Author Topic: BackDoor-DIY  (Read 3659 times)

Amker
BackDoor-DIY
« on: 16. June 2007., 15:16:58 »
This trojan is a remote access trojan. There are several variants of this trojan, and the specific actions taken are decided by the hacker who uses this trojan. The description is a general guide. Newer variants require the latest DATs for detection.
Aliases
Backdoor:Win32/Glupzy.A (Microsoft)
Trj/Flashy.A (Panda)
Troj/Glupzy-A (Sophos)
Trojan.Win32.Disabler.i (Kaspersky)
Win32/Glupzy.A (CA)
WORM_FLASHY.B (Trend Micro)
Characteristics -

Upon execution, the trojan drops itself to the following file:
%SystemDir%Flashy.exe
%UserProfile%\Start Menu\Programs\Startup\systemID.pif

It modifies the following registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"Flashy Bot" = %SystemDir%Flashy.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
"Hidden" = 2
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
"HideFileExt" = 1
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
"NoFolderOptions" = 1
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
"DisableTaskMgr" = 1
"DisableRegistryTools" = 1

The trojan creates the mutex named "||Flashy||" to ensure only one instance is running. It runs the telnet service by running the following command.
"net start telnet"

It also runs the following command.
"user adminitdHator hacked"

Symptoms -

Presence of the files mentioned.
Presence of the registry keys mentioned.
Unexpected port open on the victim machine: (telnet service: tcp/23)
Method of Infection -

Some variants can copy themselves to the following drives.
D:
E:
F:
G:
H:
I:
J:
Removal -

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

McAfee
# Online Anti-Malware Scanners: http://scforum.info/index.php/topic,734.0.html
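One way to check a Windows host for the indicators in the post above, as an added example that is not part of the original post or of McAfee's description (read-only, reports only; assumes an elevated PowerShell 5.1+ session, that %SystemDir% means System32, and a Windows build that ships Get-NetTCPConnection):

```powershell
# Added example, not from the original post: read-only check of a Windows host for the
# BackDoor-DIY indicators listed above. Assumes an elevated PowerShell 5.1+ session and,
# for the port check, a Windows version that ships Get-NetTCPConnection.
$findings = [System.Collections.Generic.List[string]]::new()

# File indicators. The post writes %SystemDir%Flashy.exe; System32\Flashy.exe is assumed.
foreach ($f in @((Join-Path $env:SystemRoot 'System32\Flashy.exe'),
                 (Join-Path $env:USERPROFILE 'Start Menu\Programs\Startup\systemID.pif'))) {
    if (Test-Path -LiteralPath $f) { $findings.Add("File present: $f") }
}

# Registry indicators: Value = $null means "any value counts". Hidden=2 and HideFileExt=1
# are also Windows defaults, so they are only corroborating evidence (Weak = $true).
$regChecks = @(
    @{ Path='HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';              Name='Flashy Bot';           Value=$null; Weak=$false },
    @{ Path='HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name='Hidden';               Value=2;     Weak=$true  },
    @{ Path='HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name='HideFileExt';          Value=1;     Weak=$true  },
    @{ Path='HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name='NoFolderOptions';      Value=1;     Weak=$false },
    @{ Path='HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name='DisableTaskMgr';       Value=1;     Weak=$false },
    @{ Path='HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name='DisableRegistryTools'; Value=1;     Weak=$false }
)
foreach ($c in $regChecks) {
    $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { continue }
    $actual = $item.($c.Name)
    if ($null -eq $c.Value -or $actual -eq $c.Value) {
        $tag = if ($c.Weak) { 'weak' } else { 'strong' }
        $findings.Add("Registry ($tag): $($c.Path)\$($c.Name) = $actual")
    }
}

# Mutex: a live trojan instance holds "||Flashy||". Opening it succeeds only if it exists.
try {
    ([System.Threading.Mutex]::OpenExisting('||Flashy||')).Dispose()
    $findings.Add('Mutex "||Flashy||" is held: an instance is probably running')
} catch [System.Threading.WaitHandleCannotBeOpenedException] {
    # Not present: the expected result on a clean host.
} catch [System.UnauthorizedAccessException] {
    $findings.Add('Mutex "||Flashy||" exists but could not be opened')
}

# Telnet: "net start telnet" starts the TlntSvr service, which listens on tcp/23.
$svc = Get-Service -Name 'TlntSvr' -ErrorAction SilentlyContinue
if ($svc -and $svc.Status -eq 'Running') { $findings.Add('Telnet service (TlntSvr) is running') }
if (Get-NetTCPConnection -LocalPort 23 -State Listen -ErrorAction SilentlyContinue) {
    $findings.Add('Something is listening on tcp/23')
}

if ($findings.Count -eq 0) { 'No BackDoor-DIY indicators found.' } else { $findings }
```

A hit on the Run value, the Startup .pif, the policy values or the mutex is the strong evidence; the two Explorer\Advanced values on their own match a default Windows profile and should not be reported alone.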
