read/Modify contents of the clipboard
- Screen capture
- Pranks played on the victim (Hiding desktop icons, start button, taskbar, opening and closing CD-ROM)
- Desktop logoff, reboot or shutdown
- FTP-server, Telnet-Server
- Format drives

- This Trojan is written in Delphi
- The author's intended name for the Trojan is "Erazer Lite"
- Detects Trojan
The communication between the Trojan's client and server usually uses the TCP, UDP and ICMP protocols. Sax2 from Ax3soft is based on protocol analysis; it can accurately track network conversations and reassemble the TCP/IP data of the communication. When it detects that your network is at risk from Trojans, it immediately suspends or interferes with the Trojan's communications to protect your network from attack. Why not give it a try? Sax2 upgrades its Security Strategy Knowledge Base immediately after installation finishes. The following describes how to use Sax2 to detect whether your system is infected with the Erazer Lite Trojan.
First of all, launch Sax2 and switch to the "EVENTS" page. If there is Erazer Lite communication in your network, Sax2 will immediately report and interrupt the Trojan's communications.