Name: BackConstruction 1.5

Main: Server.exe Size: 179,712 bytes

Keys: values added: 2

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count "HRZR_EHACNGU:P:\hamvccrq\OnpxPbafgehpgvba1.5\Freire.rkr"
    Type: REG_BINARY
    Data: 5D, 00, 00, 00, 06, 00, 00, 00, C0, 1F, D2, B4, A1, BC, C0, 01

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Shell"
    Type: REG_SZ
    Data: C:\WINDOWS\Cmctl32.exe
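As an added example (not part of this entry), the Python below decodes the two values listed above the way an analyst would when triaging the registry: the UserAssist value name is ROT13-encoded, its 16-byte data is assumed to follow the Windows 2000/XP layout (session id, run counter that starts at 5, last-run FILETIME), and the Run value is matched against the indicator this entry gives.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# Values copied from the "Keys" section of this entry.
USERASSIST_NAME = r"HRZR_EHACNGU:P:\hamvccrq\OnpxPbafgehpgvba1.5\Freire.rkr"
USERASSIST_DATA = bytes.fromhex("5D000000" "06000000" "C01FD2B4A1BCC001")
RUN_VALUE = ("Shell", r"C:\WINDOWS\Cmctl32.exe")

# A FILETIME counts 100-nanosecond ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def parse_userassist(name: str, data: bytes) -> dict:
    """Decode a Windows 2000/XP-style UserAssist Count entry.

    Assumption: the payload is <session u32><counter u32><FILETIME u64>,
    little-endian, and the counter starts at 5 (so executions = counter - 5),
    which is the documented XP layout and matches the 16 bytes on this page.
    """
    if len(data) != 16:
        raise ValueError("expected a 16-byte XP-style UserAssist payload")
    session, counter, last_run = struct.unpack("<IIQ", data)
    decoded = codecs.decode(name, "rot13")   # digits and backslashes are untouched
    prefix, _, path = decoded.partition(":")
    return {
        "prefix": prefix,            # e.g. UEME_RUNPATH
        "path": path,
        "session": session,
        "executions": max(counter - 5, 0),
        "last_run": filetime_to_datetime(last_run),
    }


def run_value_matches_indicator(name: str, target: str) -> bool:
    """True when a Run value matches the persistence entry described here:
    a value named "Shell" (mimicking the Winlogon Shell value) or a target
    whose file name is Cmctl32.exe."""
    basename = target.rsplit("\\", 1)[-1].lower()
    return name.lower() == "shell" or basename == "cmctl32.exe"


if __name__ == "__main__":
    ua = parse_userassist(USERASSIST_NAME, USERASSIST_DATA)
    print(f"{ua['prefix']} -> {ua['path']}")
    print(f"run {ua['executions']} time(s), last at {ua['last_run']:%Y-%m-%d %H:%M:%S} UTC")
    print("Run value matches indicator:", run_value_matches_indicator(*RUN_VALUE))
```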

Version: 1.5

Type: remote access file server

Ports used: 5400, 5401 and 21 (TCP)

Files: c:\WINDOWS\Cmctl32.exe Size: 179,712 bytes

Modifies: deletes c:\unzipped\BackConstruction1.5\Server.exe Size: 179,712 bytes

Aliases: none

Behaviour: Once executed, it deletes the original server executable and then drops a copy of itself here:

c:\WINDOWS\Cmctl32.exe Size: 179,712 bytes

Removal: click Start, then Run. In the box, type regedit and click OK.

When regedit starts, you will see a file-like tree in the left-hand panel. Open the folders to follow the path:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\

Look for a value named "Shell", right-click on it and choose Delete.

Reboot, then find and delete the following file: c:\WINDOWS\Cmctl32.exe Size: 179,712 bytes

Special: nothing special

Author: p23h

Notes: This trojan simply opens a file server on the infected computer, allowing full read/write access.