The program is essentially a Trojan because it is frequently distributed as an
innocent picture file. The file is called a variety of names; my particular copy
was named Webcam Shots.scr. The .scr extension is reserved for screen savers,
but screen savers are really just regular programs: you could theoretically
create a word processor with an .scr extension, and it would work just fine.
The reason this little trick is effective is that some programs (such as e-mail
clients) stupidly give these files a little bitmap icon instead of an application
icon, so the user might actually think that they are pictures, when in fact they
are programs. One trivial solution is to simply display a special alert that
notifies the user whenever an executable is being downloaded via the Web or
e-mail, regardless of what the file is named or which icon it shows. The
specific file name used to distribute this file varies. In some e-mail messages
(typically sent to newsgroups) the program is disguised as a picture of soccer
star David Beckham, while other messages claim that the file contains proof
that Nick Berg, an American civilian who was murdered in Iraq in May of 2004,
is still alive. In all messages, the purpose of both the message text and the
file name is to persuade the unsuspecting user to open the attachment and
thereby activate the backdoor.
Unpacking the Executable
As with every executable, you begin by dumping its basic headers and its
import and export entries. You do this by running it through DUMPBIN or a
similar program. The output from DUMPBIN is shown in Listing 8.1.
Microsoft (R) COFF/PE Dumper Version 7.10.3077
Copyright (C) Microsoft Corporation.  All rights reserved.

Dump of file Webcam Shots.scr

File Type: EXECUTABLE IMAGE

  Section contains the following imports:

    KERNEL32.DLL
                  0 LoadLibraryA
                  0 GetProcAddress
                  0 ExitProcess

    ADVAPI32.DLL
                  0 RegCloseKey

    CRTDLL.DLL
                  0 atoi

    SHELL32.DLL

Listing 8.1 An abridged DUMPBIN output for the Backdoor.Hacarmy.D.
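What DUMPBIN does behind Listing 8.1 is walk the PE headers to the import directory and print each DLL with its hint/name entries; the same header check (an MZ stub followed by a PE signature) is also what a "you are downloading an executable" alert should key on, rather than the file's extension or icon. The following is an added example written for this chapter, not code from the book or from the Hacarmy sample: a from-scratch import-table walker, plus a throwaway PE32 image constructed in memory so the script runs offline. The DLL and function names in SAMPLE_IMPORTS mirror Listing 8.1; EXAMPLE.DLL and ordinal 7 are made up to exercise the import-by-ordinal path, and the layout constants (RVA 0x1000, raw offset 0x200) are arbitrary choices for the sample.

```python
import struct

# Added example, not code from the book or the Hacarmy sample: a PE import-table
# walker (what DUMPBIN /IMPORTS prints) plus a throwaway PE32 built in memory so
# it runs offline. Names in SAMPLE_IMPORTS mirror Listing 8.1; EXAMPLE.DLL and
# ordinal 7 are constructed to exercise the import-by-ordinal path.

IMAGE_DIRECTORY_ENTRY_IMPORT = 1  # index into the optional header's data directories


def is_pe_image(data):
    """True if the bytes carry an MZ stub and a PE signature, whatever the extension says."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def _rva_to_offset(rva, sections):
    for va, vsize, raw_ptr, raw_size in sections:  # the section table maps RVAs to file offsets
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError("RVA 0x%x is not backed by any section" % rva)


def _cstr(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii")


def parse_imports(data):
    """Return {dll: [(hint, name), ...]}; an import by ordinal appears as (ordinal, None)."""
    if not is_pe_image(data):
        raise ValueError("not a PE image")
    coff = struct.unpack_from("<I", data, 0x3C)[0] + 4
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:    # PE32: data directories start 96 bytes into the optional header
        dirs, ptr_size = opt + 96, 4
    elif magic == 0x20B:  # PE32+: 112 bytes in, and thunks are 8 bytes wide
        dirs, ptr_size = opt + 112, 8
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    import_rva = struct.unpack_from("<I", data, dirs + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT)[0]
    sections = []
    for i in range(nsections):  # 40-byte IMAGE_SECTION_HEADERs follow the optional header
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8)
        sections.append((va, vsize, raw_ptr, raw_size))
    imports = {}
    if import_rva == 0:
        return imports  # no import directory at all
    desc = _rva_to_offset(import_rva, sections)
    ordinal_flag, thunk_fmt = 1 << (ptr_size * 8 - 1), "<Q" if ptr_size == 8 else "<I"
    while True:  # IMAGE_IMPORT_DESCRIPTOR array, terminated by an all-zero entry
        ilt_rva, _, _, name_rva, iat_rva = struct.unpack_from("<IIIII", data, desc)
        if name_rva == 0 and iat_rva == 0:
            break
        dll, funcs = _cstr(data, _rva_to_offset(name_rva, sections)), []
        thunk = _rva_to_offset(ilt_rva or iat_rva, sections)  # some linkers and packers zero the ILT
        while True:
            entry = struct.unpack_from(thunk_fmt, data, thunk)[0]
            if entry == 0:
                break
            if entry & ordinal_flag:
                funcs.append((entry & 0xFFFF, None))
            else:  # RVA of an IMAGE_IMPORT_BY_NAME: WORD hint, then the NUL-terminated name
                hn = _rva_to_offset(entry & 0x7FFFFFFF, sections)
                funcs.append((struct.unpack_from("<H", data, hn)[0], _cstr(data, hn + 2)))
            thunk += ptr_size
        imports[dll], desc = funcs, desc + 20
    return imports


def build_sample_pe(imports, sec_rva=0x1000, raw_ptr=0x200):
    """Constructed test input: a minimal PE32 whose single section is just an import directory."""
    body = bytearray(20 * (len(imports) + 1))  # descriptor array, last one left all-zero
    descs = []
    for dll, names in imports.items():
        thunks = []
        for n in names:
            if isinstance(n, int):  # by ordinal: high bit set, ordinal in the low WORD
                thunks.append(0x80000000 | n)
            else:                   # by name: WORD-aligned hint/name entry, hint 0 as in Listing 8.1
                body += b"\0" * (len(body) % 2)
                thunks.append(sec_rva + len(body))
                body += struct.pack("<H", 0) + n.encode() + b"\0"
        body += b"\0" * (-len(body) % 4)
        ilt, iat = sec_rva + len(body), sec_rva + len(body) + 4 * (len(thunks) + 1)
        body += b"".join(struct.pack("<I", t) for t in thunks + [0]) * 2  # ILT, then identical IAT
        name = sec_rva + len(body)
        body += dll.encode() + b"\0"
        descs.append((ilt, name, iat))
    for i, (ilt, name, iat) in enumerate(descs):
        struct.pack_into("<IIIII", body, 20 * i, ilt, 0, 0, name, iat)
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)      # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)  # i386, one section, 224-byte opt hdr
    opt = struct.pack("<HBBIIIIII", 0x10B, 6, 0, 0, len(body), 0, 0, 0x1000, sec_rva)
    opt += struct.pack("<IIIHHHHHHIIIIHHIIIIII", 0x400000, 0x1000, 0x200, 4, 0, 0, 0, 4, 0,
                       0, 0x2000, raw_ptr, 0, 2, 0, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    for i in range(16):  # data directories; only IMPORT is populated
        hit = i == IMAGE_DIRECTORY_ENTRY_IMPORT
        opt += struct.pack("<II", sec_rva if hit else 0, 20 * (len(descs) + 1) if hit else 0)
    sect = struct.pack("<8sIIIIIIHHI", b".idata", len(body), sec_rva, len(body), raw_ptr,
                       0, 0, 0, 0, 0xC0000040)
    return bytes((dos + b"PE\0\0" + coff + opt + sect).ljust(raw_ptr, b"\0") + body)


SAMPLE_IMPORTS = {  # constructed sample; DLL and function names follow Listing 8.1
    "KERNEL32.DLL": ["LoadLibraryA", "GetProcAddress", "ExitProcess"],
    "ADVAPI32.DLL": ["RegCloseKey"],
    "CRTDLL.DLL": ["atoi"],
    "EXAMPLE.DLL": [7],  # made-up DLL imported by ordinal
}

if __name__ == "__main__":  # prints the sample in roughly DUMPBIN's layout
    for dll, funcs in parse_imports(build_sample_pe(SAMPLE_IMPORTS)).items():
        print("    " + dll)
        for hint, name in funcs:
            print("%18s" % ("Ordinal %d" % hint if name is None else "%d %s" % (hint, name)))
```

Two caveats a practitioner would add before pointing this at a real sample. First, every offset here is trusted; malware routinely ships truncated tables, RVAs that fall outside any section, and descriptor arrays with no terminator, so a production walker must bounds-check each read and cap the loop counts instead of letting struct.error or ValueError propagate. Second, an import list this short, dominated by LoadLibraryA and GetProcAddress, is itself the tell that the real imports are resolved at run time by an unpacking stub, which is why the next step in this chapter is unpacking rather than reading the static table as if it were complete.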