1.4 Removing Instructions AND Hints * Master of Paradise (recognized by AVP) Not the modified ->Does not restart automaticaly. *Original Server Puts a neat Icon In the Tray , while the modified version puts an NULL icon in the Tray, which means it looks like a space between original icons and The Time Day, Trojan also spoofs Date and Time options, so it doesn't look suspicious. *Original Server Exe is exactly 327.680 bytes. *Modified Server Exe is exactly 192.000 bytes. (Note: Icon is blank Like Boserve.exe) * Back Orifice (recognized by AVP) ->The Father of all GUI Trojans usually the key is: 1)HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> Standard Value .exe *There is a space before the .exe 2)When used With SilkRope the key is something like HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> 412124.TMP Value=412124.TMP *Wierd numbers with the ending TMP. * Original Boserve.exe is exactly 124.928 Bytes With BT Plugin it is something around 193.149 Bytes Crypted Verion called Infector is 184.832 Bytes Size may vary due to lot of plugins * Deep Thoat 2 (recognized by AVP) ->HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Sytemtray Value c:\windows\systray.exe *Can be renamed. -> Not as easy to remove because it checks if Key in registry exists, if not it adds it again, so simply removing the Key won't work. --> 3 possibilities 1)Restart or quit and enter DOS and simply delete the File c:\windows\systray.exe (The original systemtray.exe is in C:\windows\system\systray.exe) 2)Use programms able to KILL programs in memory like CCTASK (Url Below) And then simply delete the systray.exe in c:\windows 3)Goto http://www.dark-e.com and download the DT2 Remover * Netbus Pro 2 + Beta + Netrex (recognized by AVP exept Netrex) ->This former Trojan is an attempt of the author to make Netbus Pro 2 a shareware Remote Control Program. Neitherway there are versions out which run invisible to the User The standard key is as always. There are 2 Versions out (that I know) 1) Original NetbusPro 2 + Beta ->HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run NameoftheEXE Value c:\windows\nameofthe.exe *Can be renamed. To identify if it's surely NetbusPro which is running ->HKEY_CURRENT_USER\NetBus ->HKEY_CURRENT_USER\NetBus Server\General ->Accept Value = 1* ->AccesMode Value = 2* ->Autostart Value = 1* ->TCPPort Value = 20340* ->Visibility Value = 3* *These are all standart keys and may vary ->HKEY_CURRENT_USER\NetBus Server\Protection ->Password Value = A * *Password is Crypted and A stands for NO password Nbsvr.exe has exactly 612.966 Bytes 2) The Version called Netrex ->Someone Disassembled the file and recompiled it To identify if it's surely NetRex which is running ->HKEY_CURRENT_USER\NetRex ->HKEY_CURRENT_USER\NetRex Server\General ->Accept Value = 1* ->AccesMode Value = 2* ->Autostart Value = 1* ->TCPPort Value = 20340* ->Visibility Value = 3* *These are all standart keys and may vary ->HKEY_CURRENT_USER\NetRex Server\Protection ->Password Value = A * *Password is Crypted and A stands for NO password Nrsvr.exe has exactly 326.144 Bytes *HINT* NetbusPro AND Netrex write both log's of ALL connections in a file called Log.txt in the same directory as the server is installed usually C:\windows But as always there may be versions which DO NOT write the log. * Wincrash (old version) ->Seems not to restart, thus should be rare *Original Server Exe size is exactly 182.227 Bytes *Suplement to the server exe but not needed are: Win32cfg.exe exactly 4.128 Bytes cfg95.exe has exactly 79.242 Bytes * Millenium (recognized by AVP) ->That's a little