Main Menu
Contact Us

Backdoor.Netdex. Viruses Information

Name: Backdoor.Netdex.
Category: Viruses
Description: Details

Netdex is multi-component backdoor trojan program. It allows a remote hacker to take control of infected computers. To accomplish this, the backdoor code downloads special script files from the Web site, processes them and then sends the result back to that Web site.
The main backdoor component is a Java Script program with the name,
Other backdoor components are: - DOS COM program (helper)
netd.exe - Win32 EXE program (transfer service)
o.js, installer.php - Java Script (installer)
repost.html, sh.php - HTML page with Java Script program (additional component)

Computers become infected when visiting the backdoor's host site at This site's index page contains a script program. If script programs are permitted to run on the target computer, the script is then executed.
Exploiting a security breach the script creates and runs backdoor components on victim computers. Upon execution the components install themselves into the system, and run a backdoor routine. The main backdoor component is registered in two system registry auto-run keys:
Time Zone Synchronization = wscript "%Cookies folder%zshell.js"
Time Zone Synchronization = wscript "%Cookies folder%zshell.js"
The backdoor uses the 'Microsoft VM ActiveX Component' vulnerability. Please go to for more details.
To hide the backdoor's activity the Web page has the page Title and text in Russian:
Title: Why did you get here?
Text: Enter password to begin

In case a password is entered, additional text in Russian is displayed.
Netdex Password Screen:

Main Backdoor Component
The backdoor itself is a script program written in the Java Script language. Once each minute the backdoor receives from the host site a set of commands and executes them. This backdoor performs the following commands:
runs a command or specified local file
displays specified message on computer's desktop
updates itself
sends email on behalf of victim computer
terminates itself
See a full list of commands below.
Technical Details - Infecting
Step1 - opening the infected Web page
While infecting the Java Script on the hacker's web site's main HTML page, the following files are 'dropped' onto victim computers:
dropped file: DOS COM file named This files is saved to the Windows temp directory.
file dropped and executed: the Java script named zshell.js. This file is saved to the Windows 'Cookies' directory
Thus there are two new files on victim computers:
"%Cookies folder%zshell.js"
Step2 - Creating the Backdoor Component
The 'zshell.js' script that is run during Step1 performs two main actions:
Action1: - it creates the "transfer service" file - netd.exe - a Win32 EXE file.
To do this the script runs the '' file in the temporary folder. The '' file extracts from its code, decrypts and drops the 'netd.exe' file into the temporary directory. This file is then copied to the Windows 'Cookies' folder.
The 'netd.exe' program will then be used as a helper to send/receive data to/from the main backdoor's Web page. This helper program supports SMTP and HTTP protocols to transfer data to/from infected computers.
Action2: It downloads the file 'install.php' from the Web page, stores it with under the name 'o.js' and runs it.
To do this the script uses the "GET HTTP" command and 'netd.exe' transfer service.
Step3 - Installing the Backdoor
The 'o.js' script that is run in Step2 performs the following actions:
Action1: it downloads the 'sh.php' file from Web page, stores it under the 'zshell.js' name, and executes it. The file 'zshell.js' is the main backdoor component.
Action2: it creates registry auto-run keys that will start the main backdoor component (zshell.js) upon Windows restart.
Action3: it creates the backdoor auto re-run script file.
To do this the 'o.js' script creates a new 'repost.html' file in the Windows Cookies folder:
"%Cookies folder%repost.html"
and writes a script program to this location that runs the zshell.js file (main backdoor component).
The repost.html file is then registered in the registry key:
HKLMSOFTWAREMicrosoftInternet ExplorerAboutURLsPostNotCached
This script, in some cases, is then automatically run by Internet Explorer, and the main backdoor script gains control.
This completes the installation.
Backdoor Commands:
EXIT - terminates the backdoor program

NOBREAK - does nothing

SETCMDURL - stores new host (Web page) to communicate with

RUN - run command (from argument)

SENDMAIL - sends email message - SMTP is read from the "HKCUSoftwareMicrosoftInternet Account ManagerAccounts0000001SMTP Server", or "" is used in case of an error

UPDATE - downloads file and stores it to the "%Cookies folder%zshell.js"

ALERT - displays a message

SLEEP - waits %n% minutes (%n% is in argument)

SENDCONFIRM - reports 'I am here'

RUNTHESELF - restarts itself from the "%Cookies folder%zshell.js"

Top Viruses Visited Pages:
Baboo - 685 visits
Invader. - 546 visits
Firstling.199 - 271 visits
Spartak.110 - 243 visits
Macro.Excel.Hidemo - 242 visits
Coito.64 - 237 visits
not-a-virus:RemoteAdmin.Win32.RAdmin.2 - 235 visits
Worm.P2P.Harex. - 233 visits
Small.58. - 225 visits
DDoS.Win32.Kozo - 206 visits

Random Viruses Pages:


2006-2008 - Privacy Policy