Name: BackConstruction 2.1

Main: Server.exe  Size: 177,664 bytes

Keys: values added: 2

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count "HRZR_EHACNGU:P:\hamvccrq\OnpxPbafgehpgvba2.1\Freire.rkr"
    Type: REG_BINARY
    Data: 5D, 00, 00, 00, 06, 00, 00, 00, A0, 44, DB, FA, CF, BC, C0, 01

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Shell"
    Type: REG_SZ
    Data: C:\WINDOWS\Cmctl32.exe
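The UserAssist entry above is the forensic trace of Server.exe being launched from its unzipped folder: Explorer stores the value name ROT13-encoded and keeps a session number, a run counter and a last-run FILETIME in the 16-byte binary data. The Python below is an added example, not part of the original report, and decodes exactly the name and data quoted above. It assumes the Windows 2000/XP data layout (session u32, count u32, FILETIME u64, little-endian) and the documented counter offset of 5 on those versions (a first run is stored as 6).

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# Value name and REG_BINARY data exactly as recorded in the report above.
VALUE_NAME = r"HRZR_EHACNGU:P:\hamvccrq\OnpxPbafgehpgvba2.1\Freire.rkr"
VALUE_DATA = "5D, 00, 00, 00, 06, 00, 00, 00, A0, 44, DB, FA, CF, BC, C0, 01"

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Assumption: Windows 2000/XP UserAssist counters start at 5, so the stored
# count equals (actual runs + 5).
COUNT_OFFSET = 5


def decode_name(name: str) -> str:
    """Undo Explorer's ROT13 on a UserAssist value name (non-letters unchanged)."""
    return codecs.decode(name, "rot_13")


def filetime_to_datetime(ft: int) -> datetime:
    """A Windows FILETIME counts 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def parse_userassist_data(data: str) -> dict:
    """Parse the 16-byte payload: <session u32><count u32><last run FILETIME u64>."""
    raw = bytes.fromhex(data.replace(",", " "))
    if len(raw) != 16:
        raise ValueError(f"expected 16 bytes, got {len(raw)}")
    session, count, ft = struct.unpack("<IIQ", raw)
    return {
        "session": session,
        "count": count,
        "runs": max(count - COUNT_OFFSET, 0),
        "last_run": filetime_to_datetime(ft),
    }


def decode_entry(name: str, data: str) -> dict:
    """Decode one UserAssist value into its plaintext name and parsed fields."""
    entry = parse_userassist_data(data)
    entry["name"] = decode_name(name)
    return entry


if __name__ == "__main__":
    e = decode_entry(VALUE_NAME, VALUE_DATA)
    print(e["name"])
    print(f"session={e['session']} count={e['count']} runs={e['runs']} "
          f"last_run={e['last_run']:%Y-%m-%d %H:%M:%S} UTC")
```

Running it recovers the plaintext name UEME_RUNPATH:C:\unzipped\BackConstruction2.1\Server.exe, a stored count of 6 (one run under the offset assumption) and the timestamp of that run in UTC, which is the evidence an analyst would pair with the Run value and the dropped file when reconstructing the infection.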

Version: 2.1

Type: remote access file server

Ports used: 5400, 5401 and 21 (TCP)

 

Files: c:\WINDOWS\Cmctl32.exe  Size: 177,664 bytes

Modifies: deletes c:\unzipped\BackConstruction2.1\Server.exe (177,664 bytes)

Aliases: none

Behaviour: Once executed, it deletes the original server file and writes a new file of the same size here:

c:\WINDOWS\Cmctl32.exe  Size: 177,664 bytes

 

Removal: click Start, go to Run, type regedit in the box and click OK.

When regedit starts, you will see a file-like tree in the left-hand panel. Open the folders to follow the path:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\

Look for a value named "Shell", right-click it and choose Delete.

Reboot, then find and delete the following file: c:\WINDOWS\Cmctl32.exe (177,664 bytes)
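The Keys section records the "Shell" value under HKEY_CURRENT_USER, while the removal steps look under HKEY_LOCAL_MACHINE, so a check should cover both Run keys and match on the dropped file name as well as on the value name. The Python below is an added example, not part of the original report: it parses a registry export in the .reg format written by `reg export` and flags Run entries whose name is "Shell" or whose image is Cmctl32.exe. The export text is constructed; the HKLM "Cmctl" entry and the "Updater"/"Sound" values are invented filler to show the file-name match and the non-matching case.

```python
import re
from pathlib import PureWindowsPath

# Both Run keys named in the report (HKCU in the Keys section, HKLM in the removal steps).
RUN_KEYS = (
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
)
# Indicators taken from the report: the value name and the dropped file name.
INDICATOR_VALUE_NAME = "shell"
INDICATOR_FILE_NAME = "cmctl32.exe"

# Constructed .reg export; the HKLM "Cmctl" entry is an invented variant that
# only matches on the file name, the other two values are harmless filler.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Shell"="C:\\WINDOWS\\Cmctl32.exe"
"Updater"="C:\\Program Files\\Example\\update.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Cmctl"="C:\\WINDOWS\\Cmctl32.exe"
"Sound"="C:\\WINDOWS\\system32\\mixer.exe"
'''

# "name"="string data" lines; dword:/hex: values are deliberately not matched.
_SZ_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def unescape(s: str) -> str:
    # Undo .reg string escaping: a doubled backslash becomes one, \" becomes a quote.
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg_export(text: str) -> dict:
    """Return {key path: {value name: string data}} for REG_SZ values in a .reg export."""
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _SZ_LINE.match(line)
        if current is not None and m:
            keys[current][unescape(m.group(1))] = unescape(m.group(2))
    return keys


def find_indicators(text: str) -> list:
    """List (key, value name, data) for Run entries matching the report's indicators."""
    keys = parse_reg_export(text)
    hits = []
    for wanted in RUN_KEYS:
        for key, values in keys.items():
            if key.lower() != wanted.lower():  # registry paths are case-insensitive
                continue
            for name, data in values.items():
                # The whole data string is treated as the image path; a command
                # line with arguments would need tokenising first.
                image = PureWindowsPath(data).name.lower()
                if name.lower() == INDICATOR_VALUE_NAME or image == INDICATOR_FILE_NAME:
                    hits.append((key, name, data))
    return hits


if __name__ == "__main__":
    for key, name, data in find_indicators(SAMPLE_EXPORT):
        print(f"{key}\n    {name} = {data}")
```

On a real host the input would come from exporting the two Run keys with `reg export`; matching on the image file name as well as the value name catches the case where the same file is registered under a different value name, which a search for "Shell" alone would miss.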

Special: nothing special

Author: p23h

Notes: This trojan just opens up a file server on the infected computer, allowing full read/write access.