TL Security Trojan Removal Database

TLSecurity -> Removal Database

This database is constantly updated.

To search this document press CTRL+F and enter file names or keywords. If any of your files looks suspicious, enter the filename and search this document: you may be infected with a Trojan/Backdoor. TLSecurity

Last Update : 14/05/00



* Updated 18-02-99

->added Icq Trojen
->added more info over GateCrasher
* Updated 28-02-99

->added Priority Trojan BETA (released 28-02-99)
->added DeepBO
->added Gjamer
* BIG update 01-03-99

->Wincrasher Details added
->New Master of Paradise variant
->Control du Socket (older version)
->Added Voodoo
->New Info and Modified Server of the Icq Trojen
->Added Evil Ftp
->Added NetSpy
->Added ShockWave
->Added
* update 30-04-99
->Added NCW
->Added Shadow Phyre
* update 05-10-99
->Added Tiny Telnet Server
->Added Kuang
->Added Netsphere
->Added FakeVirii

* update 05-11-99

->Added Satans Back Door

* update 05-12-99

->added Indoctrination

* update 05-19-99

->added JammerKillah12
->added AolTrojan

* update 05-22-99

->added Hack'a'tack

* update 05-23-99

->added The Unexplained

* update 05-28-99

->added Bla

* update 06-02-99

->added Progenic Trojan Beta1
->added Progenic Trojan Beta2

* update 06-08-99

->added Hack'a'ttack1.12
->added Bla1.1
->added HVL RAT. 5.3.0
->added BackConstruction 1.2

* update 06-12-99

->added Kuang (all)
->added Frenzy 1.01
->Kuang2 The Virus

* update 06-22-99

->added Netsphere Final
->added Schwindler 1.82

* update 06-26-99

->added Subseven 1.9
->added BackConstruction 2.1

* update 08-01-99

->added Vampire

* update 08-06-99

->added Trojan Spirit 2001 a

* update 08-08-99

->added Maverick's Matrix

* update 11-08-99

->added Total Eclypse

* update 13-08-99

->added Kuang2 loggerAS

* update 30-08-99

->added Vampire 1.2
->added BoBo 1.0

* update 07-09-99

->added Deep Throat 3.1

* update 08-09-99

->added TrojanSpirit 1.2

* update 10-09-99

->added Eclipse 2000

* update 18-09-99

->added Incommand 1.0

* update 29-09-99

-> added Schoolbus 1.6
-> added Logged!
-> added Brainspy
-> added Xplorer
-> added IRC3

* update 29-09-99

-> added OnlineKeylogger

* update 30-10-99

-> added Transscout 1.1 + 1.2
-> added Schoolbus 2.0

* update 13-11-99

-> added Ambush
-> added DerSpaeher

* update 07-12-99

-> added The Prayer 1.2 + 1.3

* update 21-12-99

-> added Netraider
-> added Subseven 2.x
-> added YAT

* update 25-12-99

-> added Incommand 1.3

* update 10-01-00

-> added Barock

* update 5-09-00

-> added Net Control
-> added Intruse Pack 1.27b

* update 5-12-00

-> added Snid X2

* update 5-14-00

-> added Prosiak 0.70 Beta
-> added Freak 88

TOC

1.4 Removal Instructions and Hints
1.5 Useful URLs


* Socket de Troie

->People infected by this are somewhat fucked up, because it also carries Script.ini (a worm).
The Trojan is actually a virus as well: it infects all EXEs on the hard drive, making it nearly impossible to remove without AV software.

*Netbus 1.6 + 1.7
->Netbus 1.6's password is breakable; the script will change the password to Letmein, so you can connect and remove the trojan from the victim.
BTW the port in NB 1.7 isn't always the same and can be changed.

* Rare version of Netbus 2 pro

->Netbus 2 pro is not as easy to set up as 1.6 or 1.7 was, so someone made an installation
program that sets it up autostarting AND running invisibly. Runs on a specific port.


1.4 Removal Instructions AND Hints


* Master of Paradise (recognized by AVP) Not the modified version

->Does not restart automatically.

*The original server puts a neat icon in the tray, while the modified version puts
a NULL icon in the tray, which means it looks like a space between the original
icons and the time/date. The trojan also spoofs the Date and Time options, so it doesn't
look suspicious.

*Original Server Exe is exactly 327.680 bytes.
*Modified Server Exe is exactly 192.000 bytes. (Note: Icon is blank like Boserve.exe)


* Back Orifice (recognized by AVP)

->The father of all GUI trojans. Usually the key is:
1)HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
-> Standard Value .exe *There is a space before the .exe
2)When used with SilkRope the key is something like
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
-> 412124.TMP Value=412124.TMP *Weird numbers with the ending TMP.
* Original Boserve.exe is exactly 124.928 Bytes
With the BT plugin it is something around 193.149 Bytes
The crypted version called Infector is 184.832 Bytes
Size may vary due to the many plugins

* Deep Throat 2 (recognized by AVP)

->HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Systemtray Value c:\windows\systray.exe *Can be renamed.
-> Not as easy to remove, because it checks if the key in the registry exists and, if not, adds
it again, so simply removing the key won't work. --> 3 possibilities

1)Restart or quit and enter DOS and simply delete the file c:\windows\systray.exe
(The original systray.exe is C:\windows\system\systray.exe)

2)Use programs able to KILL programs in memory like CCTASK (URL below)
And then simply delete the systray.exe in c:\windows

3)Go to http://www.dark-e.com and download the DT2 Remover



* Netbus Pro 2 + Beta + Netrex (recognized by AVP except Netrex)

->This former Trojan is an attempt of the author to make Netbus Pro 2 a shareware remote
control program. Either way, there are versions out which run invisibly to the user.
The standard key is as always. There are 2 versions out (that I know of):
1) Original NetbusPro 2 + Beta
->HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
NameoftheEXE Value c:\windows\nameofthe.exe *Can be renamed.

To identify whether it is really NetbusPro which is running:
->HKEY_CURRENT_USER\NetBus
->HKEY_CURRENT_USER\NetBus Server\General
->Accept Value = 1*
->AccesMode Value = 2*
->Autostart Value = 1*
->TCPPort Value = 20340*
->Visibility Value = 3*
*These are all standard values and may vary

->HKEY_CURRENT_USER\NetBus Server\Protection
->Password Value = A *

*Password is crypted and A stands for NO password

Nbsvr.exe has exactly 612.966 Bytes

2) The version called Netrex

->Someone disassembled the file and recompiled it

To identify whether it is really NetRex which is running:

->HKEY_CURRENT_USER\NetRex
->HKEY_CURRENT_USER\NetRex Server\General
->Accept Value = 1*
->AccesMode Value = 2*
->Autostart Value = 1*
->TCPPort Value = 20340*
->Visibility Value = 3*

*These are all standard values and may vary

->HKEY_CURRENT_USER\NetRex Server\Protection
->Password Value = A *

*Password is crypted and A stands for NO password

Nrsvr.exe has exactly 326.144 Bytes

*HINT* NetbusPro AND Netrex both write logs of ALL connections to a file called
Log.txt in the same directory the server is installed in, usually C:\windows.
But as always there may be versions which DO NOT write the log.

* Wincrash (old version)
->Seems not to restart, thus should be rare

*Original Server Exe size is exactly 182.227 Bytes
*Supplements to the server exe, but not needed, are:
Win32cfg.exe exactly 4.128 Bytes
cfg95.exe has exactly 79.242 Bytes

* Millenium (recognized by AVP)

->That's a little bastard.
When installing, a little message box pops up saying <
The System is being updated>.
It copies itself into the c:\windows\system directory with the name reg666.exe
AND to C:\WINDOWS\SYSTEM\regersys.ocx.
The keys are:
*HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Millenium Value=reg666.exe
*AND in win.ini it adds run=C:\windows\system\reg666.exe

Removing is a little bit difficult because this trojan has a neat self-check
routine: if you remove the key in the registry it adds it again, if you remove
the win.ini entry it adds that again, and this tricky thing also has a backup
in regersys.ocx which it renames back to reg666.exe.
You see it's quite difficult if you don't know DOS. -> 2 possibilities

1)Restart or quit and enter DOS and simply delete the file c:\windows\reg666.exe
AND regersys.ocx (The names are always the same)

2)Use programs able to KILL programs in memory like CCTASK (URL below)
And then simply delete the reg666.exe from c:\windows\system; don't forget
to delete c:\windows\system\regersys.ocx

* The exact size of reg666.exe is 48.128 Bytes

*Gate Crasher

->This one is different from 2 points of view:
1)Needs 2 files, one named port.dat (always) accompanied by an EXE OR a DOC.
YES, this one can infect using a Word macro.
The Word macro contains the words >>This file once opened checks to see.
if you have the latest version of winsck.ocx and you have so no updates
are available
<< ->Nice spelling

2)It doesn't open the ports immediately; it monitors the DUN (Dial Up Network).
If it's active it opens its ports. So it isn't detectable upon start.
Actually it's a fake port watcher.

*HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Explorer Value=EXPLORE.exe

*Original Explore.exe size is exactly 94.208 Bytes, which actually is Port.dat
Port.dat size is exactly 94.208 Bytes
Port.exe size is exactly 40.960 Bytes (Infector comes with port.dat)
Port.doc size is exactly 39.424 Bytes (Infector comes with port.dat)
->Shows the name FullBrock (author's name ?)

*Socket de Troie (recognized by AVP)
-> In One Word "USE AVP"


*Net Monitor (old version)

->Rare Chinese Trojan (The readme is a must see :)
Trojan doesn't restart. Only runs once.

Spy Server exe has exactly 30.720 Bytes

* Devil 1.x
->French Trojan
Trojan doesn't restart. Only runs if the program is executed.

Comes with a lot of fake apps, but none of them runs the original
program.

Icqflood.exe has exactly 24.576 Bytes
Opscript.exe has exactly 61.952 Bytes
Socket.exe has exactly 355.840 Bytes
winamp34.exe has exactly 690.688 Bytes
Wingenocide.exe has exactly 67.584 Bytes
Winrar.exe has exactly 687.616 Bytes

* GirlFriend (recognized by AVP)

->Russian Trojan
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Windll Value c:\windows\windll.exe *Could be renamed.

1)Restart or quit and enter DOS and simply delete the file c:\windows\windll.exe

2)Use programs able to KILL programs in memory like CCTASK (URL below)
And then simply delete the windll.exe in c:\windows

*Hint* This Trojan specializes in stealing passwords. The victim should
change ALL passwords.

windll.exe has exactly 309.248 Bytes
windll.exe has exactly 189.196 Bytes (there are 2 versions)

* Netbus 1.6 + 1.7 (recognized by AVP)

->The Trojan for the kiddies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Patch Value c:\windows\patch.exe *Could be renamed.

1)Restart or quit and enter DOS and simply delete the file c:\windows\patch.exe

2)Use programs able to KILL programs in memory like CCTASK (URL below)
And then simply delete the patch.exe in c:\windows

*Hint*
Netbus 1.7 saves the IP of the attacker in c:\windows\access.txt !
but only if he has restricted access to the server to this IP.

->Name of the trojan.INI -> if the trojan name is patch.exe, patch.ini
Consists of the following:
[Settings]
Port1=12345 *Obvious
ServerPwd=asl *Uncrypted
LogTraffic=1
MailTo=cocksucker@cf.com *Attacker e-mail
MailFrom=my@myself.com *yours
MailHost=127.0.0.1 *SMTP server

*Note: MailTo and MailFrom could be interchanged (bug, or feature to hide the real e-mail address, because I entered just the opposite)

The Patch.exe of netbus 1.6 has exactly 472.576 Bytes
The Patch.exe of netbus 1.7 has exactly 314.636 Bytes
The Whakamol.exe fake game has exactly 314.636 Bytes


* Rare Version of NBP2

-> see netbus Pro 2

* Attack Ftp

->French Trojan (and therefore needs a few French DLLs)
What does it do?
- Copies Wsgt32.dl_ into the System directory and renames the file to Drwatsom.exe
- Copies Wsgt32.dl_ into the Windows directory and renames the file to Wver.dll
- Copies Install.exe into the System directory and renames the file to Wscan.exe
- Writes a key in Win.ini to launch Drwatsom.exe upon next reboot.
- Writes to the registry to launch Wscan.exe at next reboot
- Searches CD-ROM drives
- Creates Serv-u.ini in the System directory
- Scans the HD for TREE.DAT (password file of Cute-FTP)
- Copies the result to c:\windows\Result.dll
- Launches Drwatsom.exe
- Fakes an error message

Remove:
Quoted from the author's readme:

- Kill Drwatsom (Ctrl-Alt-Del)
- Execute the command : "Wscan.exe Louis_Cypher"
- Delete the Key
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run, Value wscan.exe
- Delete Wscan.exe from c:\windows\system

Size of the setup.exe is exactly 230.912 Bytes

* Streaming Audio Trojan
-> Sets up a streaming audio server.
Needs a lot of DLLs and needs a registration before functioning, achieved by
a Reg file which registers the serials. I think it's impossible
to set it up with no physical access to the victim's computer. (therefore rare)

* Hackcity Ripper Trojan

-> Only rips passwords.
Removes itself on next reboot.

*Hint* The victim should change his Dial-Up password immediately.

* FTP
-> Detects FTP
Nothing abnormal if a person has an FTP server, but some trojans are able to open an FTP server.
If you don't want the script to scan for this, deactivate it.

*Note* If you selected >>Enable ALL<< then FTP and Wingate are deactivated.

*Telecommando (recognized by AVP)
-> Basic Trojan
Key is:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Systemapp Value ODBC.exe

1)Restart or quit and enter DOS and simply delete the file c:\windows\system\odbc.exe

2)Use programs able to KILL programs in memory like CCTASK (URL below)
And then simply delete the odbc.exe in c:\windows\system


*Icq Trojen (recognized by AVP)

-> DOS based Trojan (not very useful)
Quoted from the readme
>>Icqtrogen.exe is made to be placed in your icq folder and move the real icq
to icq2.exe. netdetect calls our icq and ours calls icq2 so the user can't see it
<<

Removing is quite easy.
-> Go to the ICQ directory, delete ICQ.exe and rename ICQ2.exe to ICQ.EXE. DONE

*Original Server EXE is exactly 39.424 Bytes.

->**Modified Version**
Doesn't need the original ICQ.
Does not restart automatically.

*Modified Server Exe is exactly 27.779 Bytes
*Installer attached WITH BO is 188.438 Bytes

*Priority BETA

->New release, trojan needs runtime files (VB);
when pressing CTRL-ALT-DELETE the name pserver shows up.
The key is:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
pserver Value pserver.exe (every time)

*Original Server Exe is exactly 98.304 Bytes

*Deep BO

->Widespread version of BO. Runs on a specific port.
For removal see BO.

*Gjamer
->NO information available at this time. I need some info. (Mail me)

*Voodoo
->Needs all the lame Visual Basic DLLs
*Original Server Exe is exactly 36.864 Bytes.

*Ncw
The key in the registry is :
[HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices]
"MSSystemSet"="msset32.exe"


*Shadow Phyre
Copies to
c:\windows\system\inet.exe 200K
c:\windows\system\WinZipp.exe 200K

The keys in the registry are :

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"WinZipp"="C:\\WINDOWS\\SYSTEM\\WinZipp.exe /nomsg"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"INET Wizard"="C:\\WINDOWS\\SYSTEM\\inet.exe /nomsg"

*Tiny Telnet Server
Copies to :
c:\windows\windll.exe 127488 Bytes

The Key in the registry is :
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Windll.exe"="C:\\WINDOWS\\Windll.exe"


*Kuang
Copies to :
c:\windows\_webcache_.exe
C:\WINDOWS\SYSTEM\Temp$1.exe

The Keys in the registry are :
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"WebAccelerator"="_webcache_.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Temp$1.task"="C:\\WINDOWS\\SYSTEM\\Temp$1.exe"


*Netsphere
Copies to :
C:\WINDOWS\system\nssx.exe

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"NSSX"="C:\\WINDOWS\\system\\nssx.exe"

*FakeVirii
Copies to :
C:\WINDOWS\system\nssx.exe 36864 Bytes

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Kernel32.dll"="c:\\windows\\ccc.exe"

*Satans Back Door

Copies to :
C:\windows\sysprot.exe 77.824 Bytes

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"sysprot protection"="C:\\windows\\sysprot.exe"

*Indoctrination

Copies to :
C:\windows\sysprot.exe 29.184 Bytes

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce]
"Msgsrv16"="Msgsrv16"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Msgsrv16"="Msgsrv16"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Msgsrv16"="Msgsrv16"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Msgsrv16"="Msgsrv16"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Msgsrv16"="Msgsrv16"

*JammerKillah12

Copies to :
C:\windows\MsWin32.drv 92.697 Bytes

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"MsWindrv"="MsWin32.drv"

*AolTrojan
Copies to :
C:\windows\DAT92003.exe 32.768 Bytes or
C:\windows\DAT92003.exe 69.632 Bytes

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"dat92003"="C:\\WINDOWS\\SYSTEM\\DAT92003.exe"

*Hack'a'tack

Copies to :
C:\windows\Expl32.exe 241.397 Bytes

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Explorer32"="C:\\WINDOWS\\Expl32.exe"

*The Unexplained

Copies to :
C:\windows\INETB00ST.EXE 28.000 Bytes

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"InetB00st"="C:\\WINDOWS\\TEMP\\INETB00ST.EXE"

*Bla

Copies to :
C:\WINDOWS\$Temp\TROJAN.EXE
c:\windows\system\Rundll.exe

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"system"="C:\\WINDOWS\\$TEMP\\TROJAN.EXE"
"systemdoor"="c:\\windows\\system\\Rundll argp1"

*Progenic Trojan Beta Series

Copies to :
c:\windows\scandiskvr.exe

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Scandisk"="c:\\windows\\scandiskvr.exe"

* Hack'a'ttack1.12

Copies to :
C:\WINDOWS\Expl32.exe

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Explorer32"="C:\\WINDOWS\\Expl32.exe"

* Bla1.1

Copies to :
C:\WINDOWS\SYSTEM\mprdll.exe

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"system"="C:\\WINDOWS\\SYSTEM\\mprdll.exe"

* HVL RAT 5.3.0

Copies to :
C:\WINDOWS\SYSTEM\ .exe
C:\WINDOWS\system\MSGSVR16.EXE

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Default"=" "
"Explorer"=" "
'Note: this runs " .exe" just like BO.

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Explorer"="C:\\WINDOWS\\system\\MSGSVR16.EXE"

* BackConstruction 1.2

Copies to :
C:\WINDOWS\Cmctl32.exe

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Shell"="C:\\WINDOWS\\Cmctl32.exe"

* Kuang (Psender)

- Kuang2Full:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"K2ps_full.task"="C:\\WINDOWS\\SYSTEM\\K2ps_full.exe"

- Kuang2:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"K2ps"="C:\\WINDOWS\\SYSTEM\\K2psl.exe"


* Frenzy 1.01

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Explore"="C:\\Program files\\msgsrv36.exe"


* Kuang2 The Virus

Since Kuang2 The Virus acts like a virus, attaching itself to every PE EXE on the HD, there is NO usual removal method. I suggest you download Kuang2 The Virus with its built-in disinfector.


* Xtcp PORT 5550

Copies to : c:\windows\winmsg32.exe

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Msgsv32"="C:\\WINDOWS\\SYSTEM\\winmsg32.exe"

Uses port 5550.

* Netsphere Final (131337)

Copies to : c:\windows\system\epp32.exe

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ExecPowerProfile"="C:\\WINDOWS\\system\\epp32.exe"
Uses port 30133


* Schwindler 1.82


Copies to : c:\windows\user.exe NOT c:\windows\system\user.exe

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"User.exe"="C:\\WINDOWS\\User.exe"
Uses port 21554

* SubSeven 1.9

Copies to : c:\windows\system\mtmtask.dl

Default start method:
System.ini
Shell=explorer.exe mtmtask.dl
Uses port 1243

* BackConstruction 2.1

Copies to : c:\windows\Cmctl32.exe

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Shell"="C:\\WINDOWS\\Cmctl32.exe"
Uses port 1234

* Vampire

Copies to : c:\windows\system\Sockets.exe

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Sockets"="c:\\windows\\system\\Sockets.exe"
Uses port 6669

* Trojan Spirit 2001 a

Copies to: c:\WINDOWS\netip.exe
Win.ini : [windows] run=c:\windows\netip.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Internet="c:\windows\netip.exe"

Uses port 30911

* Maverick's Matrix

Copies to: C:\WINDOWS\Wincfg.exe

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Wincfg.exe"="C:\\WINDOWS\\Wincfg.exe"
Uses port 1269


* Total Eclypse

Copies to: C:\Windows\System\Rmaapp.exe 'Note: NOT Rnaapp.exe

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Rnaapp"="C:\\Windows\\System\\Rmaapp.exe"
Uses port 3791 (for FTP)

* Kuang2 logger AS

Copies to: C:\WINDOWS\SYSTEM\K2logas.exe

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"K2logas.task"="C:\\WINDOWS\\SYSTEM\\K2logas.exe"

* Vampire 1.2

Copies to: c:\windows\system\Winboot.exe

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"WindowsBootFile"="c:\\windows\\system\\Winboot.exe"

* BoBo 1.0

Copies to: C:\WINDOWS\SYSTEM\Dllclient.exe

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"DirectLibrarySupport"="C:\\WINDOWS\\SYSTEM\\Dllclient.exe"

* Deep Throat 3.1

Copies to: c:\windows\systray.exe 'Note: NOT c:\windows\system\systray.exe

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Systemtray"="c:\\windows\\systray.exe"

* Trojan Spirit 1.2

Copies to: c:\WINDOWS\FileName.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Internet="c:\windows\filename.exe"

* Eclipse 2000

Copies to: C:\WINDOWS\SYSTEM\Filename.EXE

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Cksys"="C:\\WINDOWS\\SYSTEM\\Filename.EXE"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Ewgiops"="C:\\WINDOWS\\SYSTEM\\ECLIPSE2000.EXE"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Bybt"="C:\\WINDOWS\\SYSTEM\\ECLIPSE2000.EXE"
Key names seem to be selected randomly.

* Incommand

Copies to: Path_Where_Run\Filename.exe

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"AdvancedSettings"="Path_Where_Run\\Filename.exe"

* BrainSpy

Copies to: C:\WINDOWS\SYSTEM\BRAINSPY .EXE

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"Gbubuzhnw"="C:\\WINDOWS\\SYSTEM\\BRAINSPY .EXE"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Dualji"="C:\\WINDOWS\\SYSTEM\\BRAINSPY .EXE"
'Note: key names are randomized.

* IRC3

Win.ini :
load = closew

Closew.bat contains the following command:
@prompt @START C:\WINDOWS\RUNDLLS.EXE /h

Rundlls.exe is ServU.exe and the /h option runs it hidden.

* PC Xplorer

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"PCX"="C:\\WINDOWS\\SYSTEM\\PCX.exe"
"TaskManager"="C:\\WINDOWS\\SYSTEM\\PCX.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"PCX"="C:\\WINDOWS\\SYSTEM\\PCX.exe"
"TaskManager"="C:\\WINDOWS\\SYSTEM\\PCX.exe"

* Online Keylogger

Copies to the drive set as Temp.

[HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices]
"WinSet"="E:\\system.sys"

* Transscout 1.1 + 1.2

Copies to c:\windows\kernel16.exe

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"kernel16"="C:\\WINDOWS\\kernel16.exe"

* Ambush

Copies to c:\windows\Zcn32.exe

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ZKA"="Zcn32.exe"

* DerSpaeher3

Copies to C:\WINDOWS\System\dkbdll.exe

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Explore"="C:\\WINDOWS\\System\\dkbdll.exe Hi"

* The Prayer 1.2 + 1.3

Copies to C:\WINDOWS\SYSTEM\dlls32.exe

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemFiles"="C:\\WINDOWS\\SYSTEM\\dlls32.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SysFiles"="C:\\WINDOWS\\SYSTEM\\dlls32.exe"

* NetRaider

Copies to C:\WINDOWS\Rsrcnrs.exe

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Rsrcnrs"="C:\\WINDOWS\\Rsrcnrs.exe"

* Subseven 2.x

Copies to C:\WINDOWS\MSREXE.exe

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Winloader"="MSREXE.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"WinLoader"="MSREXE.exe"

Win.ini
[windows] load=MSREXE.exe

System.ini
shell=Explorer.exe MSREXE.exe

Unknown Start Method Removal:
Download this file and double click it : Here

'Note to Wajii "It was mine :)"

* YAT aka Yet Another Trojan

Start-up:

Firstly HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Batterieanzeige
is registered.

Then winstart.bat is created if it doesn't exist yet; this file is normally used by installation generators to manipulate/delete/exchange/register DLLs or other files.

Content of
winstart.bat
:



This might seem weird, but it simply means Windows will check for
.bat .exe .com to be executed if they exist; DOS/Windows uses the directories set in the PATH variable in autoexec.bat to search for the executables.

Then autoexec.bat is changed and
is appended at the end.

Then system.ini is changed and
shell=explorer.exe is
changed to
shell=explorer.exe Path_where_ran/NCHARGE.exe /NOMSG

Then win.ini is changed and
run = is changed to
run =
"very large space here" Path_where_ran/NCHARGE.exe /NOMSG

Then .bat is created (note the nice character, which can be created using the ALT-Number combination).


Content of
.bat :

@echo off
if exist F:\Directory_where_ran\NCHARGE.exe goto end
'If the backdoor file exists, go to end.

if exist C:\WINDOWS\command\msdos.sys copy C:\WINDOWS\command\msdos.sys F:\Directory_where_ran\NCHARGE.exe > nul
'If the backdoor backup exists, copy the backup to the backdoor location. The > NUL means that all messages DOS usually displays when copying/deleting etc. are NOT displayed, thus it runs hidden.

if exist F:\Directory_where_ran\NCHARGE.exe goto end

if exist C:\WINDOWS\system\windows.dat copy C:\WINDOWS\system\windows.dat F:\Directory_where_ran\NCHARGE.exe > nul

if exist F:\Directory_where_ran\NCHARGE.exe goto end

if exist C:\WINDOWS\command\drvspace.bat copy C:\WINDOWS\command\drvspace.bat F:\Directory_where_ran\NCHARGE.exe > nul

:end
C:\WINDOWS\regedit.exe C:\WINDOWS\reg.dat > nul
'Registers the autostart key again silently. To achieve this the option /s could also have been used.

Content of reg.dat :

REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]
"Batterieanzeige"="F:\\Directory_where_ran\\NCHARGE.exe /nomsg "
'Using the RunServicesOnce key makes it stealthier against anti-trojan programs, which usually do NOT check this key because it gets deleted automatically.

Note that all the file names and file paths are fully configurable, so this is only the default installation of YAT.

Removal:

Delete
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Batterieanzeige and the .bat file, and change system.ini back.
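The YAT start-up chain above, together with the Back Orifice (" .exe" and .TMP value names), Deep Throat (systray.exe outside \system) and SubSeven (system.ini shell= and win.ini load=) entries earlier, all boil down to a handful of autostart locations. The Python script below is an added example, not TLSecurity's code: it parses win.ini, system.ini and a REGEDIT4 export (the format of YAT's reg.dat) and flags those patterns; the KNOWN_BAD table uses names from this page and the sample files are constructed.

```python
"""Autostart checker for the Win9x persistence points this page lists (added example,
not TLSecurity's code). Parses win.ini, system.ini and a REGEDIT4 export such as
YAT's reg.dat; indicator names are from this page, the sample files are constructed."""
import re

AUTOSTART_KEYS = {"run", "runonce", "runservices", "runservicesonce"}
KNOWN_BAD = {  # value names / server file names quoted on this page -> trojan
    "batterieanzeige": "YAT default RunServicesOnce value",
    "ncharge.exe": "YAT default server name",
    "msrexe.exe": "SubSeven 2.x",
    "mtmtask.dl": "SubSeven 1.9",
}

def parse_ini(text):
    """{section(lower): [(raw_key, raw_value), ...]}; values keep their padding."""
    sections, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            cur = line[1:-1].strip().lower()
            sections.setdefault(cur, [])
        elif "=" in line and cur is not None:
            sections[cur].append(tuple(line.split("=", 1)))
    return sections

def unquote(s):
    """Strip REGEDIT4 quotes and undo doubled backslashes; inner padding is kept."""
    s = s.strip()
    if len(s) >= 2 and s[0] == s[-1] == '"':
        s = s[1:-1]
    return s.replace("\\\\", "\\")

def exe_name(data):
    """Lower-case file name of the command in a Run value, arguments dropped."""
    return re.split(r"[\\/]", data.strip().split(" ")[0])[-1].lower()

def check_system_ini(text):
    out = []
    for key, value in parse_ini(text).get("boot", []):
        if key.strip().lower() == "shell" and value.strip().lower() != "explorer.exe":
            out.append(f"system.ini shell={value.strip()!r} (only explorer.exe is normal)")
    return out

def check_win_ini(text):
    out = []
    for key, value in parse_ini(text).get("windows", []):
        k = key.strip().lower()
        if k in ("run", "load") and value.strip():  # padding ignored, as Windows does
            out.append(f"win.ini {k}={value.strip()!r} (normally empty)")
    return out

def check_registry(text):
    out = []
    for section, entries in parse_ini(text).items():
        where = section.rsplit("\\", 1)[-1]
        if where not in AUTOSTART_KEYS:  # anything but Run* keys is ignored
            continue
        for key, value in entries:
            name, data = unquote(key), unquote(value)
            exe, lname = exe_name(data), name.lower()
            if not data.strip() or name != name.strip() or exe.startswith("."):
                out.append(f"{where}: {name!r}={data!r} blank or space-padded (BO style)")
            elif lname in KNOWN_BAD or exe in KNOWN_BAD:
                out.append(f"{where}: {name!r}={data!r} is {KNOWN_BAD.get(lname, KNOWN_BAD.get(exe))}")
            elif lname.endswith(".tmp"):
                out.append(f"{where}: {name!r}={data!r} .TMP value name (SilkRope-wrapped BO)")
            elif exe == "systray.exe" and "\\system\\" not in data.lower():
                out.append(f"{where}: {name!r}={data!r} systray.exe outside \\system (Deep Throat)")
    return out

# constructed sample: a YAT-style install plus a few other entries from this page
SAMPLE_SYSTEM_INI = "[boot]\nshell=explorer.exe NCHARGE.exe /NOMSG\n"
SAMPLE_WIN_INI = "[windows]\nload=\nrun =" + " " * 60 + "F:\\Stuff\\NCHARGE.exe /NOMSG\n"
SAMPLE_REG = r'''REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]
"Batterieanzeige"="F:\\Stuff\\NCHARGE.exe /nomsg "

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
" .exe"=" .exe"
"Systemtray"="c:\\windows\\systray.exe"
"Winloader"="MSREXE.exe"
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
'''

def scan_all(system_ini, win_ini, reg_export):
    """Run all three checks; the sample above yields 6 findings."""
    return check_system_ini(system_ini) + check_win_ini(win_ini) + check_registry(reg_export)
```

The benign ScanRegistry entry in the sample passes untouched; run scan_all on real copies of the three files to see which of the page's patterns are present.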

* Incommand 1.3

Copies to C:\WINDOWS\Msie50h.exe

Win.ini
run=Msie50h.exe

Version Info of the File : 1.3.0.32824
Product Name : Microsoft Internet Explorer Advanced Settings Module

* Barock 1.0

Copies to C:\WINDOWS\SYSTEM\WCheckUp.exe

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"WCheckUp"="C:\\WINDOWS\\SYSTEM\\WCheckUp.exe"

* Net Controller 1.08

Copies to C:\WINDOWS\system.exe

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"System"="C:\\WINDOWS\\System.exe"

The server has to be started from the C drive, else it will fail to install itself successfully.

* Intruse Pack 1.27b

Copies to C:\WINDOWS\SYSTEM\nameoftheserver.exe

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Wind"="C:\\WINDOWS\\SYSTEM\\Nameoftheserver.EXE"

* Prosiak 0.70 Beta 5

Copies to C:\WINDOWS\SYSTEM\prosiak_trojan.exe

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Trojan horse"="prosiak_trojan.exe"

'Note : This is the default key and very likely to be changed

* Asylium Family (0.1 & 0.11 & 0.12 & 0.13)

Copies to C:\WINDOWS\SYSTEM\wincmp32.exe

[System.ini]
shell=explorer.exe wincmp32.exe

This is the default starting method, note that these are fully customisable including the filename and registry keynames.

1.5 Useful URLs

AVP, definitely the BEST all-round scanner, is available at
http://www.avp.com

Atguard Firewall to prevent inbound connections to servers and other security related issues. http://www.atguard.com

Trojan Defence Suite. Complete Anti-Trojan Suite.
http://www.multimania.com/ilikeit/tds2.htm




This FAQ is copyrighted TLSecurity (Int_13h)
Contact me by e-mail at Int_13h

You want to contribute something, a port number, a removal key, or just spotted an error? Make sure to mail me

<FYN>

TL S e c u r i t y
http://www.TLSecurity.net