
Backdoor.Fuwudoor
Thursday, 24 March 2005
Backdoor.Fuwudoor is a back door Trojan horse that gives a remote attacker unauthorized access to the compromised computer. It hides its presence by loading its components through Windows services that already exist on the computer rather than registering new ones.

Type: Trojan Horse

Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

Once executed, Backdoor.Fuwudoor performs the following actions:


Drops one or more of the following files:


%System%\ipsec.dll
%System%\appmgmt.dll
%System%\browsvr.dll
%System%\trkw.dll
%System%\trks.dll
%System%\kdc.dll
%System%\dmsrv.dll
%System%\mesg.dll
%System%\netlogin.dll
%System%\protstrg.dll
%System%\lmhosts.dll
%System%\w32t.dll
%System%\ntms.dll

Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).


Registers each dropped .dll as the ServiceDll of a Windows service that already exists on the computer, by overwriting that service's Parameters\ServiceDll registry value. When the service starts, its host process (svchost.exe) loads the Trojan's DLL in place of the legitimate one.

Note: The modification is easy to miss. The service's display name and description are unchanged, its path to executable still points at svchost.exe, and the name of the dropped DLL closely resembles that of the legitimate service DLL. In this way the Trojan attempts to hide its presence on the compromised computer.


Registers one or more of the following services:

Display name: ProtectedStorage
Path to executable: %Windir%\system32\svchost.exe -k ProtectedStorage

Display name: Messenger
Path to executable: %Windir%\system32\svchost.exe -k Messenger

Display name: Policy Agent
Path to executable: %Windir%\system32\svchost.exe -k Policy Agent

Display name: AppMgmt
Path to executable: %Windir%\system32\svchost.exe -k AppMgmt

Display name: Browser
Path to executable: %Windir%\system32\svchost.exe -k Browser

Display name: TrkWks
Path to executable: %Windir%\system32\svchost.exe -k TrkWks

Display name: TrkSvr
Path to executable: %Windir%\system32\svchost.exe -k TrkSvr

Display name: kdc
Path to executable: %Windir%\system32\svchost.exe -k kdc

Display name: dmserver
Path to executable: %Windir%\system32\svchost.exe -k dmserver

Display name: NetLogon
Path to executable: %Windir%\system32\svchost.exe -k NetLogon

Display name: LmHosts
Path to executable: %Windir%\system32\svchost.exe -k LmHosts

Display name: W32Time
Path to executable: %Windir%\system32\svchost.exe -k W32Time

Display name: ntmssvc
Path to executable: %Windir%\system32\svchost.exe -k ntmssvc

Note: %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.


Adds the value:

"ServiceDll" = "%Windir%\system32\ntms.dll"

to the registry subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ntmssvc\Parameters


Adds the value:

"ServiceDll" = "%Windir%\system32\w32t.dll"

to the registry subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters


Adds the value:

"ServiceDll" = "%Windir%\system32\lmhosts.dll"

to the registry subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LmHosts\Parameters


Adds the value:

"ServiceDll" = "%Windir%\system32\netlogin.dll"

to the registry subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetLogon\Parameters


Adds the value:

"ServiceDll" = "%Windir%\system32\dmsrv.dll"

to the registry subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dmserver\Parameters


Adds the value:

"ServiceDll" = "%Windir%\system32\kdc.dll"

to the registry subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kdc\Parameters


Adds the value:

"ServiceDll" = "%Windir%\system32\trks.dll"

to the registry subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TrkSvr\Parameters


Adds the value:

"ServiceDll" = "%Windir%\system32\trkw.dll"

to the registry subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TrkWks\Parameters


Adds the value:

"ServiceDll" = "%Windir%\system32\browsvr.dll"

to the registry subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser\Parameters


Adds the value:

"ServiceDll" = "%Windir%\system32\appmgmt.dll"

to the registry subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AppMgmt\Parameters


Adds the value:

"ServiceDll" = "%Windir%\system32\ipsec.dll"

to the registry subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent\Parameters


Adds the value:

"ServiceDll" = "%Windir%\system32\mesg.dll"

to the registry subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Messenger\Parameters


Adds the value:

"ServiceDll" = "%Windir%\system32\protstrg.dll"

to the registry subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ProtectedStorage\Parameters


Creates the following kernel driver file in an attempt to hide the activities of the back door on the network:

%System%\Drivers\usb2.sys


Adds the value:

"ImagePath" = "system32\Drivers\usb2.sys"

to the registry subkey:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\usb2


Contacts a server in the winupdate.myserver.com domain and notifies it that the computer has been compromised.


Opens a back door on the compromised computer and may allow a remote attacker to perform the following activities:


Send GET or POST requests to an HTTP server
Show or terminate running processes or threads
Execute commands

To reverse the changes made to the registry

Note: The steps below delete the ServiceDll value that the Trojan overwrote in each hijacked service. That legitimate Windows service is then left without any DLL to load and will fail to start until its original ServiceDll value is restored, for example by copying it from a clean computer running the same Windows version.

Click Start > Run, type regedit, and then click OK.


Navigate to the subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ntmssvc\Parameters

In the right pane, delete the value:

"ServiceDll" = "%Windir%\system32\ntms.dll"


Navigate to the subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters

In the right pane, delete the value:

"ServiceDll" = "%Windir%\system32\w32t.dll"


Navigate to the subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LmHosts\Parameters

In the right pane, delete the value:

"ServiceDll" = "%Windir%\system32\lmhosts.dll"


Navigate to the subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetLogon\Parameters

In the right pane, delete the value:

"ServiceDll" = "%Windir%\system32\netlogin.dll"


Navigate to the subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dmserver\Parameters

In the right pane, delete the value:

"ServiceDll" = "%Windir%\system32\dmsrv.dll"


Navigate to the subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kdc\Parameters

In the right pane, delete the value:

"ServiceDll" = "%Windir%\system32\kdc.dll"


Navigate to the subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TrkSvr\Parameters

In the right pane, delete the value:

"ServiceDll" = "%Windir%\system32\trks.dll"


Navigate to the subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TrkWks\Parameters

In the right pane, delete the value:

"ServiceDll" = "%Windir%\system32\trkw.dll"


Navigate to the subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser\Parameters

In the right pane, delete the value:

"ServiceDll" = "%Windir%\system32\browsvr.dll"


Navigate to the subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AppMgmt\Parameters

In the right pane, delete the value:

"ServiceDll" = "%Windir%\system32\appmgmt.dll"


Navigate to the subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent\Parameters

In the right pane, delete the value:

"ServiceDll" = "%Windir%\system32\ipsec.dll"


Navigate to the subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Messenger\Parameters

In the right pane, delete the value:

"ServiceDll" = "%Windir%\system32\mesg.dll"


Navigate to the subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ProtectedStorage\Parameters

In the right pane, delete the value:

"ServiceDll" = "%Windir%\system32\protstrg.dll"


Navigate to the subkey:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\usb2

In the right pane, delete the value:

"ImagePath" = "system32\Drivers\usb2.sys"


Exit the Registry Editor.
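The following PowerShell script is an added example for this page, not code from the original writeup. It covers both the ServiceDll hijack and usb2 driver described in the behaviour section and the manual regedit steps above: it walks every service under HKLM\SYSTEM\CurrentControlSet\Services, reports any Parameters\ServiceDll value that points at one of the DLL names listed in this writeup, checks for the usb2 driver service and for the dropped files in %System%, and, only when run with -Remediate, exports a backup of the Services key and then removes the same registry values the manual steps delete. The DLL, service and key names are taken from the writeup; the -Remediate parameter, the output layout and the backup location under %TEMP% are this example's own assumptions. It needs PowerShell 3.0 or later in an elevated session.

```powershell
# Added example, not code from the original writeup. Scans for the ServiceDll
# hijack and usb2 driver described above; with -Remediate, undoes the registry
# changes listed in the removal steps after backing up the Services key.
# Names come from the writeup; -Remediate and the backup path are assumptions.
param([switch]$Remediate)

$indicatorDlls = @('ipsec.dll', 'appmgmt.dll', 'browsvr.dll', 'trkw.dll', 'trks.dll',
                   'kdc.dll', 'dmsrv.dll', 'mesg.dll', 'netlogin.dll', 'protstrg.dll',
                   'lmhosts.dll', 'w32t.dll', 'ntms.dll')
$servicesRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$findings     = @()

# Every service hosted by svchost.exe names the DLL it loads in
# Parameters\ServiceDll. Walk all services, not only the 13 the writeup lists,
# so a variant that picks a different host service is still caught.
foreach ($svc in Get-ChildItem $servicesRoot -ErrorAction SilentlyContinue) {
    $params = Join-Path $svc.PSPath 'Parameters'
    if (-not (Test-Path $params)) { continue }
    $dll = (Get-ItemProperty -Path $params -ErrorAction SilentlyContinue).ServiceDll
    if (-not $dll) { continue }
    $expanded = [Environment]::ExpandEnvironmentVariables($dll)
    $baseName = [IO.Path]::GetFileName($expanded)
    if ($indicatorDlls -contains $baseName) {      # -contains is case-insensitive
        $findings += [pscustomobject]@{
            Service = $svc.PSChildName
            Key     = $params
            Value   = $expanded
            OnDisk  = Test-Path $expanded
        }
    }
}

# The kernel driver the Trojan registers to conceal its network activity.
# ImagePath is stored relative to %Windir%, so resolve it the same way.
$usb2Key     = Join-Path $servicesRoot 'usb2'
$usb2Present = Test-Path $usb2Key
$driverFile  = Join-Path $env:SystemRoot 'system32\Drivers\usb2.sys'

# Dropped DLLs may sit in %System% even if no ServiceDll currently points at them.
$droppedFiles = @($indicatorDlls |
    ForEach-Object { Join-Path $env:SystemRoot "system32\$_" } |
    Where-Object { Test-Path $_ })

Write-Host "Hijacked ServiceDll values : $($findings.Count)"
$findings | Format-Table Service, Value, OnDisk -AutoSize
Write-Host "usb2 driver service present: $usb2Present"
Write-Host "Indicator files on disk    : $($droppedFiles.Count)"
$droppedFiles | ForEach-Object { Write-Host "  $_" }
if (Test-Path $driverFile) { Write-Host "  $driverFile" }

if (-not $Remediate) { return }

# Back up the whole Services key first so every change below can be reverted.
$backup = Join-Path $env:TEMP ('Services-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))
reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Services' $backup /y | Out-Null
Write-Host "Registry backup written to $backup"

foreach ($f in $findings) {
    # Same effect as the manual regedit steps: the Trojan's DLL is no longer
    # loaded. The legitimate service now has no ServiceDll at all and will not
    # start until its original value is restored from a clean reference system.
    Remove-ItemProperty -Path $f.Key -Name ServiceDll
    Write-Host "Removed ServiceDll from $($f.Service) (was $($f.Value))"
}
if ($usb2Present) {
    Remove-Item -Path $usb2Key -Recurse
    Write-Host 'Removed the usb2 driver service key'
}
Write-Host 'Reboot, then delete the files listed above; they are locked while loaded.'
```

Run it once without -Remediate and compare the reported ServiceDll values against a clean machine of the same Windows version before changing anything; a legitimate service whose DLL name merely resembles an indicator should not appear, because the match is on the exact file name. The script deliberately does not delete the DLLs or the driver: they are in use by svchost.exe and the kernel until the next reboot, and the writeup leaves file removal to the antivirus scan.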
 