Common
Trojans and there removal Details
* Master of Paradise
->Does not restart automaticaly.
*Original Server Puts a neat Icon In the Tray , while the modified version puts an NULL icon in the Tray, which means it looks like a space between original icons and The Time Day, Trojan also spoofs Date and Time options, so it doesn't look suspicious.
*Original Server Exe is exactly 327.680 bytes.
*Modified Server Exe is exactly 192.000 bytes. (Note: Icon is blank Like Boserve.exe)
* Back Orifice
->The Father of all GUI Trojans usually the key is:
1)HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> Standard Value .exe *There is a space before the .exe
2)When used With SilkRope the key is something like
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> 412124.TMP Value=412124.TMP
*Wierd numbers with the ending TMP.
* Original Boserve.exe is exactly 124.928 Bytes
With BT Plugin it is something around 193.149 Bytes
Crypted Verion called Infector is 184.832 Bytes
Size may vary due to lot of plugins
* Deep Thoat 2 (recognized by AVP)
->HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sytemtray Value c:\windows\systray.exe *Can be renamed.
-> Not as easy to remove because it checks if Key in registry exists, if not it adds
it again, so simply removing the Key won't work. --> 3 possibilities
1)Restart or quit and enter DOS and simply delete the File c:\windows\systray.exe
(The original systemtray.exe is in C:\windows\system\systray.exe)
2)Use programms able to KILL programs in memory
And then simply delete the systray.exe in c:\windows
* Netbus Pro 2 + Beta + Netrex
->This former Trojan is an attempt of the author to make Netbus Pro 2 a shareware Remote
Control Program. Neitherway there are versions out which run invisible to the User
The standard key is as always. There are 2 Versions out (that I know)
1) Original NetbusPro 2 + Beta
->HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
NameoftheEXE Value c:\windows\nameofthe.exe *Can be renamed.
To identify if it's surely NetbusPro which is running
->HKEY_CURRENT_USER\NetBus
->HKEY_CURRENT_USER\NetBus Server\General
->Accept Value = 1*
->AccesMode Value = 2*
->Autostart Value = 1*
->TCPPort Value = 20340*
->Visibility Value = 3*
*These are all standart keys and may vary
->HKEY_CURRENT_USER\NetBus Server\Protection
->Password Value = A *
*Password is Crypted and A stands for NO password
Nbsvr.exe has exactly 612.966 Bytes
2) The Version called Netrex
->Someone Disassembled the file and recompiled it
To identify if it's surely NetRex which is running
->HKEY_CURRENT_USER\NetRex
->HKEY_CURRENT_USER\NetRex Server\General
->Accept Value = 1*
->AccesMode Value = 2*
->Autostart Value = 1*
->TCPPort Value = 20340*
->Visibility Value = 3*
*These are all standart keys and may vary
->HKEY_CURRENT_USER\NetRex Server\Protection
->Password Value = A *
*Password is Crypted and A stands for NO password
Nrsvr.exe has exactly 326.144 Bytes
*HINT* NetbusPro AND Netrex write both log's of ALL connections in a file called
Log.txt in the same directory as the server is installed usually C:\windows
But as always there may be versions which DO NOT write the log.
* Wincrash (old version)
->Seems not to restart, thus should be rare
*Original Server Exe size is exactly 182.227 Bytes
*Suplement to the server exe but not needed are:
Win32cfg.exe exactly 4.128 Bytes
cfg95.exe has exactly 79.242 Bytes
* Millenium
->That's a little bastard.
When installing a little message box pops up saying <The System is being updated>.
It copies itself in the c:\windows\system directory with the name reg666.exe
AND to C:\WINDOWS\SYSTEM\regersys.ocx.
The keys Are:
*HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Millenium Value=reg666.exe
*AND in win.ini adds run=C:\windows\system\reg666.exe
Removing is a little bit difficult because this trojan has some neat self-check
routine, if you remove the Key in the registry it adds it again, if you remove
the win.ini key it adds the key again, this tricky thing has also a backup
in regersys.ocx which it renames again to reg666.exe.
