Name: Barok 1.0

Main: server.exe, size 44.0 KB (45,056 bytes)

Keys: Keys added: 2

HKEY_LOCAL_MACHINE\SOFTWARE\Barok
HKEY_LOCAL_MACHINE\SOFTWARE\Barok\ver 1.0

Values added: 1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "WCheckUp"
    Type: REG_SZ
    Data: C:\WINDOWS\SYSTEM\WCheckUp.exe

Values changed: 1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Network "DisablePwdCaching"
    Old type: REG_DWORD
    New type: REG_DWORD
    Old data: 01, 00, 00, 00
    New data: 00, 00, 00, 00

Version: 1.0

Type: email password stealer

Port/s used: 25 (SMTP)

Files: C:\WINDOWS\SYSTEM\WCheckUp.exe, size 45,056 bytes

Modifies: none

Aliases: none

Behaviour: Once executed, the server starts gathering passwords from the machine it is running on and sends them out by email (port 25, SMTP). It steals RAS (dial-up) and cached passwords, together with the associated phone number, IP address, DNS address and win address.

Removal: Go to Start, then Run, type regedit and click OK. When Regedit opens, navigate to

HKEY_LOCAL_MACHINE\SOFTWARE\Barok

Right-click the Barok key and choose Delete.

Then navigate to

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Look for the value "WCheckUp", right-click it and choose Delete.
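
As an added example (not part of the original entry), the following PowerShell script audits a host for the indicators recorded above and, when run with -Remediate, removes them. It assumes an elevated prompt on a Windows version that has PowerShell; it also restores DisablePwdCaching to 1 (the "Old data" value recorded above) and deletes the dropped file, two steps the manual procedure above does not cover.

```powershell
# Added example, not part of the original Barok 1.0 entry.
# Audits a Windows host for the indicators listed above and, with -Remediate,
# undoes them. Run from an elevated PowerShell prompt.
param([switch]$Remediate)

$BarokKey  = 'HKLM:\SOFTWARE\Barok'
$RunKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Network'
$DropPath  = 'C:\WINDOWS\SYSTEM\WCheckUp.exe'   # path as recorded in the entry
$Findings  = @()

# 1. Marker key the server creates (holds the "ver 1.0" entry).
if (Test-Path $BarokKey) {
    $Findings += "Marker key present: $BarokKey"
    if ($Remediate) { Remove-Item -Path $BarokKey -Recurse -Force }
}

# 2. Persistence: Run value "WCheckUp" pointing at the dropped server.
$run = Get-ItemProperty -Path $RunKey -Name 'WCheckUp' -ErrorAction SilentlyContinue
if ($run) {
    $Findings += "Run value present: WCheckUp = $($run.WCheckUp)"
    if ($Remediate) { Remove-ItemProperty -Path $RunKey -Name 'WCheckUp' -Force }
}

# 3. Policy tampering: DisablePwdCaching flipped from 1 to 0, which turns
#    Windows password caching back on. The entry records the old value as 1.
$pol = Get-ItemProperty -Path $PolicyKey -Name 'DisablePwdCaching' -ErrorAction SilentlyContinue
if ($pol -and $pol.DisablePwdCaching -eq 0) {
    $Findings += 'DisablePwdCaching is 0 (was 1 before infection)'
    if ($Remediate) { Set-ItemProperty -Path $PolicyKey -Name 'DisablePwdCaching' -Value 1 -Type DWord }
}

# 4. The dropped file; the entry gives its size as 45,056 bytes.
if (Test-Path $DropPath) {
    $size = (Get-Item $DropPath).Length
    $Findings += "File present: $DropPath ($size bytes; entry says 45,056)"
    if ($Remediate) { Remove-Item -Path $DropPath -Force }
}

if ($Findings.Count -eq 0) {
    Write-Output 'No Barok 1.0 indicators found.'
} else {
    $Findings | ForEach-Object { Write-Output "[!] $_" }
    if (-not $Remediate) { Write-Output 'Re-run with -Remediate to remove them.' }
}
```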


Special: This is an easier-to-use client for the Back Orifice trojan. It also has some functions not found in Back Orifice; the most unusual is the search-for-resume feature, which looks for the victim's resume (this gives the hacker a lot of information about his/her victim).

Author: spider, GRAMMERSoft Group

Notes: This program relies on the user having the Back Orifice client; if that is not found, it will not work.