Name: acidkor

 

Main: server.exe, size about 70 KB

 

Keys/values added:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Explorer"

                        Type: REG_SZ

                        Data: C:\WINDOWS\MSGSVR64.EXE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices "Explorer"

                        Type: REG_SZ

                        Data: C:\WINDOWS\MSGSVR64.EXE

 

Version: NA

 

Type: Remote admin/telnet

 

Port/s used: 2002

 

Files: c:\WINDOWS\MSGSVR64.EXE     Size: 73,728 bytes

           c:\WINDOWS\TEMP\~DFA54E.TMP     Size: 1,536 bytes

 

Modifies: none

 

Aliases: acid shivers

 

Removal: go to Start, then Run, type regedit, and then follow this path:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Delete the value named "Explorer" whose data on the right hand side is C:\WINDOWS\MSGSVR64.EXE. Check the data before deleting: the name "Explorer" alone is not the indicator, the path to MSGSVR64.EXE is.

Now go to

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

and do the same as above. (RunServices only exists on Windows 95/98/ME; if the key is not there, skip this step.)

Reboot, so the server is no longer running and holding its file open, then delete c:\WINDOWS\MSGSVR64.EXE (73,728 bytes). Delete c:\WINDOWS\TEMP\~DFA54E.TMP as well if it is still present.

After that you will be clean.
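The removal steps above amount to one check: find an autorun value under Run/RunServices whose data points at MSGSVR64.EXE, and remove that value (not just anything called "Explorer"). The script below is an added example, not part of the original entry, that applies that check to a regedit export (the kind produced by "regedit /e") and writes the matching ".reg" deletion fragment. The export text is constructed inline for the example, including a harmless HKCU "Explorer" value that must not be flagged; it was not captured from an infected machine.

```python
import re

# Constructed sample of a "regedit /e" export (regedit version 5 format).
# Backslashes are doubled as they are in real .reg files. The HKCU
# "Explorer" value is a decoy: same value name, legitimate data.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Explorer"="C:\\WINDOWS\\MSGSVR64.EXE"
"SomeUpdater"="C:\\Program Files\\Vendor\\updater.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Explorer"="C:\\WINDOWS\\MSGSVR64.EXE"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Explorer"="C:\\WINDOWS\\explorer.exe"
"""

# Autorun locations to inspect. The entry above only names the two HKLM
# keys; HKCU\...\Run is included here as an assumption so the decoy is seen.
AUTORUN_KEYS = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
}

INDICATOR_FILE = "MSGSVR64.EXE"   # file name the autorun data must point at

_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} from a .reg (version 5) text.

    Only string (REG_SZ) values are unescaped; other types are kept raw.
    """
    entries = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            entries.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name, data = m.group(1), m.group(2)
            if data.startswith('"') and data.endswith('"'):
                # REG_SZ: strip quotes and undo the .reg escaping of \ and "
                data = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
            entries[current][name] = data
    return entries


def find_acidkor_indicators(entries):
    """Return (key, value_name, data) for autorun values pointing at MSGSVR64.EXE."""
    wanted = {k.upper() for k in AUTORUN_KEYS}
    hits = []
    for key, values in entries.items():
        if key.upper() not in wanted:
            continue
        for name, data in values.items():
            # Match on the executable name, not on the value name "Explorer"
            if data.replace("/", "\\").split("\\")[-1].upper() == INDICATOR_FILE:
                hits.append((key, name, data))
    return hits


def removal_reg(hits):
    """Build a .reg fragment that deletes the flagged values when imported.

    In .reg syntax, "name"=- removes the named value from the key.
    """
    by_key = {}
    for key, name, _ in hits:
        by_key.setdefault(key, []).append(name)
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key, names in by_key.items():
        lines.append(f"[{key}]")
        lines.extend(f'"{n}"=-' for n in names)
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    found = find_acidkor_indicators(parse_reg_export(SAMPLE_REG_EXPORT))
    for key, name, data in found:
        print(f"{key}\n    \"{name}\" -> {data}")
    print(removal_reg(found))
```

Importing the generated fragment with regedit removes only the two HKLM values; the file itself still has to be deleted after a reboot, as the steps above say.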

 

Behaviour: this trojan is very similar to acid shivers in its behaviour, although it does not use random ports; it listens on the fixed port 2002.

 

Special: because this is a telnet trojan, any operating system with a telnet client can be used to control the server.

 

Author: Kor

 

Notes: This trojan was coded in Visual Basic using the acid shivers source code. Some of the features have been modified, but basically this trojan can be considered an acid shivers clone.