Tuesday, 25 January 2005
Backdoor.Berbew.O is a Trojan horse program that steals passwords from a compromised computer. The Trojan opens a back door and allows a remote attacker to have unauthorized access to the compromised computer. The Trojan also attempts to lower security settings in Internet Explorer.
Also Known As: Backdoor.Win32.Padodor.gen [Kaspersky Lab], BackDoor-AXJ [McAfee]
Type: Trojan Horse
Infection Length: 77,918 bytes
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
When Backdoor.Berbew.O is executed, it performs the following actions:
Creates the following files:
%System%\[8 random characters].dll
%System%\[8 random characters].dll
%System%\[6 random characters]32.exe
Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
Creates several copies of the randomly named file %Temp%\[8 random characters].htm.
Note: %Temp% is a variable that refers to the Windows temporary folder. By default, this is C:\Windows\TEMP (Windows 95/98/Me/XP) or C:\WINNT\Temp (Windows NT/2000).
Opens the aforementioned .htm files in a hidden Internet Explorer window.
Adds the value:
"InProcServer32" = "%System%\[8 random characters].dll"
to the registry subkey:
HKEY_CLASSES_ROOT\CLSID\{7CFBACFF-EE01-1231-ABDD-416592E5D639}
so that the dropped DLL is registered as an in-process COM server under that CLSID.
Adds the value:
"Web Event Logger" = "{7CFBACFF-EE01-1231-ABDD-416592E5D639}"
to the registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
so that the Windows shell (explorer.exe) loads the DLL registered under that CLSID every time Windows starts.
Adds the value:
"MGR" = "[random string]"
to the registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IE4
as an infection marker.
Adds the value:
"1601" = "0"
to the registry subkeys:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
to lower the security settings in Internet Explorer. Value 1601 controls "Submit non-encrypted form data" for each security zone; setting it to 0 enables that action silently in all five zones (My Computer, Local intranet, Trusted sites, Internet and Restricted sites).
Adds the value:
"GlobalUserOffline" = "0"
to the registry subkey:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
which clears Internet Explorer's Work Offline setting so that the hidden Internet Explorer windows are not blocked from reaching the network.
Opens a back door on the compromised computer using a random port, which allows a remote attacker to have unauthorized access. The remote attacker may also use the compromised computer as a covert proxy.
Steals passwords from the compromised computer; its keylogging component also intercepts data entered into forms in Internet Explorer.
Sends the stolen information to the attacker as query strings in HTTP requests to www.soplitekut.com.
Uses rootkit technology to hide the processes and files associated with the Trojan.
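The registry changes listed above are the indicators a responder can check for. The following Python script, added here as an example and not part of Symantec's write-up or any vendor's tooling, parses a registry export (as produced by regedit or `reg export`) and flags each Berbew.O indicator: the ShellServiceObjectDelayLoad entry loading the CLSID, the CLSID's InProcServer32 DLL, the IE4\MGR marker, zone value 1601 set to 0 and GlobalUserOffline set to 0. The embedded .reg text is a constructed sample; the DLL name, the MGR string and the benign WebCheck entry are placeholders, not data from a real infection.

```python
r"""Offline triage of a registry export (.reg) for the Backdoor.Berbew.O
indicators: SSODL entry, CLSID InProcServer32 DLL, HKLM\SOFTWARE\Microsoft\IE4\MGR
marker, zone value 1601 = 0 and GlobalUserOffline = 0.
Added example, not Symantec's or any vendor's tool. SAMPLE_REG is constructed."""

BERBEW_CLSID = "{7CFBACFF-EE01-1231-ABDD-416592E5D639}"
SSODL_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
             r"\ShellServiceObjectDelayLoad")
INPROC_KEY = "HKEY_CLASSES_ROOT\\CLSID\\" + BERBEW_CLSID + "\\InProcServer32"
MARKER_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IE4"
INET_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
ZONES_KEY = INET_KEY + r"\Zones"

# Constructed sample export of the affected keys after infection. The DLL name
# "qwertyui.dll" and the MGR string are placeholders; WebCheck is a legitimate
# SSODL entry included so the scanner has something it must not flag.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{7CFBACFF-EE01-1231-ABDD-416592E5D639}\InProcServer32]
@="C:\\WINDOWS\\System32\\qwertyui.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"Web Event Logger"="{7CFBACFF-EE01-1231-ABDD-416592E5D639}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IE4]
"MGR"="x7hq2"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"GlobalUserOffline"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1601"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
"1601"=dword:00000000
"""


def parse_reg(text):
    """Parse REGEDIT4 / 'Windows Registry Editor 5.00' text into
    {key_path: {value_name: data}}. String values are unescaped, dword values
    become ints, '@' is the key's default value; other types are kept raw."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, data = line.split("=", 1)
        name = "@" if name == "@" else name.strip('"')
        if data.startswith('"') and data.endswith('"'):
            data = data[1:-1].replace("\\\\", "\\")   # .reg escapes \ as \\
        elif data.startswith("dword:"):
            data = int(data[6:], 16)
        keys[current][name] = data
    return keys


def find_indicators(keys):
    """Return a list of human-readable findings; empty means no indicator."""
    findings = []
    lower = {k.lower(): v for k, v in keys.items()}   # registry paths are case-insensitive

    # 1. Persistence: SSODL value whose data is the Berbew CLSID.
    for name, data in lower.get(SSODL_KEY.lower(), {}).items():
        if isinstance(data, str) and data.upper() == BERBEW_CLSID:
            findings.append("SSODL value '%s' loads %s" % (name, BERBEW_CLSID))

    # 2. The CLSID's in-process server, i.e. the dropped DLL in %System%.
    dll = lower.get(INPROC_KEY.lower(), {}).get("@")
    if isinstance(dll, str):
        findings.append("CLSID %s InProcServer32 -> %s" % (BERBEW_CLSID, dll))

    # 3. Infection marker.
    if "MGR" in lower.get(MARKER_KEY.lower(), {}):
        findings.append("infection marker HKLM\\SOFTWARE\\Microsoft\\IE4\\MGR present")

    # 4. Zone value 1601 ("Submit non-encrypted form data") forced to 0 = Enable.
    #    The write-up says all five zones are touched; report whichever are present.
    for zone in range(5):
        if lower.get((ZONES_KEY + "\\" + str(zone)).lower(), {}).get("1601") == 0:
            findings.append("zone %d: 1601 (submit non-encrypted form data) = 0" % zone)

    # 5. Work Offline cleared.
    if lower.get(INET_KEY.lower(), {}).get("GlobalUserOffline") == 0:
        findings.append("GlobalUserOffline = 0 (Work Offline cleared)")
    return findings


def scan_reg_export(text):
    """Parse then scan; the function a responder calls on a real export."""
    return find_indicators(parse_reg(text))


if __name__ == "__main__":
    for finding in scan_reg_export(SAMPLE_REG):
        print("[!]", finding)
```

To use it on a live system, export the keys named above (for example `reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad" ssodl.reg`, and the HKCR\CLSID, HKLM\SOFTWARE\Microsoft\IE4 and HKCU Internet Settings keys likewise), then pass the file contents to scan_reg_export; `reg export` on Windows XP and later writes UTF-16, so open the file with encoding="utf-16". Because the Trojan hides its files and processes, a directory listing of %System% may not show the DLL; the registry entries, or an offline copy of the hives, are the more dependable indicator.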