RASTABT
Latest virus threats. 1st July 2003
Backdoor.Kodalo is a Backdoor Trojan Horse that gives the author of the Trojan full access to an infected computer. By default, the Trojan listens on port 25025, 25026, or 25044.
When Backdoor.Kodalo is executed, it does the following:
Copies itself as %System%\PowerManager.exe. The file attributes are set to Archive and Hidden.
NOTE: %System% is a variable. The Trojan locates the System folder and copies itself to that location. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
Adds the value:
"Power Manager"="%System%\powermanager.exe"
to the registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Registers itself as a service process.
Listens on port 25025 and waits for commands from the Trojan's author.
Backdoor.Dsklite.cli is the client side of Backdoor.Dsklite, and allows unauthorized access to an infected computer. This Trojan Horse is written in Microsoft Visual Basic and may or may not be packed.
Backdoor.Dsklite.cli uses configurable ports to connect a client to a server. A client may create multiple server profiles. When run, this Trojan gives the attacker the ability to:
Stop antivirus and firewall software on the server.
Manipulate files and directories.
Edit registries.
Capture screen shots and password information.
Enable the Webcam.
Stop the server processes altogether.
Chat with and harass the user of the server.
The Trojan stores its information in HKEY_LOCAL_MACHINE\Software\DSK.
Further, the attacker may save the server executable in a UPX- or FSG-packed file, or in an unpacked file.
Backdoor.Dsklite is a Backdoor Trojan Horse that gives the author of the Trojan full access to an infected computer. By default, this Trojan listens on port 890.
When Backdoor.Dsklite is executed, it does the following:
If it is the first time that the Trojan is run, it displays a fake message with the title "Error." Refer to the illustration in the Technical Details section for a representation of this message.
Backdoor.Dsklite is written in Microsoft Visual Basic (VB). The VB run-time libraries are required to execute Backdoor.Dsklite.
Copies itself as %Windir%\Winlogon.exe.
NOTE: %Windir% is a variable. The Trojan locates the Windows installation folder (by default, this is C:\Windows or C:\Winnt) and copies itself to that location.
Inserts and executes the batch file, %System%\Kernel.bat, to terminate several security products.
NOTE: %System% is a variable. The Trojan locates the System folder and inserts a malicious batch file to that location. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
Removes all the entries from the following registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Adds the value:
"Windows Logon Application"="%Windir%\winlogon.exe"
to the registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sends notifications to the author of the Trojan through the Internet and ICQ.
Listens on port 890 and waits for commands from the Trojan's author.
More info can be found at Virus Threats.
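A triage check for the indicators both advisories list (the Run-key values, the dropped files and the default listening ports), as an added example that is not part of the original post: it runs over artefacts already collected from a host (a dump of the Run key, netstat -an output and a file listing), and the sample data it carries is constructed.

```python
"""Triage of host artefacts for the Backdoor.Kodalo / Backdoor.Dsklite indicators
named in the advisory. The sample inputs are constructed, not real captures."""
import re

# Indicator -> family, all taken from the advisory text.
RUN_VALUES = {"power manager": "Backdoor.Kodalo",
              "windows logon application": "Backdoor.Dsklite"}
DROPPED_FILES = {"powermanager.exe": "Backdoor.Kodalo", "kernel.bat": "Backdoor.Dsklite"}
LISTEN_PORTS = {25025: "Backdoor.Kodalo", 25026: "Backdoor.Kodalo",
                25044: "Backdoor.Kodalo", 890: "Backdoor.Dsklite"}

def check_run_key(values):
    """values: {name: data} dumped from HKLM\\...\\CurrentVersion\\Run."""
    return [(RUN_VALUES[n.lower()], f"Run value {n!r} = {d}")
            for n, d in values.items() if n.lower() in RUN_VALUES]

def check_listeners(netstat_lines):
    """Flag TCP sockets in LISTENING state on the advisory's default ports."""
    hits = []
    for line in netstat_lines:
        m = re.match(r"\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING", line)
        if m and int(m.group(1)) in LISTEN_PORTS:
            hits.append((LISTEN_PORTS[int(m.group(1))], f"TCP/{m.group(1)} listening"))
    return hits

def check_files(paths):
    """Flag the dropped file names. The genuine winlogon.exe lives in System32, so a
    copy directly under %Windir% (as the advisory describes) is the suspicious one."""
    hits = []
    for p in paths:
        parts = p.lower().split("\\")
        name, parent = parts[-1], parts[-2] if len(parts) > 1 else ""
        if name in DROPPED_FILES:
            hits.append((DROPPED_FILES[name], p))
        elif name == "winlogon.exe" and parent != "system32":
            hits.append(("Backdoor.Dsklite", p))
    return hits

# Constructed sample artefacts: one Kodalo and one Dsklite indicator set plus benign noise.
SAMPLE_RUN = {"Power Manager": r"C:\WINNT\System32\powermanager.exe", "ctfmon.exe": "ctfmon.exe"}
SAMPLE_NETSTAT = ["  TCP    0.0.0.0:135      0.0.0.0:0    LISTENING",
                  "  TCP    0.0.0.0:25025    0.0.0.0:0    LISTENING",
                  "  TCP    0.0.0.0:890      0.0.0.0:0    LISTENING",
                  "  TCP    10.0.0.5:1044    10.0.0.9:890 ESTABLISHED"]
SAMPLE_FILES = [r"C:\WINNT\Winlogon.exe", r"C:\WINNT\System32\winlogon.exe",
                r"C:\WINNT\System32\Kernel.bat", r"C:\WINNT\System32\calc.exe"]

def triage(run=SAMPLE_RUN, netstat=SAMPLE_NETSTAT, files=SAMPLE_FILES):
    """Return all (family, evidence) hits; an empty list means no indicator matched."""
    return check_run_key(run) + check_listeners(netstat) + check_files(files)
```

On the constructed sample, triage() reports two Kodalo hits (the Run value and TCP/25025) and three Dsklite hits (TCP/890, the winlogon.exe copy outside System32 and Kernel.bat), while the legitimate System32\winlogon.exe and the established connection to a remote port 890 are left alone.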