Friday, 29 April 2005 |
Backdoor.Lingosky is a Trojan horse that opens a back door and allows the compromised computer to be used as a covert proxy.
Also Known As: Backdoor.Win32.Agent.jk [Kaspersky Lab]
Type: Trojan Horse
Infection Length: Varies
Systems Affected: Windows 2000, Windows NT, Windows Server 2003, Windows XP
When Backdoor.Lingosky is executed, it performs the following actions:
Drops the following files:
VGX16.DLL
COMLM.DLL
%ProgramFiles%\Common Files\Microsoft\VGX\VGX32.dll
Note: %ProgramFiles% is a variable that refers to the program files folder. By default, this is C:\Program Files.
Creates the following file, if it does not already exist:
%Windir%\Temp\~ifpw.dat
Note: %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.
Injects VGX32.dll into either lsass.exe or services.exe.
Opens a back door on TCP port 1024 and allows a remote attacker to steal confidential information from the compromised computer.
Connects to the following locations:
http://[unknown domain]/up.asp?up=123
http://[unknown domain]/list.asp
http://[unknown domain]/add.asp
Adds the following values:
"Gateway" = "[IP address]"
"Port" = "1024"
to the registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tcpip\CurrentVersion
to open a covert proxy.
To delete the values from the registry:
Click Start > Run.
Type regedit
Click OK.
Navigate to the subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tcpip\CurrentVersion
In the right pane, delete the values:
"Gateway" = "[IP address]"
"Port" = "1024"
Exit the Registry Editor.
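The following PowerShell script is an added example, not part of the original write-up: it checks a host for the indicators listed above (the two registry values, the dropped files whose paths are given, and a listener on TCP 1024) and, with the -RemoveRegistryValues switch, deletes the same two values the manual regedit steps remove. The function and variable names are this example's own; it assumes an elevated session and Get-NetTCPConnection (Windows 8 / Server 2012 or later; on older hosts use netstat -ano instead).

```powershell
# Added example: Backdoor.Lingosky indicator check (not Symantec's code).
param([switch]$RemoveRegistryValues)

$regKey    = 'HKLM:\SOFTWARE\Microsoft\Tcpip\CurrentVersion'   # subkey from the write-up
$regValues = @('Gateway', 'Port')                                # values the backdoor adds
$port      = 1024                                               # back-door / proxy port
$files     = @(                                                 # dropped files with known paths
    (Join-Path $env:ProgramFiles 'Common Files\Microsoft\VGX\VGX32.dll'),
    (Join-Path $env:windir 'Temp\~ifpw.dat')
)
# VGX16.DLL and COMLM.DLL are dropped too, but the write-up gives no path, so they are not checked.

function Test-LingoskyIndicators {
    $findings = @()

    # 1. Registry values used to open the covert proxy.
    if (Test-Path $regKey) {
        $item = Get-ItemProperty -Path $regKey -ErrorAction SilentlyContinue
        foreach ($name in $regValues) {
            if ($null -ne $item -and ($item.PSObject.Properties.Name -contains $name)) {
                $findings += "Registry: $regKey\$name = $($item.$name)"
            }
        }
    }

    # 2. Dropped files at the documented locations.
    foreach ($f in $files) {
        if (Test-Path -LiteralPath $f) { $findings += "File: $f" }
    }

    # 3. A listener on the back-door port. Port alone is weak evidence; the owning
    #    process matters because VGX32.dll is injected into lsass.exe or services.exe.
    $listeners = Get-NetTCPConnection -State Listen -LocalPort $port -ErrorAction SilentlyContinue
    foreach ($l in $listeners) {
        $proc = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
        $pname = if ($proc) { $proc.ProcessName } else { 'unknown' }
        $findings += "Listener: TCP $port owned by PID $($l.OwningProcess) ($pname)"
    }
    return $findings
}

$result = Test-LingoskyIndicators
if ($result.Count -eq 0) { Write-Output 'No Backdoor.Lingosky indicators found.' }
else                     { $result | ForEach-Object { Write-Output "FOUND  $_" } }

# Mirrors the manual steps: delete only the two values, never the whole Tcpip subkey.
if ($RemoveRegistryValues -and (Test-Path $regKey)) {
    Remove-ItemProperty -Path $regKey -Name $regValues -ErrorAction SilentlyContinue
    Write-Output "Removed Gateway/Port values from $regKey (if present)."
}
```

Because the injected DLL runs inside lsass.exe or services.exe, removing the registry values alone does not clean the host; the file findings should be handed to a full antivirus scan as the write-up expects.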