Classification

Category :

Malware

Type :

Backdoor

Aliases :

CiaDoor, Backdoor.CiaDoor

Summary

The CiaDoor backdoor is a family of backdoors generated by the C.I.A development kit. The backdoor is written in Visual Basic and compiled as p-code. It can be additionally packed with executable packers such as UPX.

The development kit lets the operator customize the capabilities of the server part (listening port, password, services, etc.). This approach was first introduced by the Back Orifice 2000 backdoor and gives such backdoors much more flexibility.

Removal

To manually disinfect a CiaDoor backdoor, it is enough to delete the backdoor's main file from the Windows directory. However, the file is hidden and locked, so it cannot be deleted directly and is not visible with the normal Windows tools. Disinfection can be done either by deleting all relevant registry keys (see the Technical Details below) and rebooting the computer, or by manually renaming the file and rebooting. After the system restart the backdoor's main file can be deleted.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

When run, the backdoor copies itself to the Windows directory using a configurable name, for example "Csrss.exe". After that it modifies the Windows Registry so that it is run on every Windows startup.

It creates the following registry keys:

[HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA855-CC51-11CF-AAFA-00AA00B6017B}]
"StubPath" = "%Windir%\%filename%"
"ComponentID" = %name%
"IsInstalled" = 1
"Locale" = "en"
"Version" = "4,88,55,1"

where %filename% is the actual file in the Windows directory, for example "Csrss.exe", and %name% is configurable by the author; it can be, for example, "Runtime Process".

The backdoor can also create and modify values under the following registry keys:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\winlogon
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Run

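The Active Setup and Run/RunServices entries listed above can be checked for in a regedit export. The following Python script is an added example, not code from this description or from any F-Secure product: it parses a .reg export and flags the Active Setup StubPath and any Run/RunServices values that launch a file straight from the Windows directory. The key names and the "4,88,55,1" version string come from this description; the sample export is constructed, and the Windows-directory path pattern is an assumption.

```python
import re

ACTIVE_SETUP_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup"
                    r"\Installed Components\{44BBA855-CC51-11CF-AAFA-00AA00B6017B}")
RUN_KEYS = tuple(hive + "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\" + sub for hive in
                 ("HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER") for sub in ("Run", "RunServices"))
CIADOOR_VERSION = "4,88,55,1"  # "Version" value the backdoor writes (from the description above)
# Assumed pattern for a file sitting directly in the Windows directory (%Windir%\x.exe, C:\WINDOWS\x.exe)
WINDIR_RE = re.compile(r"^(%windir%|%systemroot%|[a-z]:\\win(?:dows|nt)?)\\[^\\]+$", re.I)

def parse_reg(text):
    """Parse regedit .reg text into {key: {value_name: data}}; string data is unquoted, other types kept raw."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'^"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if m and current is not None:
            name, data = m.groups()
            if data.startswith('"') and data.endswith('"'):
                data = data[1:-1].replace("\\\\", "\\")  # .reg doubles backslashes inside strings
            keys[current][name] = data
    return keys

def find_indicators(keys):
    """Return (key, value_name, data, reason) tuples for an analyst to review."""
    hits = []
    comp = keys.get(ACTIVE_SETUP_KEY, {})
    stub = comp.get("StubPath", "")
    if WINDIR_RE.match(stub):
        reason = "Active Setup StubPath runs a file from the Windows directory"
        if comp.get("Version") == CIADOOR_VERSION:
            reason += " and Version matches CiaDoor"
        hits.append((ACTIVE_SETUP_KEY, "StubPath", stub, reason))
    for key in RUN_KEYS:  # autostart values are only flagged here, never deleted
        for name, data in keys.get(key, {}).items():
            if WINDIR_RE.match(data):
                hits.append((key, name, data, "autostart entry runs a file from the Windows directory"))
    return hits

# Constructed sample export (not a real capture); Csrss.exe is the page's example file name.
SAMPLE_REG = r'''[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA855-CC51-11CF-AAFA-00AA00B6017B}]
"StubPath"="%Windir%\\Csrss.exe"
"Version"="4,88,55,1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Csrss"="C:\\WINDOWS\\Csrss.exe"
"Updater"="C:\\Program Files\\Vendor\\upd.exe"
'''
```

On a real system, export the keys above with regedit and pass the file contents to find_indicators(parse_reg(...)); the winlogon and policies keys from the list can be added to RUN_KEYS in the same way.
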
If the system is Windows 9x, the backdoor also modifies the following files:

WIN.INI
SYSTEM.INI

After installation, the backdoor starts its services and displays a configurable fake error message.

The server part can have any of the following capabilities:

1. Copy, delete, upload, download, and execute files
2. Enumerate and kill processes
3. Manipulate system settings (CD-ROM, keyboard, mouse)
4. Capture screenshots, audio and keystrokes
5. Shut down Windows
6. Display a fake MSN login screen to steal account information
7. Steal CD keys of various games and applications

The actual server port is configurable. An example banner from the server (version 1.21) looks like this:

(__( C.I.A v1.21 - Enter Password)__)

CiaDoor also starts an FTP service for manipulating files on the local filesystem. The FTP service uses the standard FTP port (TCP 21). Its server banner looks like this:

220-
220- (___( C.I.A v1.21 Ftp Server Ready )___)
220- (___( Welcome pokermon)___)
220- (___( Coded By Alch3mist of th3 DCC )___)
220- (___( http://dcc.darksideofkalez.com )___)
220

CiaDoor uses various Web pages and e-mail accounts to notify its author when a victim is online.