Name: BackConstruction 1.2
Main: server.exe 175 KB (179,200 bytes)
Keys: keys added: 2

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\General

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\General\Settings
Values added: 3

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count "HRZR_EHACNGU:P:\hamvccrq\OnpxPbafgehpgvba1.2\FREIRE.RKR"

                        Type: REG_BINARY

                        Data: 5D, 00, 00, 00, 06, 00, 00, 00, 00, 7D, 65, CE, 7F, BC, C0, 01

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Shell"

                        Type: REG_SZ

                        Data: C:\WINDOWS\Cmctl32.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\General\Settings "P23h"

                        Type: REG_DWORD

                        Data: 17, 00, 00, 00
Version: 1.2
Type: remote access/admin
Port/s used: 5400 and 5401 tcp
Files: c:\WINDOWS\Cmctl32.exe Size: 179,200 bytes
Modifies: c:\unzipped\BackConstruction1.2\SERVER.EXE deleted (this is the server file; it deletes itself and adds Cmctl32.exe)
Aliases: none

Behaviour: once executed, the server runs in stealth and cannot be seen in the Ctrl-Alt-Del task list.
Removal: Click Start and go to Run. In the box, type regedit and click OK.

When regedit starts, you will see a file-like tree on the left hand panel. Open the folders to follow the path:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\

Look for a value named "Shell", right-click on it and choose Delete.

Reboot, then find and delete the following file: c:\WINDOWS\Cmctl32.exe (size: 179,200 bytes)
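A read-only PowerShell check for the artefacts this entry lists, added here as an example and not part of the original database entry. It assumes a current PowerShell (Get-ItemProperty, Test-Path) rather than the regedit walk-through above, and it checks both the HKCU and HKLM Run keys because the entry records the "Shell" value under HKCU while the removal steps point at HKLM. It also decodes the UserAssist value name, which Explorer stores ROT13-encoded, to show that it is Explorer's own record of SERVER.EXE having been run from the unzipped folder rather than something the trojan writes. The function names and parameter names are this example's own. Nothing is deleted; findings are returned as objects for review before following the removal steps.

```powershell
# Added example, not part of the original entry: read-only check for the
# BackConstruction 1.2 artefacts listed above.

function ConvertFrom-Rot13 {
    param([Parameter(Mandatory)][string]$Text)
    # Explorer stores UserAssist\Count value names ROT13-encoded; rotate A-Z and a-z only.
    $chars = $Text.ToCharArray() | ForEach-Object {
        $c = [int][char]$_
        if     ($c -ge 65 -and $c -le 90)  { [char]((($c - 65 + 13) % 26) + 65) }
        elseif ($c -ge 97 -and $c -le 122) { [char]((($c - 97 + 13) % 26) + 97) }
        else                               { [char]$c }
    }
    -join $chars
}

function Test-BackConstructionArtifacts {
    param(
        # Dropped file name and Run value name as given in the entry above.
        [string]$DropperName  = 'Cmctl32.exe',
        [string]$RunValueName = 'Shell'
    )
    $findings = @()

    # The entry lists the Run value under HKCU, the removal steps under HKLM: check both (assumption).
    foreach ($hive in 'HKCU:', 'HKLM:') {
        $runKey = "$hive\Software\Microsoft\Windows\CurrentVersion\Run"
        $props  = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
        if ($props -and $props.PSObject.Properties[$RunValueName]) {
            $data = $props.$RunValueName
            if ($data -match [regex]::Escape($DropperName)) {
                $findings += [pscustomobject]@{ Type = 'RunValue'; Location = "$runKey\$RunValueName"; Data = $data }
            }
        }
    }

    # Configuration key the server creates (from the entry above).
    $settings = 'HKLM:\SOFTWARE\Microsoft\General\Settings'
    if (Test-Path $settings) {
        $p23h = (Get-ItemProperty -Path $settings -ErrorAction SilentlyContinue).P23h
        $findings += [pscustomobject]@{ Type = 'SettingsKey'; Location = $settings; Data = $p23h }
    }

    # Dropped executable; the expected size comes from the entry above.
    $file = Join-Path $env:WINDIR $DropperName
    if (Test-Path $file) {
        $len = (Get-Item $file).Length
        $findings += [pscustomobject]@{ Type = 'File'; Location = $file; Data = "$len bytes (entry lists 179,200)" }
    }

    # UserAssist: decode the ROT13 names and report execution records that mention the server package.
    $ua = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count'
    if (Test-Path $ua) {
        foreach ($name in (Get-Item $ua).GetValueNames()) {
            $decoded = ConvertFrom-Rot13 $name
            if ($decoded -match 'BackConstruction') {
                $findings += [pscustomobject]@{ Type = 'UserAssist'; Location = $ua; Data = $decoded }
            }
        }
    }
    return $findings
}

# Decode the UserAssist value name quoted in the entry above.
ConvertFrom-Rot13 'HRZR_EHACNGU:P:\hamvccrq\OnpxPbafgehpgvba1.2\FREIRE.RKR'

# List whatever artefacts are present on this machine.
Test-BackConstructionArtifacts | Format-Table -AutoSize
```

The decoder output for the quoted name reads UEME_RUNPATH followed by the SERVER.EXE path, which is why that value is evidence of execution rather than a persistence mechanism; the "Shell" Run value and the dropped Cmctl32.exe are the items the removal steps actually need to address.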
Special: This is a very basic trojan and has no special features.
Author: NA
Notes: Very basic trojan, acts as a basic file server.