bastard. When installing a little message box pops up saying . It copies itself in the c:\windows\system directory with the name reg666.exe AND to C:\WINDOWS\SYSTEM\regersys.ocx. The keys Are: *HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Millenium Value=reg666.exe *AND in win.ini adds run=C:\windows\system\reg666.exe Removing is a little bit difficult because this trojan has some neat self-check routine, if you remove the Key in the registry it adds it again, if you remove the win.ini key it adds the key again, this tricky thing has also a backup in regersys.ocx which it renames again to reg666.exe. You see it's quite difficult if you don't know dos. -> 2 possibilities 1)Restart or quit and enter DOS and simply delete the File c:\windows\reg666.exe AND regersys.ocx (The names are always the same) 2)Use programms able to KILL programs in memory like CCTASK (Url Below) And then simply delete thereg666.exe from c:\windows\system don't forget to to delete the c:\windows\system\regersys.ocx * The exact size of reg666.exe is 48.128 Bytes *Gate Crasher ->This one is different from 2 point of view's 1)Needs 2 files one named port.dat (always) accompaigned with an EXE OR an DOC YES this ones can infect using a Word Macro. The Word Macro Contains the Words >>This file once opened checks to see. if you have the latest version of winsck.ocx and you have so no updates are available<<->Nice Spelling 2)It doesn't open the ports immediatly it monitors the DUN (Dial Up Network) If it's active it opens it's ports. So it isn't detecable up-on start Actually it's fake Port watcher. *HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Explorer Value=EXPLORE.exe *Original Explore.exe size is exactly 94.208 Bytes which actually is Port.dat Port.dat size is exactly 94.208 Bytes Port.exe size is exactly 40.960 Bytes (Infector comes with port.dat) Port.doc size is exactly 39.424 Bytes (Infector comes with port.dat) | ->Shows the name FullBrock (author's name ?) *Socket de Troie (recognized by AVP) -> In One Word "USE AVP" *Net Monitor (old version) ->Rare Chinese Trojan (The readme is a must see :) Trojan doesn't restart. Only runs once Spy Server exe has exaclty 30.720 Bytes * Devil 1.x ->French Trojan Trojan doesn't restart. Only runs if program is excecuted Comes with a lot of fake apps but none of them runs the original program. Icqflood.exe has exaclty 24.576 Bytes Opscript.exe has exactly 61.952 Bytes Socket.exe has exactly 355.840 Bytes winamp34.exe has exactly 690.688 Bytes Wingenocide.exe has exactly 67.584 Bytes Winrar.exe has exactly 687.616 Bytes * GirlFriend (recognized by AVP) ->Russian Trojan HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Windll Value c:\windows\windll.exe *Could be renamed. 1)Restart or quit and enter DOS and simply delete the File c:\windows\windll.exe 2)Use programms able to KILL programs in memory like CCTASK (Url Below 1.4) And then simply delete the windll.exe in c:\windows *Hint* This Trojan is specialist in stealing Passes. Victim should rename ALL passwords. windll.exe has exactly 309.248 Bytes windll.exe has exactly 189.196 Bytes (there are 2) * Netbus 1.6 + 1.7 (recognized by AVP) ->The Trojan for the Kiddies HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Patch Value c:\windows\patch.exe *Could be renamed. 