Name: B.F.Evolution 5.3.12

Main: setup.exe, size 382 KB (391,712 bytes)

Keys: Values added: 2

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "(Default)"
    Type: REG_SZ
    Data:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices "(Default)"
    Type: REG_SZ
    Data:

Version: 5.3.12

Type: remote access/admin

Port/s used: 1099/tcp (configurable)

Files: c:\WINDOWS\SYSTEM\ .exe, Size: 391,712 bytes (the file name is a single space followed by .exe; see Special below)

Modifies: NONE

Aliases: none

Behaviour: Once executed, the server appears to do nothing: it runs hidden and registers itself in the registry so that it is loaded automatically on every reboot.

Removal: Open Start > Run, type regedit and press Enter. When regedit opens, navigate to the following path:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

Once there, look for the value named (Default) (note: there may be two entries called Default; if the one you are looking at shows (no value set) after it, that is the wrong one) and delete that entry.

Now navigate to this path:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

and delete the same entry there.

Reboot, then delete the following file:

c:\WINDOWS\SYSTEM\ .exe (Size: 391,712 bytes)
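An added detection check for the indicators listed above (not part of the original write-up); it assumes a Windows host with PowerShell and uses only the registry keys, the blank file name and the file size given on this page:

```powershell
# Added check, not from the original description. Assumes Windows + PowerShell.
# Registry paths, the nameless " .exe" and the 391,712-byte size come from the page.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices'
)

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    # The server writes its autostart entry into the key's "(Default)" value,
    # something legitimate installers almost never do. GetValue('') reads it.
    $default = (Get-Item $key).GetValue('')
    if (-not [string]::IsNullOrEmpty($default)) {
        Write-Warning "$key has a non-empty (Default) value: '$default'"
    }
}

# Look for an executable whose name is only whitespace (" .exe") in the system
# folder. Older Windows used C:\WINDOWS\SYSTEM; System32 is checked as well.
$dirs = @("$env:SystemRoot\SYSTEM", "$env:SystemRoot\System32")
foreach ($d in $dirs) {
    if (-not (Test-Path $d)) { continue }
    Get-ChildItem -Path $d -Force -File -ErrorAction SilentlyContinue |
        Where-Object { $_.BaseName.Trim() -eq '' -and $_.Extension -ieq '.exe' } |
        ForEach-Object {
            $note = if ($_.Length -eq 391712) { 'size matches the described server' }
                    else { 'size differs from the described server' }
            Write-Warning "Nameless executable: '$($_.FullName)' ($($_.Length) bytes; $note)"
        }
}
```

Run it from an elevated prompt; a non-empty (Default) value or a nameless .exe is a finding to investigate before removing anything.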

Special: This trojan uses the same trick Back Orifice used: it gives the .exe file no name (just a space before the .exe extension), which can make it harder for the victim to find. The trojan also ships with a whole suite of anti-AOL Instant Messenger tools that would probably appeal to script kiddies.

Author: N.A.

Notes: This trojan has a large server file but a heap of features. It is not as widespread as some of the big-name trojans, but it is definitely a medium threat.