MxMx
Backdoor.Domwis is a backdoor Trojan horse, which allows unauthorized, remote access to your computer. By default it opens TCP port 559.

Type: Trojan Horse
Infection Length: 15,360 bytes

Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
Systems Not Affected: DOS, Linux, Macintosh, OS/2, UNIX

Virus Definitions (Intelligent Updater) *
February 06, 2004

Virus Definitions (LiveUpdate™) **
February 09, 2004

*
Intelligent Updater definitions are released daily, but require manual download and installation.

**
LiveUpdate virus definitions are usually released every Wednesday.






When Backdoor.Domwis is executed, it performs the following actions:


Opens TCP port 559, which allows unauthorized remote access to an infected computer.


Copies itself as %Windir%\RUNDLL16.EXE.


--------------------------------------------------------------------------------
Note: %Windir% is a variable. The Trojan locates the Windows installation folder (by default, this is C:\Windows or C:\Winnt) and copies itself to that location.
--------------------------------------------------------------------------------


Attempts to add the value:

"Windows DLL Loader" = "%Windir%\RUNDLL16.EXE"

to the registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

so that the Trojan runs when you start Windows.


Some of the functions available to the attacker include:

Uploading and downloading files
Executing programs
Ending processes
Sending full screen images to the attacker
Key logging




maybe this has some potential to be a new virus-like exploit?
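As an added defender-side example (not part of the original post or of the Symantec writeup quoted in it), this Python script checks the two host indicators listed above: a TCP listener on port 559 in `netstat -ano` output and the "Windows DLL Loader" value pointing at RUNDLL16.EXE under the HKLM Run key. The netstat listing and the .reg-style export are constructed samples, and the function names are my own.

```python
import re

# Host indicators taken from the Backdoor.Domwis writeup in this thread.
DOMWIS_PORT = 559
DOMWIS_RUN_VALUE = "Windows DLL Loader"
DOMWIS_FILE = "rundll16.exe"
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Constructed sample of 'netstat -ano' output from an infected host (not real data).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:559            0.0.0.0:0              LISTENING       1488
  TCP    192.168.1.20:1049      192.168.1.1:80         ESTABLISHED     2204
"""

# Constructed .reg-style export of the Run key (backslashes are doubled, as in .reg files).
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VMware Tools"="C:\\Program Files\\VMware\\VMwareTray.exe"
"Windows DLL Loader"="C:\\WINNT\\RUNDLL16.EXE"
"""

def listening_pids(netstat_text, port):
    """Return the PIDs of TCP sockets in LISTENING state on the given local port."""
    pids = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] == "TCP" and parts[3] == "LISTENING":
            if parts[1].rsplit(":", 1)[1] == str(port):
                pids.append(int(parts[4]))
    return pids

def suspicious_run_values(reg_text):
    """Return (name, path) pairs under the Run key that match the Domwis persistence entry."""
    hits, in_run_key = [], False
    for line in reg_text.splitlines():
        if line.startswith("["):  # a key header such as [HKEY_LOCAL_MACHINE\...\Run]
            in_run_key = line.strip("[]").lower() == RUN_KEY.lower()
            continue
        m = re.match(r'"(.+?)"="(.*)"$', line)
        if in_run_key and m:
            name, path = m.group(1), m.group(2).replace("\\\\", "\\")  # undo .reg escaping
            if name == DOMWIS_RUN_VALUE or path.lower().endswith(DOMWIS_FILE):
                hits.append((name, path))
    return hits

if __name__ == "__main__":
    print("PIDs listening on 559:", listening_pids(SAMPLE_NETSTAT, DOMWIS_PORT))
    print("Suspicious Run values:", suspicious_run_values(SAMPLE_REG))
```

A PID returned for port 559 should be matched against `tasklist` output; a listener alone is only a hint, while the Run value pointing at RUNDLL16.EXE is the stronger indicator.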

dragonfly
nice post mxmx
Does anybody know more of this trojan

maybe it's the new mydoom.a
dexxxx
this looks interesting...anyone else got info on it?
FaNGiO
testing

thx man
usch
yeah thx, seems like i should do some portscans on that
Leonnetje
It seems that there has to be an exploit to spawn a shell @ that port...

We'll just have to wait...
roto
awesome info m8, now to wait for the exploit, cuz im not good enuf to do it myself yet, still learning
MattMannLT
QUOTE (roto @ Feb 24 2004, 08:47 PM)
awesome info m8, now to wait for the exploit, cuz im not good enuf to do it myself yet, still learning

from the description i think you don't need an exploit, simply connect to 559 with telnet or netCat
Erra
Pretty cool post... I'm gonna have a look and see if I can't get a hold of the virus to test it..... leaving the machine unprotected for a couple seconds should do it though

Thanks
blackP0ster
QUOTE
Opens TCP port 559, which allows unauthorized remote access to an infected computer.


scan for port 559 and have fun..

already got a nice shell..but not very many results...


black
Pro21
yes, little little results
dragonfly
by spawning a shell i get this:

I typed ***.***.***.*** 599 (of course after finding one)

And then it says:

Press any key to continue...

And then Connection to host lost.

Does anyone know what i did wrong??
blackP0ster
perhaps firewalled?

also it's port 559 and not port 599
MysteryMan
thanx man for the info, i'll try this

are all found ips vulnerable ??
maybe try using sl to check them ?

caze
sounds very interesting, i also scanned for that port and got some results, but no shell :/
Donken
Sounds interesting. Will scan some and see what I can do with it. Sounds like a simple thing to block out but some admins have probably missed it. Thx for the info
arken
Well, I dunno if any of you guys are succeeding, but you sure are making a lot of noise

http://www.dshield.org/port_report.php?port=559

17 sources, 68k targets
MattMannLT
QUOTE (arken @ Feb 26 2004, 07:08 PM)
Well, I dunno if any of you guys are succeeding, but you sure are making a lot of noise

http://www.dshield.org/port_report.php?port=559

17 sources, 68k targets

that's pretty cool, tnx, i never knew of this site!
skidoo32
Does anyone have any more info on this trojan?
Esq
Scanned and nothing, this backdoor is rare
Invision Power Board © 2001-2005 Invision Power Services, Inc.