Name: Asylum 0.1.3

 

Main: server.exe, size 7.00 KB (7,168 bytes)

 

Keys:  NA

Version: 0.1.3

 

Type: Remote access/administration

 

Port/s used: 23432

 

Files:   none

 

Modifies:  c:\windows\system.ini, [boot] "shell"
               Old value: Explorer.exe
               New value: explorer.exe Winload.exe  (12 bytes difference)

           c:\windows\win.ini, [windows] "run"
               Old value: (empty)
               New value: C:\WINDOWS\Winload.exe  (14 bytes difference)

 

Aliases: none    

 

Behaviour: once executed, the server tries to connect to the internet using the default dial-up networking connection; it then performs an illegal operation and shuts itself down. The test machine was running Windows ME, so it may actually work on other versions of Windows.

 

Removal: go to Start, then Find, and search for win.ini. When found, double-click it and it will open in Windows Notepad. Look for the heading [windows] near the top; under that heading look for run=C:\WINDOWS\Winload.exe and delete the C:\WINDOWS\Winload.exe part so the line reads run= (nothing after the equals sign). Close win.ini and choose to save changes.

Now open system.ini the same way and look for the heading [boot]; under that heading look for shell=explorer.exe Winload.exe and delete the Winload.exe part so the line reads shell=explorer.exe. Close and save changes.

Reboot, then delete c:\WINDOWS\Winload.exe (size: 7,168 bytes).
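The two edits above are the whole of the persistence mechanism: one extra token on the [boot] shell= line of system.ini and a non-empty [windows] run= line in win.ini. The following script is an added illustration (not code from this entry or from the trojan's author) that checks copies of those two files for exactly these modifications and produces cleaned contents with the rest of each file left untouched. The file contents embedded below are constructed to match the "Modifies" section; on a real Windows 9x/ME machine you would read C:\WINDOWS\system.ini and C:\WINDOWS\win.ini instead.

```python
"""Check win.ini / system.ini for the autostart entries described above and
produce cleaned copies. Added example; the sample contents are constructed."""
import re

# Constructed sample files, modelled on the "Modifies" section of this entry.
SAMPLE_SYSTEM_INI = "[boot]\nshell=explorer.exe Winload.exe\ndrivers=mmsystem.dll\n"
SAMPLE_WIN_INI = "[windows]\nload=\nrun=C:\\WINDOWS\\Winload.exe\n[Desktop]\nWallpaper=(None)\n"

SECTION_RE = re.compile(r"\[(.*)\]$")


def find_ini_value(text, section, key):
    """Return the value of `key` in `[section]` (case-insensitive), or None if absent."""
    current = None
    for line in text.splitlines():
        stripped = line.strip()
        m = SECTION_RE.match(stripped)
        if m:
            current = m.group(1).lower()
            continue
        if current == section.lower() and "=" in stripped:
            k, v = stripped.split("=", 1)
            if k.strip().lower() == key.lower():
                return v.strip()
    return None


def check_autostart(system_ini, win_ini):
    """Return findings as (file, section, key, full value, suspicious part).

    system.ini [boot] shell= should name only explorer.exe; anything else on the
    line is an extra program launched with the shell. win.ini [windows] run=
    should normally be empty on a clean machine, so any value is reported for review.
    """
    findings = []
    shell = find_ini_value(system_ini, "boot", "shell")
    if shell is not None:
        extra = [p for p in shell.split() if p.lower() != "explorer.exe"]
        if extra:
            findings.append(("system.ini", "boot", "shell", shell, " ".join(extra)))
    run = find_ini_value(win_ini, "windows", "run")
    if run:
        findings.append(("win.ini", "windows", "run", run, run))
    return findings


def clean_ini(text, section, key, new_value):
    """Rewrite `key=...` inside `[section]` to `key=new_value`, keeping all other lines."""
    out, current = [], None
    for line in text.splitlines():
        stripped = line.strip()
        m = SECTION_RE.match(stripped)
        if m:
            current = m.group(1).lower()
        elif current == section.lower() and "=" in stripped:
            k = stripped.split("=", 1)[0].strip()
            if k.lower() == key.lower():
                line = f"{k}={new_value}"  # same key, value replaced
        out.append(line)
    return "\n".join(out) + "\n"


def remediate(system_ini, win_ini):
    """Apply the removal steps from this entry: shell=explorer.exe and run= (empty)."""
    return (clean_ini(system_ini, "boot", "shell", "explorer.exe"),
            clean_ini(win_ini, "windows", "run", ""))


if __name__ == "__main__":
    for f in check_autostart(SAMPLE_SYSTEM_INI, SAMPLE_WIN_INI):
        print("suspicious: %s [%s] %s=%s  (extra: %s)" % f)
    fixed_sys, fixed_win = remediate(SAMPLE_SYSTEM_INI, SAMPLE_WIN_INI)
    print("after cleaning:", check_autostart(fixed_sys, fixed_win))
```

The checker only reports; the cleaning step is separate so a non-empty run= line that belongs to legitimate software can be reviewed before anything is changed, and the unrelated lines (drivers=, load=, [Desktop]) survive the rewrite.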

 

Special: the server file for this trojan is tiny and could easily be bound to another executable without making much difference in file size. The server is also configurable, allowing the hacker to be contacted via ICQ pager messages informing them of the victim's IP number and the port that has been opened.

 

Author: Slim

 

Notes: the server didn’t work on the test machine; it infected but would shut itself down due to errors.