Name: BackConstruction 2.5

 

Main: Server.exe Size: 189,440 bytes

 

Keys: values added: 2

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count "HRZR_EHACNGU:P:\hamvccrq\OnpxPbafgehpgvba2.5\Freire.rkr"

                        Type: REG_BINARY

                        Data: 5F, 00, 00, 00, 06, 00, 00, 00, E0, 88, 47, 1D, 4E, BD, C0, 01

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Shell"

                        Type: REG_SZ

                        Data: C:\WINDOWS\Cmctl32.exe
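The UserAssist value name above is ROT13-encoded and its 16-byte data is the Windows XP record layout (session id, run count, last-run FILETIME). The script below, an added example rather than part of this entry, decodes both values as a forensic analyst would and flags the Run-key persistence pattern; the constructed inputs are the two registry values listed above, and the assumption that XP stores the run count with an offset of 5 is noted in the code.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# Constructed from the two registry values recorded in this entry.
USERASSIST_NAME = r"HRZR_EHACNGU:P:\hamvccrq\OnpxPbafgehpgvba2.5\Freire.rkr"
USERASSIST_DATA = bytes.fromhex("5F000000" "06000000" "E088471D4EBDC001")
RUN_VALUES = {"Shell": r"C:\WINDOWS\Cmctl32.exe"}  # HKCU\...\CurrentVersion\Run

WINDOWS_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
XP_COUNT_OFFSET = 5  # assumption: XP stores the count starting at 5


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME is a count of 100-ns ticks since 1601-01-01 UTC."""
    return WINDOWS_EPOCH + timedelta(microseconds=ft // 10)


def parse_userassist(name: str, data: bytes) -> dict:
    """Decode one XP UserAssist entry: ROT13 value name plus a 16-byte
    little-endian record of session id, raw run count and FILETIME."""
    if len(data) != 16:
        raise ValueError("expected a 16-byte XP UserAssist record")
    session, count, ft = struct.unpack("<IIQ", data)
    return {
        "path": codecs.decode(name, "rot_13"),
        "session": session,
        "count": count,
        "runs": max(count - XP_COUNT_OFFSET, 0),
        "last_run": filetime_to_datetime(ft),
    }


def suspicious_run_values(values: dict) -> list:
    """Flag Run-key values whose target is an .exe sitting directly in
    C:\\WINDOWS, the drop location this trojan uses for persistence."""
    hits = []
    for name, target in values.items():
        t = target.lower()
        if t.startswith("c:\\windows\\") and t.count("\\") == 2 and t.endswith(".exe"):
            hits.append((name, target))
    return hits
```

Run against the values above, parse_userassist yields the original launch path of Server.exe with its last-run time, and suspicious_run_values returns the "Shell" entry pointing at Cmctl32.exe.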

 

Version: 2.5

 

Type: remote access file server

 

Port/s used: 5401, 5402 and 666 tcp

 

Files: c:\WINDOWS\Cmctl32.exe Size: 189,440 bytes

 

Modifies: deletes c:\unzipped\BackConstruction2.5\Server.exe Size: 189,440 bytes

 

Aliases: none

 

Behaviour: Once executed, the trojan deletes its original server file and drops a copy at:

c:\WINDOWS\Cmctl32.exe Size: 189,440 bytes

 

Removal: click Start, and go to Run. In the box, type regedit and click OK.

When regedit starts, you will see a folder-like tree in the left-hand panel. Open the folders to follow the path:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\

(The Keys section above records the value under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, so check that path as well.)

Look for a value named "Shell", right-click on it and choose Delete.

Reboot, then find and delete the following file:  c:\WINDOWS\Cmctl32.exe Size: 189,440 bytes

 

Special: this trojan can use the infected machine as an SMTP server, allowing spam or anonymous email to be sent by the hacker through the infected machine, effectively "framing" the infected machine as the sender.

 

Author: p23h

 

Notes: This trojan simply opens a file server on the infected computer, allowing full read/write access to its files.