Description:
Win32.DKS.C is a trojan that opens a SOCKS 5 proxy on an affected machine. When executed, Win32.DKS.C copies itself to %System%\ss.exe (size: 15,360 bytes) and drops the following files into the %System% directory:
- SS.dat (size: 15,360 bytes) - an encrypted copy of itself
- Dss.dll (size: 3,072 bytes)
- Dssa.dll (size: 3,072 bytes)
It then edits the registry so that the dll is loaded at each Windows start:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ss = {Generated CLSID}
HKCR\CLSID\{Generated CLSID}\InProcServer32\Default = dssa.dll
Note: '%System%' is a variable location. The trojan determines the location of the current System folder by querying the operating system. The default installation location for the System directory for Windows 2000 and NT is C:\Winnt\System32; for 95, 98 and ME it is C:\Windows\System; and for XP it is C:\Windows\System32.
The DLLs are used to execute %System%\ss.exe each time the DLL is loaded, and to restore ss.exe from the backup copy (ss.dat) if the original executable is missing.
The trojan creates the mutex ' one ' in order to ensure that only one copy of the trojan is running at any time.
Note: Computer Associates has received several reports of this trojan from users who were previously compromised by variants of the VBS.Suzer Family, a group of trojans that attempt to exploit vulnerabilities in Internet Explorer in order to install other trojans. Please visit the VBS.Suzer Family description elsewhere in our encyclopedia for further details.
Initially, DKS.C obtains the location of IEXPLORE.EXE by reading the registry entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\IEXPLORE.EXE
and contacts a site on the genmexe.biz domain presumably to notify its controller of a new system compromise and supply a randomly generated port number.
It then opens a SOCKS 5 proxy with no authentication on the port number that was sent to the site. Proxies can be used to redirect network traffic through the affected system, for example, to hide the true source of malicious activity on the Internet.
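The following PowerShell check is an added example, not part of the original Computer Associates description: it looks for the file, registry and mutex indicators listed above on the local machine. It assumes the file names, the ShellServiceObjectDelayLoad value name 'ss' and the mutex name ' one ' (including the surrounding spaces) exactly as given in the description.

```powershell
# Added example: defender-side check for the Win32.DKS.C indicators described above.
# The System directory is resolved from the OS, matching how the trojan itself locates it.
$system   = [Environment]::SystemDirectory
$findings = @()

# 1. Dropped files in %System% (names from the description)
foreach ($name in 'ss.exe', 'ss.dat', 'dss.dll', 'dssa.dll') {
    $path = Join-Path $system $name
    if (Test-Path -LiteralPath $path) {
        $len = (Get-Item -LiteralPath $path).Length
        $findings += "File present: $path ($len bytes)"
    }
}

# 2. ShellServiceObjectDelayLoad value 'ss' holding the generated CLSID
$ssodl = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
$clsid = (Get-ItemProperty -Path $ssodl -Name 'ss' -ErrorAction SilentlyContinue).ss
if ($clsid) {
    $findings += "ShellServiceObjectDelayLoad entry 'ss' = $clsid"

    # 3. That CLSID's InProcServer32 default value naming dssa.dll
    $server = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InProcServer32"
    $dll = (Get-ItemProperty -Path $server -Name '(default)' -ErrorAction SilentlyContinue).'(default)'
    if ($dll -and $dll -match 'dssa\.dll$') {
        $findings += "InProcServer32 for $clsid -> $dll"
    }
}

# 4. Mutex ' one ' (spaces are part of the name) held by a running copy.
#    OpenExisting throws if no such mutex exists, which is the clean case.
try {
    $m = [System.Threading.Mutex]::OpenExisting(' one ')
    $m.Close()
    $findings += "Mutex ' one ' exists: a copy of the trojan may be running"
} catch { }

if ($findings.Count -gt 0) {
    $findings | ForEach-Object { Write-Warning $_ }
} else {
    Write-Host 'No Win32.DKS.C indicators found.'
}
```

Run it from an elevated prompt so the HKLM and System-directory reads are not blocked by permissions; a hit on the registry entries alone is sufficient to treat the machine as compromised.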
Analysis by Matthew McCormack