Name: Backend

 

Main: backend.exe size 101 KB (103,556 bytes)

 

Keys:  Values added: 1

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count "HRZR_EHACNGU:P:\hamvccrq\OnpxRaq\ONPXRAQ.RKR"

                        Type: REG_BINARY

                        Data: 68, 00, 00, 00, 06, 00, 00, 00, 60, B7, 27, 23, D2, C2, C0, 01

 

Values changed: 1

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count "HRZR_EHACNGU"

                        Old type: REG_BINARY

                        New type: REG_BINARY

                        Old data: 68, 00, 00, 00, 82, 02, 00, 00, 20, A5, 66, EB, D1, C2, C0, 01

                        New data: 68, 00, 00, 00, 83, 02, 00, 00, 60, B7, 27, 23, D2, C2, C0, 01
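The two UserAssist values above are the forensically useful part of this entry: the value name is ROT13-obfuscated and the 16-byte REG_BINARY data is a session id, a run counter and a FILETIME of the last run. The following decoder is an added example, not part of the original entry; the byte strings are the values listed above re-typed as constructed input. It assumes the 16-byte Windows 2000/XP record layout (where the counter starts at 5, so real runs = counter - 5) and does not handle the 72-byte format used by Windows 7 and later.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# Constructed sample: the two UserAssist\Count values listed in this entry.
SAMPLE_VALUES = {
    "HRZR_EHACNGU:P:\\hamvccrq\\OnpxRaq\\ONPXRAQ.RKR":
        bytes.fromhex("680000000600000060B72723D2C2C001"),
    "HRZR_EHACNGU":
        bytes.fromhex("680000008302000060B72723D2C2C001"),
}

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(filetime):
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to a datetime."""
    if filetime == 0:
        return None  # never run, or no timestamp recorded
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def decode_userassist(value_name, data):
    """Decode one 16-byte Windows 2000/XP UserAssist\\Count value.

    Layout: uint32 session id, uint32 run counter, FILETIME of last run.
    The value name is ROT13-obfuscated. On these Windows versions the
    counter starts at 5, so the real number of executions is counter - 5.
    """
    if len(data) != 16:
        raise ValueError("expected a 16-byte record, got %d bytes" % len(data))
    session, counter, filetime = struct.unpack("<IIQ", data)
    return {
        "name": codecs.decode(value_name, "rot_13"),
        "session": session,
        "counter": counter,
        "runs": counter - 5 if counter >= 5 else counter,
        "last_run": filetime_to_datetime(filetime),
    }


def decode_all(values=SAMPLE_VALUES):
    """Decode every value of a Count subkey; returns a list of dicts in key order."""
    return [decode_userassist(name, data) for name, data in values.items()]


if __name__ == "__main__":
    for entry in decode_all():
        print(entry["name"], "runs=%d" % entry["runs"], entry["last_run"])
```

The first value decodes to UEME_RUNPATH:C:\unzipped\BackEnd\BACKEND.EXE with a single execution; the second is the per-session UEME_RUNPATH summary counter that the "values changed" block shows incrementing by one.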

 

 

Version: NA

 

Type: remote administration client for Back Orifice

 

Port(s) used: default port 31337/UDP

 

Files: c:\backend.ini (4 bytes), c:\ipadd.dat (0 bytes)

 

Modifies: none

 

Aliases:  Back Orifice

 

Behaviour: This is not a trojan server and does not infect the host. Once executed, it creates two files in C:\, one called backend.ini and the other ipadd.dat.

 

Removal: not applicable; the program does not infect the host.

 

Special: This is an easier-to-use client for the Back Orifice trojan. It also has some functions not found in the standard Back Orifice client; one of the more distinctive is a "search for resume" feature that looks for the victim's resume, which gives the attacker a great deal of personal information about the victim.

 

Author: NA

 

Notes: This program relies on the user already having the Back Orifice client installed; if it is not found, the program will not work.