1)Restart or quit and enter DOS and simply delete the File c:\windows\patch.exe 2)Use programms able to KILL programs in memory like CCTASK (Url Below 1.4) And then simply delete the patch.exe in c:\windows *Hint*Netbus 1.7 saves the IP of attacker in c:\windows\access.txt but only if he has restricted access to server with this IP. ->Name of the trojan.INI -> if trojan name is patch.exe, patch.ini Consists of the following : [Settings] Port1=12345 *Obvious ServerPwd=asl *Uncrypted LogTraffic=1 MailTo=cocksucker@cf.com *Attacker e-mail MailFrom=my@myself.com *yours MailHost=127.0.0.1 *Smpt-Server *Note the Mailto and the MailFrom could be interchanged (Bug or Feature to hide real E-mail adress because I entered just the opposite) The Patch.exe of netbus 1.6 has exactly 472.576 Bytes The Patch.exe of netbus 1.7 has exactly 314.636 Bytes The Whakamol.exe Fake game has exactly 314.636 Bytes * Rare Version of NBP2 -> see netbus Pro 2 * Attack Ftp ->French Trojan (and therefore needs a few french Dll's) What it Does ? - Copies Wsgt32.dl_ in the System directory and renames the file in Drwatsom.exe - Copies Wsgt32.dl_ in the Windows directory and renames the file in Wver.dll - Copies Install.exe in the System directory and renames the file in Wscan.exe - Writes a key in Win.ini to launch Drwatsom.exe up-on next reboot. - Writes to registry to launch Wscan.exe at next reboot - Searches CD-rom drives - Creates Serv-u.ini in the System directory - Scans HD for TREE.DAT (password of Cute-FTP) - Copies result to c:\windows\Result.dll - Launches Drwatsom.exe - Fakes a Error-Message Remove: Quoted from the authors Readme : - Kill Drwatsom (Ctrl-Alt-Del) - Execute the command : "Wscan.exe Louis_Cypher" - Delete the Key "HKEY_LOCAL_MACHINE, "Software\Microsoft\Windows\CurrentVersion\Run" Value wscan.exe - Delete Wscan.exe from c:\windows\system Size of the setup.exe is exactly 230.912 Bytes * Streaming Audio Trojan -> Sets Up a streaming Audio Server Needs a lot of dll's and needs a registration before functionating achieved by a Reg file which Registrates the serials. I think it's impossible to setup it up with no physical access to the victim computer. (therefore rare) * Hackcity Ripper Trojan -> Only Ripps Passwords Removes itself on next reboot. *Hint* The Victim should change his Dial-Up Password immediatly. * FTP -> Detects Ftp Nothing anormal if a person has a ftp, but some trojans are able to open an Ftp. If you don't want the script to scan this Deactivate it. *Note* If You selected >>Enable ALL< *Telecommando (recognized by AVP) -> Basic Trojan Key is: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Systemapp Value ODBC.exe 1)Restart or quit and enter DOS and simply delete the File c:\windows\system\odbc.exe 2)Use programms able to KILL programs in memory like CCTASK (Url Below 1.4) And then simply delete the odbc.exe in c:\windows\system *Icq Trojen (recognized by AVP) -> Dos Based Trojan (not very usefull) Quoted from the readme >>Icqtrogen.exe is made to be placed in your icq folder and move the real icq to icq2.exe. netdetect calls our icq and ours calls icq2 so the user can't see it<< Removing is quite easy. -> Goto Icq Directory delete ICQ.exe and rename the ICQ2.exe as ICQ.EXE. DONE *Original Server EXE is exactly 39.424 Bytes. ->**Modified Version** Doesn't need original ICQ. Restarts not automatically. *Modified Server Exe is exactly 27.779 Bytes *Installer attached WITH BO is 188.438 Bytes *Prority BETA ->New release, trojan needs Runtime-files (VB), while pressing CTRL-ALT-DELETE the name pserver shows up. The Key is: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run pserver Value pserver.exe (everytime) *Original Server Exe is excactly 98.304 Bytes *Deep BO ->Wide spread version of BO. Runs on specific port removing see BO. *Gjamer ->NO information avaible at this time. I need some info. (Mail me) *Voodoo ->Needs all the