You see it's quite difficult if you don't know dos. -> 2 possibilities
1)Restart or quit and enter DOS and simply delete the File c:\windows\reg666.exe
AND regersys.ocx (The names are always the same)
2)Use programms able to KILL programs in memory
And then simply delete thereg666.exe from c:\windows\system don't forget to to delete the c:\windows\system\regersys.ocx
* The exact size of reg666.exe is 48.128 Bytes
*Gate Crasher
->This one is different from 2 point of view's
1)Needs 2 files one named port.dat (always) accompaigned with an EXE OR an DOC
YES this ones can infect using a Word Macro.
The Word Macro Contains the Words >>This file once opened checks to see.
if you have the latest version of winsck.ocx and you have so no updates
are available<<->Nice Spelling
2)It doesn't open the ports immediatly it monitors the DUN (Dial Up Network)
If it's active it opens it's ports. So it isn't detecable up-on start
Actually it's fake Port watcher.
*HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Explorer Value=EXPLORE.exe
*Original Explore.exe size is exactly 94.208 Bytes which actually is Port.dat
Port.dat size is exactly 94.208 Bytes
Port.exe size is exactly 40.960 Bytes (Infector comes with port.dat)
Port.doc size is exactly 39.424 Bytes (Infector comes with port.dat)
|
->Shows the name FullBrock (author's name ?)
*Net Monitor (old version)
->Rare Chinese Trojan (The readme is a must see :)
Trojan doesn't restart. Only runs once
Spy Server exe has exaclty 30.720 Bytes
* Devil 1.x
->French Trojan
Trojan doesn't restart. Only runs if program is excecuted
Comes with a lot of fake apps but none of them runs the original
program.
Icqflood.exe has exaclty 24.576 Bytes
Opscript.exe has exactly 61.952 Bytes
Socket.exe has exactly 355.840 Bytes
winamp34.exe has exactly 690.688 Bytes
Wingenocide.exe has exactly 67.584 Bytes
Winrar.exe has exactly 687.616 Bytes
* GirlFriend (recognized by AVP)
->Russian Trojan
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Windll Value c:\windows\windll.exe *Could be renamed.
1)Restart or quit and enter DOS and simply delete the File c:\windows\windll.exe
2)Use programms able to KILL programs in memory like CCTASK (Url Below 1.4)
And then simply delete the windll.exe in c:\windows
*Hint* This Trojan is specialist in stealing Passes. Victim should
rename ALL passwords.
windll.exe has exactly 309.248 Bytes
windll.exe has exactly 189.196 Bytes (there are 2)
* Netbus 1.6 + 1.7 (recognized by AVP)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Patch Value c:\windows\patch.exe *Could be renamed.
1)Restart or quit and enter DOS and simply delete the File c:\windows\patch.exe
2)Use programms able to KILL programs in memory
And then simply delete the patch.exe in c:\windows
*Hint*Netbus 1.7 saves the IP of attacker in c:\windows\access.txt
but only if he has restricted access to server with this IP.
->Name of the trojan.INI -> if trojan name is patch.exe, patch.ini
Consists of the following : [Settings]
Port1=12345 *Obvious
ServerPwd=asl *Uncrypted
LogTraffic=1
MailTo=cocksucker@cf.com *Attacker e-mail
MailFrom=my@myself.com *yours
MailHost=127.0.0.1 *Smpt-Server
*Note the Mailto and the MailFrom could be interchanged (Bug or Feature to hide real E-mail adress because I entered just the opposite)
The Patch.exe of netbus 1.6 has exactly 472.576 Bytes
The Patch.exe of netbus 1.7 has exactly 314.636 Bytes
The Whakamol.exe Fake game has exactly 314.636 Bytes
* Rare Version of NBP2
-> see netbus Pro 2
* Attack Ftp
->French Trojan (and therefore needs a few french Dll's)
What it Does ?
- Copies Wsgt32.dl_ in the System directory and renames the file in Drwatsom.exe
- Copies Wsgt32.dl_ in the Windows directory and renames the file in Wver.dll
- Copies Install.exe in the System directory and renames the file in Wscan.exe
- Writes a key in Win.ini to launch Drwatsom.exe up-on next reboot.
