Originally posted by Charon:
Sounds like the SubSeven virus.
This is most commonly downloaded if you access the "fake" Microsoft download
site at:
http://www.microsoftdownloads.fsnet.co.uk/viprotct.htm
This Trojan virus is the result of further development of the BackDoor-G Trojan
(v1.0 - v1.9) and offers the usual access to the user's files and data on his
system via the Internet.
By default, the Trojan uses TCP port 27374, but this is configurable by the
configuration program.
It is normally distributed as a Win32 PE .exe dropper that may be disguised as a
.jpg or .bmp picture. When run, this dropper installs two files in the Windows
folder. These two files are the main server .exe file, normally called
Msrexe.exe, and a loader program normally called Run.exe, Windos.exe, or
Mueexe.exe.
These file names are only the default names and can be changed by the Trojan's
configuration program. The main server .exe file is identified as
"BackDoor-G2.svr" or "BackDoor-G2.svr.gen." The loader program is identified as
"BackDoor-G2.ldr."
Two other files are associated with this Trojan: the configuration program and
the client program. These are used to communicate with the main server program.
These are identified as BackDoor-G2.cfg and BackDoor-G2.cli respectively. These
files do not hook the operating system and may be safely deleted if detected on
the system.
Method of Infection
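The quoted post gives two concrete indicators a defender can check for: the default TCP listening port 27374 and the default file names dropped into the Windows folder. The script below is an added example, not part of Charon's post, that runs those checks over constructed `netstat -an` output and a constructed Windows-folder listing; the sample lines, the `SAMPLE_*` names and the function names are assumptions made for the example. As the post says, both the port and the file names are configurable, so a clean result here does not prove a machine is uninfected; a hit, however, is worth a closer look.

```python
import re

# Defaults named in the quoted post (SubSeven / BackDoor-G2).
DEFAULT_PORT = 27374
DEFAULT_FILENAMES = {"msrexe.exe", "run.exe", "windos.exe", "mueexe.exe"}

# Matches the columns of Windows "netstat -an" output:
#   TCP    0.0.0.0:27374          0.0.0.0:0              LISTENING
NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\S+)\s*(\S*)")

# Constructed sample data for the example (not captured from a real host).
SAMPLE_NETSTAT = [
    "Active Connections",
    "",
    "  Proto  Local Address          Foreign Address        State",
    "  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING",
    "  TCP    0.0.0.0:27374          0.0.0.0:0              LISTENING",
    "  TCP    192.168.1.10:27374     203.0.113.5:4122       ESTABLISHED",
    "  UDP    0.0.0.0:137            *:*",
]
SAMPLE_WINDOWS_DIR = [
    "explorer.exe", "notepad.exe", "Msrexe.exe", "Run.exe", "win.ini",
]


def find_port_activity(netstat_lines, port=DEFAULT_PORT):
    """Return (proto, local_addr, remote, state) for every TCP socket bound to `port`.

    Both a LISTENING socket (the server waiting for its client) and an
    ESTABLISHED one (a client already connected) are reported, since either
    is unexpected on a host that runs no service on that port.
    """
    hits = []
    for line in netstat_lines:
        m = NETSTAT_RE.match(line)
        if not m:
            continue  # header, blank, or unrelated line
        proto, laddr, lport, raddr, rport, state = m.groups()
        if proto == "TCP" and int(lport) == port:
            hits.append((proto, laddr, f"{raddr}:{rport}", state.upper()))
    return hits


def find_default_trojan_files(windows_dir_listing):
    """Return the names from a Windows-folder listing that match the
    post's default server/loader names (case-insensitive on Windows)."""
    return sorted(n for n in windows_dir_listing if n.lower() in DEFAULT_FILENAMES)


def assess(netstat_lines, windows_dir_listing, port=DEFAULT_PORT):
    """Combine both checks into one verdict dict for a triage report."""
    port_hits = find_port_activity(netstat_lines, port)
    file_hits = find_default_trojan_files(windows_dir_listing)
    return {
        "port_hits": port_hits,
        "file_hits": file_hits,
        # Indicators only; renamed files or a changed port would evade both checks.
        "suspicious": bool(port_hits or file_hits),
    }


if __name__ == "__main__":
    report = assess(SAMPLE_NETSTAT, SAMPLE_WINDOWS_DIR)
    for hit in report["port_hits"]:
        print("port indicator:", hit)
    for name in report["file_hits"]:
        print("file indicator:", name)
    print("suspicious:", report["suspicious"])
```

Run it as-is to see the two port hits and the two file hits from the constructed data; on a real host you would feed it the saved output of `netstat -an` and a directory listing of the Windows folder instead.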