lame Visual Basic Dll's *Original Server Exe is excactly 36.864 Bytes. *Ncw The Key in the registry are : [HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices] "MSSystemSet"="msset32.exe" *Shadow Phyre Copies to c:\windows\system\inet.exe 200K c:\windows\system\WinZipp.exe 200K The Keys in the registry are : [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "WinZipp"="C:\\WINDOWS\\SYSTEM\\WinZipp.exe /nomsg" [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices] "INET Wizard"="C:\\WINDOWS\\SYSTEM\\inet.exe /nomsg" *Tiny Telnet Server Copies to : c:\windows\windll.exe 127488 Bytes The Key in the registry is : [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "Windll.exe"="C:\\WINDOWS\\Windll.exe" *Kuang Copies to : c:\windows\_webcache_.exe C:\WINDOWS\SYSTEM\Temp$1.exe The Keys in the registry are : [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] "WebAccelerator"="_webcache_.exe" [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "Temp$1.task"="C:\\WINDOWS\\SYSTEM\\Temp$1.exe" *Netsphere Copies to : C:\WINDOWS\system\nssx.exe [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "NSSX"="C:\\WINDOWS\\system\\nssx.exe" *FakeVirii Copies to : C:\WINDOWS\system\nssx.exe 36864 Bytes [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices] "Kernel32.dll"="c:\\windows\\ccc.exe" *Satans Back Door Copies to : C:\windows\sysprot.exe 77 824bytes [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices] "sysprot "protection"="C:\\windows\\sysprot.exe" *Indoctrination Copies to : C:\windows\sysprot.exe29 184bytes [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce] "Msgsrv16"="Msgsrv16" HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce] "Msgsrv16"="Msgsrv16" [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "Msgsrv16"="Msgsrv16" [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] "Msgsrv16"="Msgsrv16" [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices] "Msgsrv16"="Msgsrv16" *JammerKillah12 Copies to : C:\windows\MsWin32.drv 92 697bytes [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices] "MsWindrv"="MsWin32.drv" *AolTrojan Copies to : C:\windows\DAT92003.exe 32 768bytes or C:\windows\DAT92003.exe 69 632bytes [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "dat92003"="C:\\WINDOWS\\SYSTEM\\DAT92003.exe" *Hack'a'tack Copies to : C:\windows\Expl32.exe 241 397bytes HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "Explorer32"="C:\\WINDOWS\\Expl32.exe" *The Unexplained Copies to : C:\windows\INETB00ST.EXE 28.000bytes [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "InetB00st"="C:\\WINDOWS\\TEMP\\INETB00ST.EXE" *Bla Copies to : C:\WINDOWS\$Temp\TROJAN.EXE" c:\windows\system\Rundll.exe [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "system"="C:\\WINDOWS\\$TEMP\TROJAN.EXE" "systemdoor"="c:\\windows\\system\\Rundll argp1" *Progenic Trojan Beta Series Copies to : c:\windows\scandiskvr.exe [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "Scandisk"="c:\\windows\\scandiskvr.exe" * Hack'a'ttack1.12 Copies to : C:\WINDOWS\Expl32.exe [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "Explorer32"="C:\\WINDOWS\\Expl32.exe" * Bla1.1 Copies to : C:\WINDOWS\SYSTEM\mprdll.exe [[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "system"="C:\\WINDOWS\\SYSTEM\\mprdll.exe" * VL RAT. 5.3.0 Copies to : C:\WINDOWS\SYSTEM\ .exe C:\WINDOWS\system\MSGSVR16.EXE [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices] "Default"=" " "Explorer"=" " 'Note This runs " .exe" just like BO. [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "Explorer"="C:\\WINDOWS\\system\\MSGSVR16.EXE" * BackConstruction 