Name: Acropolis 1.0
Keys: values added
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count
"HRZR_EHACNGU:P:\hamvccrq\Npebcbyvf1.0\Freire.rkr"
Type: REG_BINARY
Data: 51, 00, 00, 00, 06, 00, 00, 00, 20, E7, 41, 6D, 0C, B7, C0, 01
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
"Winport.com"
Type: REG_SZ
Data: C:\WINDOWS\Winport.com
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\UDP Ports
"From"
Type: REG_SZ
Data:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\UDP Ports
"Host"
Type: REG_SZ
Data:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\UDP Ports
"Name"
Type: REG_SZ
Data: [Acropolis
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\UDP Ports
"Password"
Type: REG_SZ
Data:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\UDP Ports
"Port"
Type: REG_SZ
Data:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\UDP Ports
"Server"
Type: REG_SZ
Data:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\UDP Ports
"Target"
Type: REG_SZ
Data:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\UDP Ports
"To"
Type: REG_SZ
Data:
Version: 1.0
Type: Remote access/administration
Port/s used: 32791, 45673, 12904 TCP, and also up to 5 random UDP ports
Files:
c:\WINDOWS\Localbase.dll Size: 0 bytes
c:\WINDOWS\Winport.com Size: 385,024 bytes
Aliases: none
Behaviour: The server hides itself in the Windows directory on c:\ and autoloads on reboot.
Removal: Remove all of the registry entries listed above using regedit (click Start, go to Run, type regedit), reboot, then delete localbase.dll and winport.com.
Special: The trojan comes with a server configuration tool similar to Sub7's Edit Server, but with fewer features.
Author: Subzero & Clinton
Notes: This trojan seems to be a mixture of different trojans, including GirlFriend and NetBus; it has a small GUI with quite a few features, although none of them are new. It also has a very large server size: 717kbs.