Erazer Lite


1.Summary

This is a trojan detection. Unlike viruses, trojans do not self-
replicate. They are spread manually, often under the premise that they
are beneficial or wanted. The most common installation methods involve
system or security exploitation, and unsuspecting users manually
executing unknown programs. Distribution channels include email,
malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer
networks, etc.
2.Aliases

* Backdoor.Eraser.Web

3.Characteristics

Erazer Lite is a Remote Access Trojan consisting of a server
component, client component and a server editor component.

The characteristics of this Trojan with regards to the file names,
port number used, etc will differ, depending on the way in which the
attacker had configured it. Hence, this is a general description.

A.Server Component:

When the server component is executed, the Trojan drops itself to:

* %system%\msiecfg.exe

The following registry entry is created, so it can run at system
startup:

*
Hkey_Current_User\Software\EZ "0"
Data: C:\Windows\System32\msiecfg.exe
*
Hkey_Current_User\Software\Microsoft\
Windows\CurrentVersion\Run "iexplorer"
Data: C:\Windows\System32\msiecfg.exe

Once running, the server component connects to a pre-defined IP
address on a pre-defined port, waiting for commands from the attacker



Note: %System% is a variable location and refers to the windows system
directory.

B.Client Component:

The client component runs on the attacker抯 computer, and connects to
the server component on the victim抯 machine remotely.

The following are a list of some of the functions that are available
to the attacker:



* Process Manager (List, kill running processes)
* File Manager (List, upload, download, delete)
* Registry Manager (Browse Registry, add, edit, delete keys)
* Windows Manager (Browse, close, maximize/minimize, rename)
* Get system information
* Extract passwords from machine
* Key logger
* Read/Modify contents of the clipboard
* Screen capture
* Pranks played on the victim (Hiding desktop icons, start button,
taskbar, opening and closing CD-Rom)
* Desktop logoff, reboot or shutdown
* FTP-server, Telnet-Server
* Format drives



C.Miscellaneous Information:

* This Trojan is written in Delphi
* The author抯 intended name for the Trojan is 揈razer Lite�

4. Detects Trojan

The communication between client and server of Trojan is usually with
TCP, UDP and ICMP protocol. Sax2 from Ax3soft is based on the analysis
of protocol and can accurate tracking network connecting conversation
and reorganize the TCP / IP data of the communication. When it detect
that your network in the risk of Trojans, it will immediately
suspended or interference with communications of Trojan to protect
your network from attack. Why not have a try? Sax2 will immediately
upgrade it’s Security Strategy Knowledge Base after finished
installation. Below will introduce how to use Sax2 to detect whether
your system has infected of the Trojan - Erazer Lite.

First of all, launch and run Sax2, switch to "EVENTS" pages. If there
is Erazer Lite communication in your network, Sax2 will immediately
report and interrupt Trojan communications. See the picture:

website:http://www.ids-sax2.com/articles/ErazerLiteBackdoor.htm