Red Hat NETSCAPE ENTERPRISE SERVER 6.1 - 08-2002 ADMINISTRATOR User Manual Page 32

NIPC CyberNotes #2002-12 Page 32 of 33 06/17/2002
to the registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Backdoor.GSpot (Alias: Trojan.W32.G-Spot): This is a Trojan horse which allows unauthorized access
to an infected computer by using the GSpot client program. It is the server portion of the GSpot client. If it
is installed, it drops the file \Windows\System\Msregdrv32.exe. It adds the value, “Video Driver,” to the
registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
When installed, the Trojan displays the file \Windows\Temp\Temp2.jpg. This file is not malicious and can
be deleted. It also drops the file \Windows\Temp\Temp1.exe, which is identical to Msregdev32.exe, and
should also be deleted. This Delphi code uses sockets to look for open ICQ connections and possible hosts.
Backdoor.Latinus (Alias: Backdoor.Trojan): Backdoor.Latinus allows a malicious user to remotely
control an infected computer. There are numerous versions of this Trojan.
Backdoor.Nota: This is a typical Backdoor Trojan that allows a malicious user to gain access to and
remotely control an infected computer. The Trojan program is written in the Delphi programming language
and compressed with UPX. When Backdoor.Nota runs, it copies itself as:
C:\%System%\ActiveDesktop.exe
C:\%Windows%\Mdm.exe
C:\%Windows%\winfat32.exe
C:\%Windows%\All Users\Start Menu\Programs\StartUp\Explorer.exe
It modifies the following system files:
C:\Windows\Win.ini. It adds the following lines to the [Windows] section:
load=run=SYSTEM\ActiveDesktop.exe
NullPort=None
C:\Windows\System.ini. It adds the following line:
shell=Explorer.exe winfat32.exe
These changes cause the Trojan to be executed automatically when you start Windows. The Trojan opens
numerous TCP ports, including 61337 and other randomly chosen ports, to give the remote malicious user
unobstructed access to the compromised computer. The Trojan may drop the following files:
C:\%Windows%\Scpt.sys
C:\%Windows%\Temp254.ini
The Trojan uses these files to store stolen information.
Backdoor.Tron: This is a backdoor Trojan that allows unauthorized access to an infected system. This
backdoor attempts to kill the processes of several versions of the ZoneAlarm firewall and Tiny Personal
Firewall (version 2.0.15.0); this allows Backdoor.Tron to gain access to the system without being detected
by those firewalls.
BDS/ConLoader: This is a backdoor server program. It will potentially allow someone with malicious
intent backdoor access to your computer. If executed, the Trojan adds the following file to the \windows\
directory, "@ye." So that it gets run each time a user restarts their computer, the following registry key gets
added:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
"Configuration Loader"="@ýe"
TR/Win32.Rewin: Like other Trojans, TR/Win32.Rewin would potentially allow someone with malicious
intent backdoor access to your computer. If executed, the Trojan adds the following file to the \windows\
directory, "winrep.com." Additionally, the file "Dialer.com" also gets created in the \windows\%system%
directory. So that it gets run each time a user restarts their computer, the following registry keys get added:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"Win32RG"="c:\\windows\\Winrep.com"
"Win32GR"="c:\\windows\\system\\Dialer.com"
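As an added, defender-side example (not part of the CyberNotes text), the following Python checks the autostart locations described in the Backdoor.Nota, BDS/ConLoader and TR/Win32.Rewin entries above (win.ini load=/run=, system.ini shell=, and Run/RunServices values) for the filenames and value names the advisory lists. The INI contents and registry values are constructed samples passed in as text and a dict; the script does not read a live system.

```python
import re

# Filenames and registry value names quoted in the advisory text above.
SUSPECT_FILES = {"msregdrv32.exe", "activedesktop.exe", "mdm.exe",
                 "winfat32.exe", "@\u00fde", "winrep.com", "dialer.com"}
SUSPECT_VALUE_NAMES = {"video driver", "configuration loader", "win32rg", "win32gr"}

def parse_ini(text):
    """Minimal INI parser returning {section: [(key, value), ...]}; keeps
    duplicate keys and odd lines such as 'load=run=...' as one pair."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = m.group(1).lower()
            sections.setdefault(current, [])
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current].append((key.strip().lower(), value.strip()))
    return sections

def basename(token):
    return token.replace("/", "\\").rsplit("\\", 1)[-1].strip('"').lower()

def check_autostart(win_ini, system_ini, run_values):
    """Return (location, raw_entry) pairs that reference a suspect file or value name."""
    findings = []
    autostart = [("win.ini", k, v) for k, v in parse_ini(win_ini).get("windows", [])
                 if k in ("load", "run")]
    autostart += [("system.ini", k, v) for k, v in parse_ini(system_ini).get("boot", [])
                  if k == "shell"]
    for location, key, value in autostart:
        # A value may list several programs, or nest a second 'run=' as on the page.
        if any(basename(t) in SUSPECT_FILES for t in re.split(r"[\s=]+", value)):
            findings.append((location, f"{key}={value}"))
    for name, data in run_values.items():
        if name.lower() in SUSPECT_VALUE_NAMES or basename(data) in SUSPECT_FILES:
            findings.append(("registry", f'"{name}"="{data}"'))
    return findings

# Constructed samples mirroring the Backdoor.Nota and TR/Win32.Rewin entries.
SAMPLE_WIN_INI = "[windows]\nload=run=SYSTEM\\ActiveDesktop.exe\nNullPort=None\n"
SAMPLE_SYSTEM_INI = "[boot]\nshell=Explorer.exe winfat32.exe\n"
SAMPLE_RUN = {"SystemTray": "SysTray.Exe", "Win32RG": r"c:\windows\Winrep.com"}

if __name__ == "__main__":
    for hit in check_autostart(SAMPLE_WIN_INI, SAMPLE_SYSTEM_INI, SAMPLE_RUN):
        print(hit)
```

On a real host the same functions would be fed the contents of the two INI files and the values exported from the Run and RunServices keys; the matching is by file basename, so path variations do not matter.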