Name: admin tool 2.0

Main: server.exe

Keys: value added

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "(Standard)"
    Type: REG_SZ
    Data: c:\windows\system\SERVER.exe

Version: 2.0

Type: Password email sender/key logger

Port/s used: NA

Files: c:\unzipped\ADMINTOOL2.0SERVER.exe   size 0 bytes,
       c:\WINDOWS\SYSTEM\SERVER.exe         size 0 bytes

Modifies: c:\WINDOWS\Cookies\index.dat
          c:\WINDOWS\History\History.IE5\index.dat
          c:\WINDOWS\Temporary Internet Files\Content.IE5\index.dat

Aliases: Cached pass & dial up Ripper v2.0

 

Behaviour: this trojan modifies the index.dat files of Internet Explorer (listed above) while trying to harvest passwords.

Removal: Open regedit (click Start, then Run, type regedit and press OK) and follow this path:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

Delete the "(Standard)" value added under that key (the one whose data is c:\windows\system\SERVER.exe) and then reboot.

When Windows restarts, go to Start, then Find, search for server.exe and ADMINTOOL2.0SERVER.exe, and delete any instances found.
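The manual check and removal above, scripted as an added example that is not part of the original entry or of the trojan's files. It assumes a host with PowerShell (the page's own paths are used as the indicators), and that "(Standard)" is the label a German-language regedit gives the Run key's default value, which the PowerShell registry provider addresses as "(default)".

```powershell
# Added example: look for the persistence value and dropped files named on
# this page, and optionally remove them the way the manual steps describe.
# Indicator paths are taken from the page; run from an elevated session.
$RunKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$DroppedFiles = @(
    'c:\windows\system\SERVER.exe',
    'c:\unzipped\ADMINTOOL2.0SERVER.exe'
)

function Find-AdminToolTraces {
    # Returns one string per indicator found; an empty array means nothing matched.
    $findings = @()
    $props = Get-ItemProperty -Path $RunKey -ErrorAction SilentlyContinue
    if ($props) {
        # The page records the path in the key's default value ("(Standard)")...
        $default = $props.'(default)'
        if ($default -and "$default" -match '\\SERVER\.exe$') {
            $findings += "Run default value -> $default"
        }
        # ...but the server is configurable, so inspect the named values as well.
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -notlike 'PS*' -and $p.Name -ne '(default)' -and
                "$($p.Value)" -match '\\SERVER\.exe$') {
                $findings += "Run value '$($p.Name)' -> $($p.Value)"
            }
        }
    }
    foreach ($path in $DroppedFiles) {
        if (Test-Path -LiteralPath $path) { $findings += "File present: $path" }
    }
    return ,$findings
}

function Remove-AdminToolTraces {
    # Mirrors the manual removal: clear the Run default value, delete the files,
    # then reboot. Supports -WhatIf so the actions can be previewed first.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $hasDefault = Get-ItemProperty -Path $RunKey -Name '(default)' -ErrorAction SilentlyContinue
    if ($hasDefault -and $PSCmdlet.ShouldProcess("$RunKey (default)", 'Clear Run default value')) {
        Remove-ItemProperty -Path $RunKey -Name '(default)'
    }
    foreach ($path in $DroppedFiles) {
        if ((Test-Path -LiteralPath $path) -and $PSCmdlet.ShouldProcess($path, 'Delete file')) {
            Remove-Item -LiteralPath $path -Force
        }
    }
}

Find-AdminToolTraces
```

Run `Remove-AdminToolTraces -WhatIf` to see what would be cleared before running it for real, and reboot afterwards as the manual steps require.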

Special: this trojan can send the stolen passwords to the attacker by ICQ pager message; the server is configurable.

 

Author: AGM65

 

Notes: this is an excerpt from the trojan's read me.txt

“Server Features:

'sends all the dial ups & cached passwords via icq pager message or email

'the ctrl+alt+del list is disabled

'checks if the connection is available, reloops every 5 mins if the user is offline

'sends also ip and hostname

'copies itself to the win/system dir

'windows registry start

'completely invisible”