Posted by: Amker
« on: 16. June 2007., 15:16:58 »This trojan is a remote access trojan. There are several variants of this trojan, and the specific actions taken are decided by the hacker who uses this trojan. The description is a general guide. Newer variant requires the latest DATs for detection.
Aliases
Backdoor:Win32/Glupzy.A (Microsoft)
Trj/Flashy.A (Panda)
Troj/Glupzy-A (Sophos)
Trojan.Win32.Disabler.i (Kaspersky)
Win32/Glupzy.A (CA)
WORM_FLASHY.B (Trend Micro)
Characteristics -
Upon execution, the trojan drops itself to the following file:
%SystemDir%Flashy.exe
%UserProfile%\Start Menu\Programs\Startup\systemID.pif
It modifies the following registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"Flashy Bot" = %SystemDir%Flashy.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
"Hidden" = 2
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
"HideFileExt" = 1
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
"NoFolderOptions" = 1
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
"DisableTaskMgr" = 1
"DisableRegistryTools" = 1
The trojan creates the mutex named "||Flashy||" to ensure only one instance is running. It runs the telnet service by running the following command.
"net start telnet"
It also runs the following command.
"user adminitdHator hacked"
Symptoms -
Presence of the files mentioned.
Presence of the registry key mentioned:
Unexpected port open on the victim machine: (telnet service: tcp/23)
Method of Infection -
Some variants can copy themselves to the following drives.
D:
E:
F:
G:
H:
I:
J:
Removal -
All Users:
Use current engine and DAT files for detection and removal.
Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).
Additional Windows ME/XP removal considerations
McAfee
Aliases
Backdoor:Win32/Glupzy.A (Microsoft)
Trj/Flashy.A (Panda)
Troj/Glupzy-A (Sophos)
Trojan.Win32.Disabler.i (Kaspersky)
Win32/Glupzy.A (CA)
WORM_FLASHY.B (Trend Micro)
Characteristics -
Upon execution, the trojan drops itself to the following file:
%SystemDir%Flashy.exe
%UserProfile%\Start Menu\Programs\Startup\systemID.pif
It modifies the following registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"Flashy Bot" = %SystemDir%Flashy.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
"Hidden" = 2
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
"HideFileExt" = 1
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
"NoFolderOptions" = 1
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
"DisableTaskMgr" = 1
"DisableRegistryTools" = 1
The trojan creates the mutex named "||Flashy||" to ensure only one instance is running. It runs the telnet service by running the following command.
"net start telnet"
It also runs the following command.
"user adminitdHator hacked"
Symptoms -
Presence of the files mentioned.
Presence of the registry key mentioned:
Unexpected port open on the victim machine: (telnet service: tcp/23)
Method of Infection -
Some variants can copy themselves to the following drives.
D:
E:
F:
G:
H:
I:
J:
Removal -
All Users:
Use current engine and DAT files for detection and removal.
Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).
Additional Windows ME/XP removal considerations
McAfee