BackDoor-AXJ is a remote access Trojan that has multiple versions.

Once running on the victim machine, the Trojan serves multiple functions:

  • acts as a web proxy
  • can check remote server for updates
  • cached passwords on the victim machine are logged (for sending to hacker)

    When it is run, the remote access trojan installs itself into %SysDir% (eg. C:\WINNT\SYSTEM32) with a random 8 character filename. A DLL is also dropped into this directory, again with a seemingly random 8 character filename. For example:

    C:\WINNT\SYSTEM32\OQLCINEI.EXE (39,140 bytes - copy of Trojan) Two ports are opened on the victim machine. Exact port numbers used vary between variants. One is used for the web proxy, the other for communication. Ports used in samples seen thus far include:

  • 7714
  • 8546
  • 12334
  • 12324
  • Notification is sent to the hacker via HTTP, sending data to a remote PHP script. This data includes IP of machine, plus port numbers opened. It also includes as "identification string" - presumably used to validate communication to the Trojan.

    More information can be found at this McAfee page.