- Writes to registry to launch Wscan.exe at next reboot
- Searches CD-rom drives
- Creates Serv-u.ini in the System directory
- Scans HD for TREE.DAT (password of Cute-FTP)
- Copies result to c:\windows\Result.dll
- Launches Drwatsom.exe
- Fakes a Error-Message
Remove:
Quoted from the authors Readme :
- Kill Drwatsom (Ctrl-Alt-Del)
- Execute the command : "Wscan.exe Louis_Cypher"
- Delete the Key
"HKEY_LOCAL_MACHINE, "Software\Microsoft\Windows\CurrentVersion\Run"
Value wscan.exe
- Delete Wscan.exe from c:\windows\system
Size of the setup.exe is exactly 230.912 Bytes
* Streaming Audio Trojan
-> Sets Up a streaming Audio Server
Needs a lot of dll's and needs a registration before functionating achieved by
a Reg file which Registrates the serials. I think it's impossible
to setup it up with no physical access to the victim computer. (therefore rare)
* Hackcity Ripper Trojan
-> Only Ripps Passwords
Removes itself on next reboot.
*Hint* The Victim should change his Dial-Up Password immediatly.
*Telecommando
-> Basic Trojan
Key is:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Systemapp Value ODBC.exe
1)Restart or quit and enter DOS and simply delete the File c:\windows\system\odbc.exe
2)Use programms able to KILL programs in memory like CCTASK (Url Below 1.4)
And then simply delete the odbc.exe in c:\windows\system
*Icq Trojen
-> Dos Based Trojan (not very usefull)
Quoted from the readme
>>Icqtrogen.exe is made to be placed in your icq folder and move the real icq
to icq2.exe. netdetect calls our icq and ours calls icq2 so the user can't see it<<
Removing is quite easy.
-> Goto Icq Directory delete ICQ.exe and rename the ICQ2.exe as ICQ.EXE. DONE
*Original Server EXE is exactly 39.424 Bytes.
->**Modified Version**
Doesn't need original ICQ.
Restarts not automatically.
*Modified Server Exe is exactly 27.779 Bytes
*Installer attached WITH BO is 188.438 Bytes
*Prority BETA
->New release, trojan needs Runtime-files (VB),
while pressing CTRL-ALT-DELETE the name pserver shows up.
The Key is:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
pserver Value pserver.exe (everytime)
*Original Server Exe is excactly 98.304 Bytes
*Deep BO
->Wide spread version of BO. Runs on specific port
removing see BO.
*Gjamer
->NO information avaible at this time. I need some info. (Mail me)
*Voodoo
->Needs all the lame Visual Basic Dll's
*Original Server Exe is excactly 36.864 Bytes.
*Ncw
The Key in the registry are :
[HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices]
"MSSystemSet"="msset32.exe"
*Shadow Phyre
Copies to
c:\windows\system\inet.exe 200K
c:\windows\system\WinZipp.exe 200K
The Keys in the registry are :
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"WinZipp"="C:\\WINDOWS\\SYSTEM\\WinZipp.exe /nomsg"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"INET Wizard"="C:\\WINDOWS\\SYSTEM\\inet.exe /nomsg"
*Tiny Telnet Server
Copies to :
c:\windows\windll.exe 127488 Bytes
The Key in the registry is :
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Windll.exe"="C:\\WINDOWS\\Windll.exe"
*Kuang
Copies to :
c:\windows\_webcache_.exe
C:\WINDOWS\SYSTEM\Temp$1.exe
The Keys in the registry are :
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"WebAccelerator"="_webcache_.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Temp$1.task"="C:\\WINDOWS\\SYSTEM\\Temp$1.exe"
*Netsphere
Copies to :
C:\WINDOWS\system\nssx.exe [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "NSSX"="C:\\WINDOWS\\system\\nssx.exe"
*FakeVirii
Copies to :
C:\WINDOWS\system\nssx.exe 36864 Bytes [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices] "Kernel32.dll"="c:\\windows\\ccc.exe"
Firstly HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Batterieanzeige