By default, Windows hides the extension of known file types, so a user can be tricked into believing that wendynaked.jpg.exe is wendynaked.jpg and mistakenly assume it is a harmless image. Enable the display of file extensions so you are not taken in by this ruse.
If the file is executed, Backdoor-CAG (a.k.a. Sysbug) compromises the system and allows the Trojan's author(s) to control it remotely.
The email carrying the Trojan appears as follows:
- Subject: Re[2]: Mary
Hello my dear Mary,
I have been thinking about you all night. I would like to apologize for the other night when we made beautiful love and did not use condoms. I know this was a mistake and I beg you to forgive me.
I miss you more than anything, please call me Mary, I need you. Do you remember when we were having wild sex in my house? I remember it all like it was only yesterday. You said that the pictures would not come out good, but you were very wrong, they are great. I didn't want to show you the pictures at first, but now I think it's time for you to see them. Please look in the attachment and you will see what I mean.
I love you with all my heart, James.
Method of infection
Backdoor-CAG a.k.a. Sysbug creates the following files:
- C:\%windir%\sysdeb32.exe (copy of the Trojan)
C:\%windir%\svc.sav (marker file)
C:\temp35.txt (user information)
Backdoor-CAG a.k.a. Sysbug adds the following registry value so that sysdeb32.exe is loaded on system startup:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"SystemDebug" = C:\Windows\sysdeb32.exe
To verify that an Internet connection is available, Backdoor-CAG a.k.a. Sysbug attempts to contact a specific website. The Trojan then opens TCP port 5555, listens on it for remote commands, and sends an infection notification to a remote server.
Removal instructions
Delete the registry value added by the Trojan, reboot the system so that sysdeb32.exe is no longer running and its files are no longer locked, then delete the dropped/created files. Antivirus software updated on or after November 25th, 2003 should be able to detect and remove this Trojan.
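As an added example that is not part of the original advisory, the following PowerShell script checks a host for the indicators listed above (the SystemDebug Run value, a process or listener on TCP port 5555, and the three dropped files) and, with the assumed -Fix switch, removes them in the order the removal instructions give: autostart entry first, then the running process, then the files. It finishes by turning on extension display, the hardening step from the top of the page. The paths, value name and port are the advisory's; the script, its switch name and its messages are this example's own, and it assumes a current Windows with PowerShell rather than the 2003-era systems the advisory was written for.

```powershell
# Added example, not part of the original advisory: check a Windows host for the
# Backdoor-CAG / Sysbug indicators and, with -Fix, remove them.
# File paths, Run value name and port come from the advisory; the script, its
# -Fix switch and its messages are assumptions of this example.
# Run from an elevated PowerShell prompt. Without -Fix it only reports.
[CmdletBinding()]
param(
    [switch]$Fix
)

$runKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$runValue = 'SystemDebug'
$port     = 5555
$files    = @(
    (Join-Path $env:windir 'sysdeb32.exe'),   # copy of the Trojan
    (Join-Path $env:windir 'svc.sav'),        # marker file
    'C:\temp35.txt'                            # harvested user information
)
$found = $false

# 1. Autostart entry: the Run value that loads sysdeb32.exe at startup.
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and ($run.PSObject.Properties.Name -contains $runValue)) {
    $found = $true
    Write-Warning ("Run value '{0}' is present: {1}" -f $runValue, $run.$runValue)
    if ($Fix) {
        Remove-ItemProperty -Path $runKey -Name $runValue
        Write-Output "Removed Run value '$runValue'"
    }
}

# 2. Running copy and the backdoor listener on TCP 5555. The listener appears
#    only after the Trojan has confirmed Internet access, so its absence alone
#    does not prove the host is clean.
$procs = @(Get-Process -Name 'sysdeb32' -ErrorAction SilentlyContinue)
$listeners = @(netstat -ano | Select-String -Pattern ("TCP\s+\S+:{0}\s+\S+\s+LISTENING\s+(\d+)" -f $port))
foreach ($m in $listeners) {
    $ownerPid = [int]$m.Matches[0].Groups[1].Value
    Write-Warning "TCP port $port is listening (PID $ownerPid)"
    $owner = Get-Process -Id $ownerPid -ErrorAction SilentlyContinue
    if ($owner) { $procs += $owner }
}
if ($procs.Count -gt 0) {
    $found = $true
    foreach ($p in ($procs | Sort-Object Id -Unique)) {
        Write-Warning ("Process {0} (PID {1}) matches the Trojan indicators" -f $p.ProcessName, $p.Id)
        # Stop it before deleting files; a running image stays locked on disk.
        if ($Fix) { Stop-Process -Id $p.Id -Force }
    }
}

# 3. Dropped files.
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) {
        $found = $true
        Write-Warning "Dropped file present: $f"
        if ($Fix) {
            # If removal fails because the file is locked, the Trojan is still
            # running: reboot and run the script again, as the advisory says.
            Remove-Item -LiteralPath $f -Force -ErrorAction Continue
        }
    }
}

# 4. Hardening: show known extensions so 'wendynaked.jpg.exe' is not displayed
#    as 'wendynaked.jpg'. HideFileExt=0 applies to the current user's Explorer.
$explorer = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$hide = (Get-ItemProperty -Path $explorer -Name 'HideFileExt' -ErrorAction SilentlyContinue).HideFileExt
if ($hide -ne 0) {
    Write-Warning "Explorer hides known file extensions for this user"
    if ($Fix) { Set-ItemProperty -Path $explorer -Name 'HideFileExt' -Value 0 -Type DWord }
}

if ($found) {
    Write-Output "Backdoor-CAG indicators found; treat passwords used on this host as compromised."
    exit 1
}
Write-Output "No Backdoor-CAG indicators found."
```

Run it once without -Fix to see what it finds, then with -Fix from an elevated prompt. The exit code of 1 on a hit lets it be dropped into a login script or a remote execution job so a fleet can be swept for the same indicators. The extension setting is per user, so the hardening step only changes the profile the script runs under.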
As is the case with any remote-access Trojan, consider the implications of your system having been infected. Passwords, credit card information, and other sensitive data are likely to have been compromised. Likewise, other files, including other Trojans, may have been placed on the system while infected.
A personal firewall, such as ZoneAlarm, will alert when applications attempt to access the Internet and - used properly - can provide an effective layer of defense against remote-access Trojans by barring their communication attempts.

