Name: 23

 

Main: ²³Server.exe 11.5 KB (11,776 bytes)

 

Keys: Keys added: 2

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\StillImage

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\StillImage\Registered Applications

 

Keys deleted: 1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce

 

Values added: 3

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count "HRZR_EHACNGU:P:\hamvccrq\23\23\Freire Snpgbel\²³Freire.rkr"

                        Type: REG_BINARY

                        Data: 49, 00, 00, 00, 06, 00, 00, 00, 20, AE, 7E, 6D, FB, 1D, C1, 01

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\StillImage\Registered Applications "Imaging"

                        Type: REG_SZ

                        Data: C:\WINDOWS\KodakImg.Exe /StiDevice:%1 /StiEvent:%2

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\StillImage\Registered Applications "PhotoImpact"

                        Type: REG_SZ

                        Data: C:\PROGRAM FILES\ULEAD SYSTEMS\ULEAD PHOTOIMPACT 6\IEDIT.EXE /StiDevice:%1 /StiEvent:%2
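The UserAssist value recorded above is the most useful forensic artifact in this listing: Windows stores the launched path ROT13-obfuscated in the value name, and the 16-byte REG_BINARY data carries a session id, a run counter and a last-run FILETIME. The following Python decoder is an added example, not part of the original listing; the value name and data bytes are copied from the entry above, and the interpretation of the counter as being offset by 5 in the pre-Windows 7 UserAssist format is the widely documented reading of that field, not something this page states.

```python
import struct
from datetime import datetime, timedelta, timezone

# Copied from the UserAssist entry recorded for this sample:
# ROT13-obfuscated value name and its 16-byte REG_BINARY data.
USERASSIST_NAME = r"HRZR_EHACNGU:P:\hamvccrq\23\23\Freire Snpgbel\²³Freire.rkr"
USERASSIST_DATA = bytes.fromhex("49000000" "06000000" "20AE7E6DFB1DC101")

_ROT13 = str.maketrans(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz",
    "NOPQRSTUVWXYZABCDEFGHIJKLMnopqrstuvwxyzabcdefghijklm",
)


def rot13(text: str) -> str:
    """ROT13 is its own inverse. Only ASCII letters rotate, so the drive
    letter, digits, backslashes and the superscript characters in this
    value name pass through unchanged."""
    return text.translate(_ROT13)


def filetime_to_datetime(ft: int) -> datetime:
    """Windows FILETIME: 100 ns ticks since 1601-01-01 00:00 UTC."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)


def parse_userassist(name: str, data: bytes) -> dict:
    """Decode one pre-Windows 7 UserAssist entry.

    Data layout, little-endian: session id (uint32), run counter (uint32),
    last-run FILETIME (uint64). In this format the counter is stored
    offset by 5 (assumption documented in the lead-in), so a stored 6
    means one launch. A zero FILETIME is reported as 'never run'.
    """
    if len(data) < 16:
        raise ValueError("UserAssist data shorter than 16 bytes")
    session, count, ft = struct.unpack("<IIQ", data[:16])
    decoded = rot13(name)
    prefix, _, path = decoded.partition(":")   # split on the first colon only
    return {
        "prefix": prefix,                      # e.g. UEME_RUNPATH: run by path
        "path": path,                          # the de-obfuscated executable path
        "session": session,
        "run_count": max(count - 5, 0),
        "last_run_utc": filetime_to_datetime(ft) if ft else None,
    }


if __name__ == "__main__":
    entry = parse_userassist(USERASSIST_NAME, USERASSIST_DATA)
    for key, value in entry.items():
        print(f"{key}: {value}")
```

Running it shows that the entry records a single launch of the server from the unpacked "Server Factory" folder, with the timestamp of that launch; the same decoder can be run over every value under the UserAssist Count key when timelining what a user executed.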

 

Version: NA

 

Type: remote access trojan

 

Port/s used: 80 tcp

 

Files: Files added: 2

c:\WINDOWS\Shedule.exe Size: 11,776 bytes

c:\WINDOWS\SYSTEM\VMM32\Ebios32.vxd Size: 6,000 bytes

 

Modifies: none

 

Aliases:  none

 

Behaviour: once executed, the server runs hidden and opens its port only when a connection to the internet is detected. The server also has a "real stealth" option, meaning it can hide from process viewers by using VxD drivers to run concealed.

 

Removal: Open regedit (click Start, choose Run, type regedit, then click OK).

Navigate to this key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\StillImage

Right-click the StillImage key and choose Delete.

 

Delete c:\WINDOWS\SYSTEM\VMM32\Ebios32.vxd (6,000 bytes), then reboot.

 

Finally, delete c:\WINDOWS\Shedule.exe (11,776 bytes).

 

Special: Uses an uncommon registry entry (the StillImage key listed above) to make detection difficult. The server is very small and is easily configured with the server factory tool that comes with the trojan.

Read the notes section for more information.

 

Author: w0w (world of wonder)

 

Notes: This is a very dangerous trojan; at the time of testing it was not detected by any anti-virus or anti-trojan software. The server has some unique features, such as guestbook CGI notification: the hacker sets up a web page with a CGI guestbook on his/her site, and every time the victim comes online an entry is made in that guestbook, alerting the hacker that the victim is online. Another boasted feature is the ability to hide from process managers and viewers; it is assumed that the trojan uses VxD drivers for this, similar to the ring0 method.

 

The server also has the ability to kill the following security-related software on the victim's machine:

AtGuard Firewall

Norton Firewall

McAfee Firewall

ConSeal Firewall

Sphinx Firewall

ZoneAlarm Firewall

BlackICE

The Cleaner Monitor

LockDown Disconnection Mode

LockDown Network Monitor

LockDown Process Monitor

LockDown 2000 Auto-Update

LockDown Connection Monitor

File Monitor

Registry Monitor

TDS-3 Professional