1.2 Copies to : C:\WINDOWS\Cmctl32.exe [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] "Shell"="C:\\WINDOWS\\Cmctl32.exe" * Kuang (Psender) - Kuang2Full: [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "K2ps_full.task"="C:\\WINDOWS\\SYSTEM\\K2ps_full.exe" -Kuang2: [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "K2ps"="C:\\WINDOWS\\SYSTEM\\K2psl.exe" * Frenzy 1.01 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "Explore"="C:\\Program files\\msgsrv36.exe" * Kuang2 The Virus Since Kuang2 The Virus acts like a Virus attaching himself to every PE EXE on the HD. NO usual Removal Method. I suppose you download Kuang2 The Virus with built-in disinfector * Xtcp PORT 5550 Copies to : c:\windows\winmsg32.exe [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "Msgsv32"="C:\\WINDOWS\\SYSTEM\\winmsg32.exe" Uses port 5550. * Netsphere Final (131337) Copies to : c:\windows\system\epp32.exe [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "ExecPowerProfile"="C:\\WINDOWS\\system\\epp32.exe" Uses port 30133 * Schwindler 1.82 Copies to : c:\windows\user.exe NOT c:\windows\system\user.exe [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "User.exe"="C:\\WINDOWS\\User.exe" Uses port 21554 * SubSeven 1.9 Copies to : c:\windows\system\mtmtask.dl - Default: System.ini Shell=explorer.exe mtmtask.dl Uses port 1243 * BackConstruction 2.1 Copies to : c:\windows\Cmctl32.exe [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] "Shell"="C:\\WINDOWS\\Cmctl32.exe" Uses port 1234 * Vampire Copies to : c:\windows\system\Sockets.exe [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "Sockets"="c:\windows\system\Sockets.exe" Uses port 6669 * Trojan Spirit 2001 a Copies to: c:\WINDOWS\netip.exe Win.ini : [windows]run= c:\windows\netip.exe HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ Internet="c:\windows\netip.exe" Uses port 30911 * Maverick's Matrix Copies to: C:\WINDOWS\Wincfg.exe [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "Wincfg.exe"="C:\WINDOWS\Wincfg.exe" Uses port 1269 * Total Eclypse Copies to: C:\Windows\System\Rmaapp.exe 'Note NOT Rnaapp.exe [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "Rnaapp"="C:\\Windows\\System\\Rmaapp.exe" Uses port 3791 (for FTP) * Kuang2 logger AS Copies to: C:\WINDOWS\SYSTEM\K2logas.exe [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "K2logas.task"="C:\\WINDOWS\\SYSTEM\\K2logas.exe" * Vampire 1.2 Copies to: c:\windows\system\Winboot.exe [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "WindowsBootFile"="c:\\windows\\system\\Winboot.exe" * BoBo 1.0 Copies to: C:\WINDOWS\SYSTEM\Dllclient.exe [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "DirectLibrarySupport"="C:\\WINDOWS\\SYSTEM\\Dllclient.exe" * Deep Throat 3.1 Copies to: c:\windows\systray.exe 'NOT c:\windows\system\systray .exe [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "Systemtray"="c:\\windows\\systray.exe" * Trojan Spirit 1.2 Copies to: c:\WINDOWS\FileName.exe HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ Internet="c:\windows\filename.exe * Eclipse 2000 Copies to: C:\\WINDOWS\\SYSTEM\\Filename.EXE [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices] "Cksys"="C:\\WINDOWS\\SYSTEM\\Filename.EXE" [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] "Ewgiops"="C:\\WINDOWS\\SYSTEM\\ECLIPSE2000.EXE" [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "Bybt"="C:\\WINDOWS\\SYSTEM\\ECLIPSE2000.EXE" Keynames seem to be selected randomly. * Incommand Copies to: Path_Where_Run\Filename.exe [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "AdvancedSettings"="Path_Where_Run\Filename.exe" . * BrainSpy