cxcx:: backdoor systems :: xcxc
the art of ethical hacking in a live show

APRIL 7TH, 2006
9:30 AM - 11:30 PM EST

TO EXPERIENCE A VISUAL SIMULATION OF G-TROJAN
(IE recommended for best result)

These days G-Trojans are quite common among hackers, although that doesn't mean they know everything these little scripts can do.
Let's look at some of the visible abilities of these tiny scripts.
  • File controls
    • Erase harddrives and other disks
    • Execute programs
    • Upload / Download
    • Copy, Delete, Move, Rename
  • Monitoring
    • Can see your screen as you see it
    • Log any/all keypresses (even hidden passwords)
    • Move mouse
    • Open/close/move windows
  • Network control
    • Can close connections
    • Can see all open connections to and from your computer
    • Can 'bounce' or relay connections through your system, so that wherever they connect it looks as if you are doing it. This is how they avoid getting caught breaking into other computer systems, and how you get in trouble instead!


Name: Backdoor-G, Backdoor-G2.svr.21
Alias: Sub7, Subseven, Backdoor-G2, Backdoor-G2.gen, Backdoor-G2.svr.20, Subseven v2.0, v2.1, v2.1 Gold
Variants: Backdoor-G, Backdoor-G.svr

It is a Windows 9x internet backdoor trojan.
By default the trojan uses TCP port 27374, but the port is configurable with the program. (Run a firewall and you will be surprised how many scans hit that port every day; the ports to watch are 27374, 28431 and 47624.)
When it is running it gives unlimited access to the system (your computer) to anyone running the matching client software. Your computer is the server at that point.
The trojan installs 3 files, in Windows and Windows\System.
The main exe is installed in the Windows folder
(NoName.exe; the filename can be changed with the trojan's configuration program).
It is used to load the main trojan server,
which is started from the run line of WIN.INI: Run=MSREXE.EXE
In HKEY_CLASSES_ROOT a key named .dl is created.
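As an added example (not from the original page), the following Python script triages a firewall log for probes on the ports named above and separates the probes the firewall blocked from the ones it let through. The log format and the log lines are constructed for this example; adapt LINE_RE to whatever your own firewall writes.

```python
# Added example (not part of the original page): triage a firewall log for
# probes against the ports this page associates with Backdoor-G / SubSeven.
# The log lines below are constructed and use a simplified
# "date time ACTION PROTO src:sport -> dst:dport" format; real firewalls
# differ, so adapt LINE_RE to yours.
import re
from collections import Counter

# Ports named on the page; 27374 is the SubSeven default listener.
TROJAN_PORTS = {27374, 28431, 47624}

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>DENY|ALLOW) (?P<proto>TCP|UDP) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+) -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)$"
)

# Constructed sample log (addresses are documentation ranges, not real hosts).
SAMPLE_LOG = """\
2006-04-07 09:31:02 DENY TCP 203.0.113.5:4021 -> 192.0.2.10:27374
2006-04-07 09:31:03 DENY TCP 203.0.113.5:4022 -> 192.0.2.10:27374
2006-04-07 09:31:05 DENY TCP 203.0.113.5:4023 -> 192.0.2.10:28431
2006-04-07 09:40:11 ALLOW TCP 198.51.100.9:1033 -> 192.0.2.10:80
2006-04-07 09:41:17 DENY UDP 198.51.100.9:1034 -> 192.0.2.10:27374
2006-04-07 10:02:44 ALLOW TCP 198.51.100.77:2210 -> 192.0.2.10:27374
this line is deliberately malformed and must be skipped
"""


def parse_line(line):
    """Return the fields of one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def triage(lines):
    """Count TCP probes per (source, port) on the trojan ports and collect
    the ones the firewall let through: those reached the host, so it must be
    checked for a listener on that port."""
    probes = Counter()
    reached = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"] != "TCP" or rec["dport"] not in TROJAN_PORTS:
            continue
        probes[(rec["src"], rec["dport"])] += 1
        if rec["action"] == "ALLOW":
            reached.append((rec["ts"], rec["src"], rec["dport"]))
    return probes, reached


def report(lines):
    """Human-readable summary, most active source first."""
    probes, reached = triage(lines)
    out = [f"{n} probe(s) from {src} to tcp/{port}"
           for (src, port), n in probes.most_common()]
    out += [f"ALLOWED {ts} {src} -> tcp/{port}: verify nothing listens on {port}"
            for ts, src, port in reached]
    return out


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG.splitlines())))
```

A blocked probe is only noise; an allowed connection to 27374 is the line that matters, because it means the port was reachable and the host has to be checked for a server with the removal steps further down.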

Removal

On the Windows taskbar, click Start and then Run.
Type regedit (for Windows 9x) or regedt32 (for Windows NT) and press Enter.
Modify the following registry value, found under these keys:
HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command
HKEY_CLASSES_ROOT\exefile\shell\open\command
The default value of this key must contain only "%1" %* and nothing else.
Change mueexe.exe "%1" %* back to "%1" %*
Don't forget the space between " and % ("%1"spacebar%*).
Restore this value before you delete the loader file: if mueexe.exe is gone while the value still points at it, Windows can no longer start any .exe file, regedit included.
HKEY_CLASSES_ROOT\.dl
Delete this key. The trojan creates it so that a .dl file runs like an .exe.
Delete the file Windows\System\MSREXE.exe.
Edit WIN.INI and remove the run= line reference to the trojan (run=MSREXE.exe); backdoors commonly use this line.

Optional checks:

1. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
   HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
   Delete any value that runs the main trojan.
2. Edit SYSTEM.INI and remove the shell= line reference to the trojan. It should contain only Explorer.exe.
3. Check the C:\WINDOWS\START_MENU\PROGRAMS\STARTUP folder.
   A server patch may be installed here; delete it. The program was uploaded through FTP and tries to install itself the next time you start the computer.
4. Restart your computer.

Finished.
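As an added example (not from the original page), this Python script applies the checklist above to constructed copies of WIN.INI, SYSTEM.INI, a registry export and a Startup folder listing, and reports each indicator together with the fix the checklist prescribes. The inputs, the value name WinLoader and the small REGEDIT4 parser are illustrative assumptions; on a real Windows 9x machine you would feed it the actual files (regedit /e writes the registry to a text file in this format).

```python
# Added example (not part of the original page): run the removal checklist
# above against WIN.INI, SYSTEM.INI, a "regedit /e" export and a listing of
# the Startup folder. All four inputs are constructed for the example.
import re

CLEAN_EXEFILE_COMMAND = '"%1" %*'   # correct exefile\shell\open\command value
# Filenames this page lists for Backdoor-G variants; the server's filename is
# configurable, so a name missing from this set proves nothing.
KNOWN_NAMES = {"noname.exe", "msrexe.exe", "mueexe.exe", "nodll.exe", "run.exe",
               "windows.exe", "window.exe", "server.exe", "kernel16.dl",
               "watching.dll", "lmdrk_33.dll", "backdoor-g.dll"}
EXEFILE_KEYS = (r"HKEY_CLASSES_ROOT\exefile\shell\open\command",
                r"HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command")
RUN_KEYS = (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
            r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices")

# Constructed inputs: an infected WIN.INI, a clean SYSTEM.INI, an export with
# the hijacked .exe handler, the .dl key and a made-up "WinLoader" Run value.
WIN_INI = "[windows]\nload=\nrun=MSREXE.exe\n[Desktop]\nWallpaper=(None)\n"
SYSTEM_INI = "[boot]\nshell=Explorer.exe\n[386Enh]\ndevice=*vcd\n"
REG_EXPORT = r"""REGEDIT4

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="mueexe.exe \"%1\" %*"

[HKEY_CLASSES_ROOT\.dl]
@="exefile"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"WinLoader"="C:\\WINDOWS\\SYSTEM\\MSREXE.EXE"
"""
STARTUP_FILES = ["Microsoft Office Shortcut Bar.lnk", "SERVER.exe"]


def ini_section(text, section):
    """{key: value} for one [section] of an INI file; keys lowercased."""
    out, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
        elif current == section.lower() and "=" in line and not line.startswith(";"):
            k, v = line.split("=", 1)
            out[k.strip().lower()] = v.strip()
    return out


def parse_reg_export(text):
    """Minimal REGEDIT4 parser: {key path: {value name: data}}, string values only."""
    keys, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and "=" in line:
            name, data = line.split("=", 1)
            name = "(default)" if name == "@" else name.strip('"')
            if data.startswith('"') and data.endswith('"'):
                data = re.sub(r"\\(.)", r"\1", data[1:-1])   # undo \" and \\ escapes
            keys[current][name] = data
    return keys


def known_name(command):
    """Lowercased basename of the program in a command if it is on KNOWN_NAMES, else None."""
    c = command.strip()
    prog = c[1:c.find('"', 1)] if c.startswith('"') else (c.split() or [""])[0]
    base = prog.replace("/", "\\").split("\\")[-1].lower()
    return base if base in KNOWN_NAMES else None


def loader_in_command(cmd):
    """Loader prepended to a hijacked exefile command ('mueexe.exe "%1" %*'); None if clean."""
    if cmd == CLEAN_EXEFILE_COMMAND:
        return None
    return cmd.split(CLEAN_EXEFILE_COMMAND, 1)[0].strip() or None


def check_host(win_ini, system_ini, reg_export, startup_files):
    """Return (indicator, detail, fix) tuples; an empty list means nothing found."""
    findings, reg = [], parse_reg_export(reg_export)
    for path in EXEFILE_KEYS:                              # 1. .exe handler hijack
        cmd = reg.get(path, {}).get("(default)")
        if cmd is not None and cmd != CLEAN_EXEFILE_COMMAND:
            findings.append(("exefile hijack", f"{path} = {cmd}",
                             f"restore {CLEAN_EXEFILE_COMMAND} first, then delete {loader_in_command(cmd)}"))
    if r"HKEY_CLASSES_ROOT\.dl" in reg:                    # 2. .dl registered as executable
        findings.append((".dl class key", r"HKEY_CLASSES_ROOT\.dl", "delete the key"))
    for path in RUN_KEYS:                                  # 3. Run / RunServices values
        for name, data in reg.get(path, {}).items():
            if known_name(data):
                findings.append(("autorun value", f"{path}\\{name} = {data}", "delete the value"))
    run = ini_section(win_ini, "windows").get("run", "")   # 4. WIN.INI run=
    if run:
        findings.append(("WIN.INI run=", run, "clear the run= line"))
    shell = ini_section(system_ini, "boot").get("shell", "")   # 5. SYSTEM.INI shell=
    if shell.lower() != "explorer.exe":
        findings.append(("SYSTEM.INI shell=", shell, "set shell=Explorer.exe"))
    for name in startup_files:                             # 6. Startup folder
        if known_name(name):
            findings.append(("startup folder", name, "delete the file"))
    return findings


if __name__ == "__main__":
    print(*check_host(WIN_INI, SYSTEM_INI, REG_EXPORT, STARTUP_FILES), sep="\n")
```

The fix text for the exefile hijack keeps the order the checklist depends on: restore the "%1" %* value first and delete the loader file second, because once the loader is gone every .exe launch, regedit included, fails until the value is repaired.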

Depending on the variant of Backdoor-G, files such as these may be created:
NODLL.exe (main trojan), RUN.exe, WINDOWS.exe, WINDOW.exe, SERVER.exe, KERNEL16.dl (.dl, not .dll),
WATCHING.dll or LMDRK_33.dll (in Windows\System),
MUEEXE.exe (mueexe.exe makes the operating system run the loader every time an .exe file is started),
Backdoor-G.dll (server-side program that monitors internet connections for the client),
BackDoor-G.cli and BackDoor-G.cfg (filenames can be changed)

So always be suspicious of .exe, .shs, MS Word and MS Excel file attachments.

And the files you receive from Pooyan, as well.

Copyright 2006 Pooyan.

DISCLAIMER
The curators and artists of 'Unauthorized Access' would like to express our concern about the misuse of the information contained on this website.
Any actions and/or activities related to the material contained within this website are solely your responsibility.
The 'Unauthorized Access' concept was created for information purposes only, in order to show you how hackers gain access
to your system using security flaws and programs.