Red Hat NETSCAPE ENTERPRISE SERVER 6.1 - 08-2002 ADMINISTRATOR User Manual, Page 31

NIPC CyberNotes #2002-12 Page 31 of 33 06/17/2002
Trojan                  Version   CyberNotes Issue #
VBS_THEGAME.A           N/A       CyberNotes-2002-03
W32.Alerta.Trojan       N/A       CyberNotes-2002-05
W32.Delalot.B.Trojan    N/A       CyberNotes-2002-06
W32.DSS.Trojan          N/A       CyberNotes-2002-09
W32.Libi                N/A       CyberNotes-2002-10
W32.Maldal.J            N/A       CyberNotes-2002-07
W32.Tendoolf            N/A       CyberNotes-2002-09
WbeCheck                N/A       CyberNotes-2002-09

Backdoor.AntiLam: This is a typical backdoor Trojan, which gives a remote malicious user unobstructed
access to your computer. When Backdoor.AntiLam is run, it does the following:
  • It copies itself into the %Windows% folder. The exact file names that are used by the Trojan
    may vary from version to version, because the malicious user who creates this backdoor
    Trojan can choose any desired file name. By default, the file name is Scandisk.exe. (NOTE:
    %Windows% is a variable. The worm locates the \Windows folder (by default this is
    C:\Windows or C:\Winnt) and copies itself into that location.)
  • It adds the value: MS Scandisk <dropped file such as Scandisk.exe> to the registry key:
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  • It also adds the value: Start ok to the registry key:
    HKEY_LOCAL_MACHINE\Software\Microsoft\DirectX
The Trojan then opens an HTTP connection to a Web server that the malicious user chooses, and posts
victim information to a script at that Web site. If Backdoor.AntiLam is run, it allows the malicious user to
remotely take control of the compromised computer. Its capabilities can include:
  • Repeatedly open a TCP port
  • Display a fake error message to conceal its true nature
  • Full control over the file system
  • Upload to and download from the host computer
  • Run files of the hacker's choice
  • Display messages
  • View the screen
  • Log keystrokes
  • Annoying actions, such as manipulating the keyboard or mouse, opening and closing the CD-ROM
    drive, turning the monitor on and off, and so on.

Backdoor.Crat: Backdoor.Crat allows a malicious user to remotely control an infected computer. It is
written in the Delphi programming language and compressed with Ezip. When Backdoor.Crat runs, it copies
itself to the %System% folder. The exact file names and port numbers that it uses may vary from version to
version, because the malicious user who creates this Backdoor Trojan can choose any desired file name.
For example, the file name can be Winload.exe. It adds the value:
WinDLL C:\%System%\<dropped file name>
to the registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
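
An added example (not part of the CyberNotes text): a Python script that scans the text of a `reg export` file for the registry values the Backdoor.AntiLam and Backdoor.Crat entries above describe. It matches on key and value name, because the dropped file name varies by version; the sample export, its benign entries, and the empty `Start ok` data are constructed for illustration.

```python
import re

# (registry key, value name) -> Trojan, taken from the entries above.
# Registry key and value names are case-insensitive, so compare in lower case.
RUN = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
INDICATORS = {
    (RUN, "ms scandisk"): "Backdoor.AntiLam",
    (r"hkey_local_machine\software\microsoft\directx", "start ok"): "Backdoor.AntiLam",
    (RUN, "windll"): "Backdoor.Crat",
}
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

# Constructed sample in .reg export format (not captured from a real host).
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ExampleUpdater"="C:\\Program Files\\Example\\updater.exe"
"MS Scandisk"="C:\\Windows\\Scandisk.exe"
"WinDLL"="C:\\Windows\\System32\\Winload.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\DirectX]
"Version"="4.08.01.0881"
"Start ok"=""
'''

def unescape(s):
    # .reg files write \\ for a backslash and \" for a quote inside strings.
    return re.sub(r"\\(.)", r"\1", s)

def scan_reg_export(text):
    """Return (trojan, key, value_name, data) for each indicator found."""
    hits, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if not (m and key):
            continue
        name, data = unescape(m.group(1)), m.group(2)
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            data = unescape(data[1:-1])
        trojan = INDICATORS.get((key.lower(), name.lower()))
        if trojan:
            hits.append((trojan, key, name, data))
    return hits
```

The returned data field carries the path of the dropped file, which is the item to collect for analysis since its name differs between versions.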
Backdoor.FTP_Bmail (Aliases: Backdoor.FTP.Bmail, BackDoor-ABH): This is a Trojan horse that
allows a malicious user to remotely control an infected computer. It disguises itself as an FTP downloader
for e-mail software. When you run Backdoor.FTP_Bmail, it tries to connect to an FTP server. The Trojan
contains the following string in its code:
"Would you like to download Bmail.. Bmail is a talking E-mail software that works with POP
and other e-mail accounts. Its works with Yahoo and Onebox also.
More will be added soon.."
Besides opening the FTP connection, the Trojan opens TCP port 5135 and a randomly changed TCP/UDP
port. This gives a remote attacker access to the compromised computer. The Trojan adds a value:
setFTPBack C:\%system%\createsw.exe