Name: Bigluk

Main: tnsrv.exe 124 KB (127,488 bytes)

Keys added: 1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NetDDU

Values added: 2

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NetDDU "TCount"
    Type: REG_DWORD
    Data: 00, 00, 00, 00

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Windll.exe"
    Type: REG_SZ
    Data: C:\WINDOWS\Windll.exe

Version: NA

Type: Remote access trojan

Port/s used: 34324 tcp

Files: C:\WINDOWS\Windll.exe Size: 127,488 bytes

Modifies: none

Aliases: none

Behaviour: Once executed, the trojan creates the file Windll.exe but does not delete the original server file. It does not run in stealth: the process is plainly visible in the task list reached by pressing Ctrl-Alt-Del.

Removal: Press Ctrl-Alt-Del, select Windll in the task list and choose End Task. Then go to C:\WINDOWS and delete Windll.exe (127,488 bytes).

-Now open regedit (go to Run, type regedit and click OK) and follow this path:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Look for the Windll.exe value and delete it.

-Using regedit again, follow this path:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NetDDU

Right-click on NetDDU and choose Delete.

 
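The removal steps above are manual. As an added example (not part of the original entry), the following read-only PowerShell check looks for every indicator this entry lists: the dropped file, the Run value, the NetDDU marker key, the running process and the 34324/tcp listener. It assumes a modern Windows host with PowerShell 5 or later; Get-NetTCPConnection needs Windows 8 / Server 2012 or newer.

```powershell
# Added example: read-only check for the Bigluk indicators listed in this entry.
# Assumes PowerShell 5+ on a modern Windows host; nothing is deleted or changed.
function Test-BiglukIndicators {
    $findings = @()

    # 1. Dropped file: C:\WINDOWS\Windll.exe, 127,488 bytes per the entry
    $path = Join-Path $env:SystemRoot 'Windll.exe'
    if (Test-Path -LiteralPath $path) {
        $size = (Get-Item -LiteralPath $path).Length
        $findings += "File present: $path ($size bytes; entry lists 127488)"
    }

    # 2. Persistence: Run value "Windll.exe"
    $runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -Path $runKey -Name 'Windll.exe' -ErrorAction SilentlyContinue
    if ($run) {
        $findings += "Run value present: Windll.exe = $($run.'Windll.exe')"
    }

    # 3. Marker key HKLM\SOFTWARE\Microsoft\NetDDU with its TCount value
    $netddu = 'HKLM:\SOFTWARE\Microsoft\NetDDU'
    if (Test-Path -Path $netddu) {
        $t = (Get-ItemProperty -Path $netddu -Name 'TCount' -ErrorAction SilentlyContinue).TCount
        $findings += "Key present: $netddu (TCount = $t)"
    }

    # 4. Running process (visible in the task list, as the entry notes)
    $proc = Get-Process -Name 'Windll' -ErrorAction SilentlyContinue
    if ($proc) {
        $findings += "Process running: Windll (PID $($proc.Id -join ','))"
    }

    # 5. Listener on the port the entry reports, 34324/tcp
    $listen = Get-NetTCPConnection -LocalPort 34324 -State Listen -ErrorAction SilentlyContinue
    if ($listen) {
        $findings += "TCP listener on 34324 (owning PID $($listen.OwningProcess -join ','))"
    }

    [pscustomobject]@{
        IndicatorsFound = ($findings.Count -gt 0)
        Findings        = $findings
    }
}

Test-BiglukIndicators | Format-List
```

Run it from an elevated prompt so the HKLM and process queries are not silently denied; any finding means the manual removal steps above still apply.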

Special: NA

Author: NA

Notes: At the time of testing only the server file was available, so little is known about the functions of the client.