Name: acid shivers modified
Main: ACiDShivers.exe    182 KB

Keys:  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Explorer"
                        Type: REG_SZ
                        Data: C:\WINDOWS\MSGSVR16.EXE

       HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices "Explorer"
                        Type: REG_SZ
                        Data: C:\WINDOWS\MSGSVR16.EXE

Version: Modified version of the original

Type: Remote access/telnet

Port/s used: Random

Files:  c:\WINDOWS\MSGSVR16.EXE
            Size: 186,368 bytes

        c:\WINDOWS\TEMP\~DF11F.TMP
            Size: 1,536 bytes

Modifies: none

Aliases: acid shivers, acidkor

Behaviour: very similar to acidkor; once executed it runs hidden (stealth mode)

Special: The listening port is chosen at random; the hacker learns which port was opened from an email that this Trojan secretly sends him (the hacker configures the server with his own email address)

Removal: Using regedit, go to the key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

and delete the value that reads:

Explorer = "C:\WINDOWS\MSGSVR16.EXE"

Then go to the key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

and delete the same value there:

Explorer = "C:\WINDOWS\MSGSVR16.EXE"

Reboot your computer, then use Windows Explorer to go to

C:\WINDOWS\

and delete the file MSGSVR16.EXE.
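A check for the indicators listed in this entry, as an added example that is not part of the original page: it audits both autorun keys for an "Explorer" value pointing at MSGSVR16.EXE, reports the dropped files, and with the assumed -Remove switch performs the registry and file cleanup described above. It assumes a modern PowerShell on the affected machine with rights to read and edit HKLM; the RunServices key only exists on Windows 9x, so it is skipped when absent.

```powershell
# Added example: audit (and optionally clean) the acid shivers persistence
# entries and dropped files described in this entry. -Remove is a hypothetical
# switch chosen for this example; without it the script only reports.
param([switch]$Remove)

$keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices'
)
$valueName = 'Explorer'                    # value name the Trojan registers under
$files = @(
    (Join-Path $env:windir 'MSGSVR16.EXE'),       # 186,368 bytes in the sample
    (Join-Path $env:windir 'TEMP\~DF11F.TMP')     # 1,536 bytes in the sample
)
$findings = @()

foreach ($key in $keys) {
    if (-not (Test-Path $key)) { continue }       # RunServices is absent on NT-based Windows
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $data  = $props.$valueName
    # A legitimate "Explorer" value would never point at MSGSVR16.EXE
    if ($data -and $data -match 'MSGSVR16\.EXE') {
        $findings += [pscustomobject]@{ Where = $key; Name = $valueName; Data = $data }
        if ($Remove) { Remove-ItemProperty -Path $key -Name $valueName }
    }
}

foreach ($file in $files) {
    if (Test-Path $file) {
        $size = (Get-Item $file).Length
        $findings += [pscustomobject]@{ Where = 'file'; Name = $file; Data = "$size bytes" }
        # Deleting the EXE fails while the server is running; as in the removal
        # steps, reboot first (or end the process) and run again with -Remove.
        if ($Remove) { Remove-Item -Path $file -Force -ErrorAction Continue }
    }
}

if ($findings) { $findings | Format-Table -AutoSize } else { 'No acid shivers indicators found.' }
```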

Author: Toasty