Copies to: C:\WINDOWS\SYSTEM\BRAINSPY .EXE [HKLM\Software\Microsoft\Windows\CurrentVersion\Run] "Gbubuzhnw"="C:\\WINDOWS\\SYSTEM\\BRAINSPY .EXE"" [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] "Dualji"="C:\\WINDOWS\\SYSTEM\\BRAINSPY .EXE" 'Note Keynames are randomized. * IRC3 Win.ini : load = closew Closew.bat contains the foloowing commands: @prompt @START C:\WINDOWS\RUNDLLS.EXE /h Rundlls.exe is ServU.exe and the /h option runs it hidden. * PC Xplorer [HKLM\Software\Microsoft\Windows\CurrentVersion\Run] "PCX"="C:\\WINDOWS\\SYSTEM\\PCX.exe" "TaskManager"="C:\\WINDOWS\\SYSTEM\\PCX.exe" [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] "PCX"="C:\\WINDOWS\\SYSTEM\\PCX.exe" "TaskManager"="C:\\WINDOWS\\SYSTEM\\PCX.exe" * Online Keylogger Copies to the drive set as Temp. [HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices] "WinSet"="E:\\system.sys" * Transscout 1.1 +1.2 Copies to c:\windows\kernel16.exe [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "kernel16"="C:\\WINDOWS\\kernel16.exe" * Ambush Copies to c:\windows\Zcn32.exe [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "ZKA"="Zcn32.exe" * DerSpaeher3 Copies to C:\WINDOWS\System\dkbdll.exe [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "Explore"="C:\WINDOWS\System\\dkbdll.exe Hi" * The Prayer 1.2 + 1.3 Copies to C:\WINDOWS\SYSTEM\dlls32.exe [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] "SystemFiles"="C:\\WINDOWS\\SYSTEM\\dlls32.exe" [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "SysFiles"="C:\\WINDOWS\\SYSTEM\\dlls32.exe" * NetRaider Copies to C:\WINDOWS\Rsrcnrs.exe [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "Rsrcnrs"="C:\\WINDOWS\\Rsrcnrs.exe" * Subseven 2.x Copies to C:\WINDOWS\MSREXE.exe [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "Winloader"="MSREXE.exe" [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices] "WinLoader"="MSREXE.exe" Win.ini [windows] load=MSREXE.exe System.ini shell=Explorer.exe MSREXE.exe Unknown Start Method Removal: Download this file and double click it : Here 'Note to Wajii "It was mine :)" * YAT aka Yet Another Trojan Start-UP: Firstly HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Batterieanzeige is registered. Then winstart.bat is created if it doesn't exist yet, this file is normally used by installation generators to manipulate/delete/exchange/register DLL or other files. Content of winstart.bat : ˙ This might seem wired, but this simply means Windows will check for ˙.bat ˙.exe ˙.com to be executed if they exist, Dos/Windows uses the directory set in the PATH variable in autoexec.bat to search for the executables. Then autoexec.bat is changed and ˙ is appended at the end. Then system.ini is changed and shell=explorer.exe is changed to shell=explorer.exe Path_were_ran/NCHARGE.exe /NOMSG Then wini.ini is changed and run = is changed to run = "very large space here" Path_were_ran/NCHARGE.exe /NOMSG Then ˙.bat is created (note the nice character, which can be greated using the ALT-Number combination). Content of ˙.bat : @echo off if exist F:\Directory_where_ran\NCHARGE.exe goto end 'If backdoor file exists goto end. if exist C:\WINDOWS\command\msdos.sys copy C:\WINDOWS\command\msdos.sys F:\Directory_where_ran\NCHARGE.exe >nul 'If backdoor backup does exist copy the backup to the backdoor location. The > NUL means that all comments dos usually displays when copying/deleting etc re NOT displayed, thus it will run hidden. if exist F:\Directory_where_ran\NCHARGE.exe goto end if exist C:\WINDOWS\system\windows.dat copy C:\WINDOWS\system\windows.dat