Friday, 30 December 2005
Backdoor.Dckane is a back door program that allows a remote attacker to have unauthorized access to the compromised computer.
Type: Trojan Horse
Infection Length: 51,712 bytes
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
Damage
Payload Trigger: n/a
Payload: Opens a back door and allows a remote attacker to have unauthorized access to the compromised computer.
Large scale e-mailing: n/a
Deletes files: n/a
Modifies files: n/a
Degrades performance: n/a
Causes system instability: n/a
Releases confidential info: n/a
Compromises security settings: n/a
Distribution
Subject of email: n/a
Name of attachment: n/a
Size of attachment: n/a
Time stamp of attachment: n/a
Ports: n/a
Shared drives: n/a
Target of infection: n/a
When Backdoor.Dckane is executed, it performs the following actions:
Creates the following files:
%System%\kane.exe
%System%\kane.dll
Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
Modifies the value:
"Shell" = "Explorer.exe kane.exe"
in the registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
so that it runs every time Windows starts.
Attempts to inject itself into Explorer.exe.
Opens a back door on the compromised computer by connecting out to the kane.oicp.net domain.
Waits for commands from the remote attacker and carries them out.
To restore the modified registry value:
Navigate to the subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
In the right pane, restore the value to:
"Shell" = "Explorer.exe"
Exit the Registry Editor.
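The Winlogon Shell value is the persistence point described above, and checking it by hand is error-prone: the shell can legitimately be given as a bare name or a full path, and Windows accepts several comma-separated programs, while this threat appends its loader with a space ("Explorer.exe kane.exe"). The script below is an added example, not code from the original writeup or from any vendor tool. It parses a Shell value, reports every entry that is not explorer.exe, computes the cleaned value the removal steps above restore, and looks for the two dropped files. The live registry read only works on Windows; the sample values in the test are constructed. The file names, registry path and default folders come from the writeup; the parsing rules (quoted paths kept whole, comma or whitespace as separator) are assumptions.

```python
"""Check and clean the Winlogon "Shell" value abused by Backdoor.Dckane.

Added example, not part of the original advisory. Assumes the indicators
listed in the writeup: %System%\kane.exe, %System%\kane.dll and the Shell
value "Explorer.exe kane.exe" under the Winlogon subkey.
"""
import os
import re
from typing import List, Optional

# Registry location of the Shell value (relative to HKEY_LOCAL_MACHINE).
WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
VALUE_NAME = "Shell"

# The only program Winlogon should launch as the shell. Comparison is on the
# file name only and case-insensitive, so "C:\Windows\explorer.exe" and
# "Explorer.exe" both count as the expected shell.
EXPECTED_SHELL = "explorer.exe"

# File names dropped into %System% according to the writeup.
DROPPED_FILES = ("kane.exe", "kane.dll")


def split_shell_value(value: str) -> List[str]:
    """Split a Shell value into program entries.

    Assumption: entries are separated by commas or whitespace, and a quoted
    path containing spaces is kept as a single entry.
    """
    entries = []
    for token in re.findall(r'"[^"]*"|[^,\s]+', value):
        token = token.strip('"').strip()
        if token:
            entries.append(token)
    return entries


def _basename(entry: str) -> str:
    return entry.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def unexpected_shell_entries(value: str) -> List[str]:
    """Return every entry in the Shell value that is not explorer.exe."""
    return [e for e in split_shell_value(value) if _basename(e) != EXPECTED_SHELL]


def cleaned_shell_value(value: str) -> str:
    """Return the Shell value with unexpected entries removed.

    For the value from the writeup this yields "Explorer.exe", which is the
    value the manual removal steps restore. If nothing legitimate is left,
    fall back to the default shell name.
    """
    keep = [e for e in split_shell_value(value) if _basename(e) == EXPECTED_SHELL]
    return ",".join(keep) if keep else "Explorer.exe"


def find_dropped_files(system_dir: str) -> List[str]:
    """Return full paths of the dropped files that exist in system_dir."""
    return [
        os.path.join(system_dir, name)
        for name in DROPPED_FILES
        if os.path.isfile(os.path.join(system_dir, name))
    ]


def read_winlogon_shell() -> Optional[str]:
    """Read the live Shell value from HKLM; None when not on Windows."""
    try:
        import winreg  # only available on Windows
    except ImportError:
        return None
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
            value, _ = winreg.QueryValueEx(key, VALUE_NAME)
            return value
    except OSError:
        return None


if __name__ == "__main__":
    live = read_winlogon_shell()
    if live is None:
        print("Winlogon Shell value not readable (not running on Windows?)")
    else:
        extra = unexpected_shell_entries(live)
        print("Shell =", repr(live))
        print("Unexpected entries:", extra or "none")
        if extra:
            print("Restore Shell to:", repr(cleaned_shell_value(live)))
    system_dir = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "System32")
    print("Dropped files present:", find_dropped_files(system_dir) or "none")
```

The script only reports and computes the corrected value; it does not write to the registry, so the restore step above is still performed by hand (or by a deliberate follow-up) after the dropped files have been dealt with, since kane.exe is loaded from this value at every logon.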