Tuesday, 31 May 2005
Virus Information
Backdoor.Kotilla is a backdoor Trojan horse that allows unauthorized access to a compromised computer. It contains an editor that allows its components to be reconfigured, and the remote attacker is notified via a specified IRC channel when a computer is compromised.
Type: Trojan Horse
Infection Length: 50,749 bytes
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
When Backdoor.Kotilla is executed, it performs the following actions:
Copies itself as %Windir%\svchost.exe.
Notes:
This file is not to be confused with the legitimate svchost.exe in the %System% directory.
%Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.
Adds the value:
"System" = "[hex ASCII value of path to Trojan]56 73 76 63 68 6F 73 74 2e 65 78 65"
to the registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
so that the risk runs every time Windows starts.
Note: The hex value points to %Windir%\svchost.exe.
Runs under the common process name svchost.exe so as not to draw attention to the Trojan.
Attempts to notify the attacker via TCP port 6667 (the default IRC port) that the computer has been compromised. However, the specific channel and port are configurable.
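The persistence entry above is the indicator a defender can check for: a Run value whose data is a string of hex ASCII byte pairs that decodes to a path ending in svchost.exe outside %System%. The following helper is an added example, not part of the original advisory or any vendor tool. It decodes the value format the advisory describes, extracts the image path from the resulting command line, and flags any svchost.exe that is not the legitimate one in %System%. The sample Run values are constructed for illustration; the optional live reader uses the standard winreg module and is skipped on non-Windows hosts.

```python
"""Check HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run for the
Backdoor.Kotilla persistence indicator (added example, not vendor code)."""
import re
import ntpath

# A value consisting only of two-digit hex pairs separated by whitespace.
HEX_PAIRS = re.compile(r"^(?:[0-9A-Fa-f]{2}\s*)+$")

def decode_run_value(data: str) -> str:
    """Return the command line a Run value holds.

    The advisory describes the data as hex ASCII byte pairs ("56 73 76 ...");
    ordinary plain-text entries are returned unchanged so one check covers both.
    """
    data = data.strip()
    if HEX_PAIRS.match(data):
        return bytes.fromhex(re.sub(r"\s+", "", data)).decode("latin-1")
    return data

def command_image(cmd: str) -> str:
    """Extract the executable path from a command line, honouring quotes."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""

def expand(path: str, windir: str = r"C:\Windows") -> str:
    """Expand the %Windir% / %System% placeholders used in the advisory."""
    return (path.replace("%System%", ntpath.join(windir, "System32"))
                .replace("%Windir%", windir))

def is_rogue_svchost(command: str, windir: str = r"C:\Windows") -> bool:
    """True when the command runs an svchost.exe located anywhere but %System%."""
    image = expand(command_image(command), windir)
    head, tail = ntpath.split(image)
    if tail.lower() != "svchost.exe":
        return False
    legit = ntpath.join(windir, "System32")
    return ntpath.normpath(head).lower() != ntpath.normpath(legit).lower()

def find_kotilla_indicators(run_values: dict, windir: str = r"C:\Windows") -> list:
    """Return (value name, decoded command) for every matching Run entry."""
    hits = []
    for name, data in run_values.items():
        decoded = decode_run_value(data)
        if is_rogue_svchost(decoded, windir):
            hits.append((name, decoded))
    return hits

def hex_ascii(text: str) -> str:
    """Encode text the way the advisory shows the value data (hex byte pairs)."""
    return " ".join(f"{b:02X}" for b in text.encode("latin-1"))

def read_run_key() -> dict:
    """Read the real Run key on a Windows host; returns {} elsewhere."""
    try:
        import winreg
    except ImportError:
        return {}
    values = {}
    subkey = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey) as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:
                break
            values[name] = str(data)
            index += 1
    return values

# Constructed sample values (not from a real host): one entry shaped like the
# advisory's "System" value, one benign entry, one legitimate svchost.exe.
SAMPLE_RUN_VALUES = {
    "System": hex_ascii(r"C:\Windows\svchost.exe"),
    "ctfmon": r"C:\Windows\System32\ctfmon.exe",
    "Legit": r"%System%\svchost.exe -k netsvcs",
}

if __name__ == "__main__":
    for name, cmd in find_kotilla_indicators(read_run_key() or SAMPLE_RUN_VALUES):
        print(f"suspicious Run value {name!r} -> {cmd}")
```

The check keys on the decoded path rather than on the literal hex string, because the attacker-side editor mentioned above can change the configuration, and the same svchost.exe-outside-%System% test also catches a plain-text variant of the entry.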
To delete the value from the registry
Click Start > Run.
Type regedit
Click OK.
Note: If the registry editor fails to open, the threat may have modified the registry to prevent access to the registry editor. Security Response has developed a tool to resolve this problem. Download and run this tool, and then continue with the removal.
Navigate to the subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
In the right pane, delete the value:
"System" = "[hex ASCII value of path to Trojan]56 73 76 63 68 6F 73 74 2e 65 78 65"
Exit the Registry Editor.