F:\Directory_wherer_ran\NCHARGE.exe >nul if exist F:\Directory_wherer_ran\NCHARGE.exe goto end if exist C:\WINDOWS\command\drvspace.bat copy C:\WINDOWS\command\drvspace.bat F:\Directory_wherer_ran\NCHARGE.exe >nul :end C:\WINDOWS\regedit.exe C:\WINDOWS\reg.dat >nul 'Registers the autostart key again silently. To achieve this the option /s could also have been used. Content of reg.dat : REGEDIT4 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce] "Batterieanzeige"="F:\Directory_where_ran\NCHARGE.exe /nomsg " 'Using the RunServiceOnce key makes it more stealthy against Anti-Trojan programs which usually do NOT check this key, because it gets deleted automatically. Note that all the filenames and filepathes are fully configurable, so this is only the default installtion of YAT. Removal: Delete HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Batterieanzeige and˙.bat , and change the system.ini back. * Incommand 1.3 Copies to C:\WINDOWS\Msie50h.exe Win.ini run=Msie50h.exe Version Info of the File : 1.3.0.32824 Product Name : Microsoft Internet Explorer Advanced Settings Module * Barock 1.0 Copies to C:\WINDOWS\SYSTEM\WCheckUp.exe [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "WCheckUp"="C:\WINDOWS\SYSTEM\WCheckUp.exe" * Net Controller 1.08 Copies to C:\WINDOWS\system.exe [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "System"="C:\\WINDOWS\\System.exe" The Server has to be started from the C drive, else it will fail to install itself succesfully. * Intruse Pack 1.27b Copies to C:\WINDOWS\SYSTEM\nameoftheserver.exe [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "Wind"="C:\\WINDOWS\\SYSTEM\\Nameoftheserver.EXE" * Prosiak 0.70 Beta 5 Copies to C:\WINDOWS\SYSTEM\prosiak_trojan.exe [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices] "Trojan horse"="prosiak_trojan.exe" 'Note : This is the Default Key and very likely to be changed * Asylium Family (0.1 & 0.11 & 0.12 & 0.13) Copies to C:\WINDOWS\SYSTEM\wincmp32.exe [System.ini] shell=explorer.exe wincmp32.exe This is the default starting method, note that these are fully customisable including the filename and registry keynames. * Traitor 2.1 Copies to C:\WINDOWS\SYSTEM\WINDLL32.exe [HKLMACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices] "Windll32"="C:\\WINDOWS\\SYSTEM\\WINDLL32.EXE" FTP Banner: "traitor:21 server ready" * Senna Spy FTP Server Copies to C:\WINDOWS\SYSTEM\SSFTPSVR.EXE [HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices] "SSFTPSVR"="C:\\WINDOWS\\SYSTEM\\SSFTPSVR.EXE" * Connection Copies to C:\WINDOWS\SYSTEM\WINRUN.EXE [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] "Winrun"="C:\\win\\system\\winrun.exe" * Y3k Copies to C:\WINDOWS\SYSTEM\RundII.EXE [HKLM\Software\Microsoft\Windows\CurrentVersion\Run] "Explorer32"="C:\\WINDOWS\\RundII.exe" * Remote hack 1.1 & 1.2 Copies to C:\WINDOWS\SYSTEM\RundII.EXE [HKLM\Software\Microsoft\Windows\CurrentVersion\Run] "Norton Anti Virus"="C:\\WINDOWS\\norton.exe" * BioNet Family (Versions : 0-8-4; 0.8.71; 2.2.1; 2.6.1) Copies to C:\WINDOWS\SYSTEM\libupdate.exe [HKLM\Software\Microsoft\Windows\CurrentVersion\Run] "WinLibUpdate"="C:\\WINDOWS\\libupdate.exe -hide" * RUX.PSW Copies to C:\WINDOWS\SYSTEM\server.exe [HKLM\Software\Microsoft\Windows\CurrentVersion\Run] "(Standard)"="C:\\WINDOWS\\system\\SERVER.exe" * SheepGoat Copies to C:\WINDOWS\SYSTEM\SG.scr [Win.ini] run=C:\WINDOWS\SYSTEM\SG.scr * CrazyNet Copies to C:\WINDOWS\Registry32.exe [HKCUU\Software\Microsoft\Windows\CurrentVersion\Run] "Reg32"="Registry32.exe" [Win.ini] run=Registry32.exe [System.ini] shell=Explorer.exe Registry32.exe