Name: Amanda 2.0

 

Main: server.exe (approx. 88 KB)

 

Keys: value added

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "WinStart"

                        Type: REG_SZ

                        Data: C:\UNZIPPED\AMANDA2.0\SERVER.exe

Version: 2.0

 

Type: remote administration

 

Port/s used:  23032

 

Files: c:\WINDOWS\TEMP\~DF374F.TMP Size: 1,536 bytes

 

Modifies: none

 

Aliases:  none

 

Behaviour: The server runs hidden (it does not appear in the Ctrl-Alt-Del task list), but it does not melt (delete itself once executed) and does not copy itself into the Windows system directory: it keeps running from wherever it was originally launched, which is why the "WinStart" Run value points at the original file location rather than at a system path.

 

Removal: Go to Start, then Run, type regedit, and navigate to this key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

In the right-hand pane of the Run key, find the value named "WinStart" (its data is the full path to SERVER.exe; note that path down, since it tells you where the server is). Right-click the value, delete it, then reboot.

 

When Windows restarts, delete SERVER.exe. It can be anywhere on the drive, because the server runs from wherever it was launched; the path you noted from the "WinStart" value is the quickest way to find it. Failing that, go to Start, Search, and look for server.exe with a size of around 88 KB. The temporary file listed under Files (c:\WINDOWS\TEMP\~DF374F.TMP) can be deleted as well.

 

Special: NA

 

Author: skidkid

 

Notes: The server is a Visual Basic 6 program, so it only works on an infected machine that has the Visual Basic 6 runtime (Msvbvm60.dll) and the Microsoft Winsock control (Mswinsck.ocx) installed. If either file is missing the server fails to start, even though it may still be present on disk.
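Added example (not part of the original Amanda 2.0 write-up): the manual removal steps above and the dependency note, expressed as a PowerShell check that looks for each listed indicator and can optionally carry out the removal. It assumes an elevated PowerShell on Windows 8 / Server 2012 or later (Get-NetTCPConnection does not exist on older systems; use netstat -ano there), assumes the port is TCP (the write-up only says "23032"), and uses an assumed 80-96 KB window around the stated "around 88 KB" size.

```powershell
# Added example, not from the original write-up. Indicator values come from the
# description above: Run value "WinStart", port 23032, server.exe of roughly
# 88 KB, dependencies Mswinsck.ocx and Msvbvm60.dll, temp file ~DF374F.TMP.
# Assumptions: elevated PowerShell, Windows 8 / Server 2012+, TCP listener,
# 80-96 KB size window.

$Remove    = $false   # set to $true to actually delete the value, process and file
$RunKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$ValueName = 'WinStart'
$Port      = 23032

# 1. Persistence: the Run value and the path its data points at.
$serverPath = $null
$runValue = Get-ItemProperty -Path $RunKey -Name $ValueName -ErrorAction SilentlyContinue
if ($runValue) {
    $serverPath = $runValue.$ValueName
    Write-Host "[!] Run value '$ValueName' present, data: $serverPath"
} else {
    Write-Host "[ok] No '$ValueName' value under $RunKey"
}

# 2. Network: any process listening on the trojan's port (TCP assumed).
$listeners = @(Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue)
foreach ($l in $listeners) {
    $proc = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
    Write-Host "[!] Port $Port is listening, PID $($l.OwningProcess) ($($proc.ProcessName))"
}

# 3. Runtime dependencies: without both files the server cannot start, so a
#    machine that lacks them is not actually running the backdoor even if the
#    file is on disk. Checked in System32 and SysWOW64 (32-bit components on x64).
foreach ($dep in 'Mswinsck.ocx', 'Msvbvm60.dll') {
    $found = @('System32', 'SysWOW64') |
        ForEach-Object { Join-Path $env:SystemRoot "$_\$dep" } |
        Where-Object { Test-Path $_ }
    $status = if ($found) { "present at $($found -join ', ')" } else { 'missing' }
    Write-Host "[dep] $dep $status"
}

# 4. File: prefer the path from the Run value; otherwise search the drive for
#    server.exe near the stated size. A SHA256 is reported so the sample can be
#    matched against other hosts later.
$candidates = if ($serverPath -and (Test-Path -LiteralPath $serverPath)) {
    @(Get-Item -LiteralPath $serverPath)
} else {
    @(Get-ChildItem -Path C:\ -Filter server.exe -Recurse -File -ErrorAction SilentlyContinue |
      Where-Object { $_.Length -ge 80KB -and $_.Length -le 96KB })
}
foreach ($c in $candidates) {
    $hash = (Get-FileHash -LiteralPath $c.FullName -Algorithm SHA256).Hash
    Write-Host ("[?] {0}  {1} bytes  SHA256 {2}" -f $c.FullName, $c.Length, $hash)
}

# 5. Removal in the same order as the manual steps: drop the Run value, stop the
#    listener, delete the file. Because the server does not melt and does not copy
#    itself elsewhere, deleting the original file is sufficient. The temp file
#    name is the one observed in the write-up and may differ on another host.
if ($Remove) {
    Remove-ItemProperty -Path $RunKey -Name $ValueName -ErrorAction SilentlyContinue
    foreach ($l in $listeners) { Stop-Process -Id $l.OwningProcess -Force -ErrorAction SilentlyContinue }
    foreach ($c in $candidates) { Remove-Item -LiteralPath $c.FullName -Force }
    $tmp = Join-Path $env:SystemRoot 'TEMP\~DF374F.TMP'
    if (Test-Path -LiteralPath $tmp) { Remove-Item -LiteralPath $tmp -Force }
    Write-Host "[done] Reboot to confirm nothing relaunches and port $Port stays closed."
}
```

Run it once with $Remove left at $false to see what is present, then again with $Remove set to $true. If step 2 shows a listener but step 1 shows no Run value, the server was started by hand or from another persistence point, and the Run key alone will not explain the infection.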