Name: Backage 3.1

 

Main: Backageserver.exe 116 KB (118,784 bytes)

 

Keys: Values added:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Internet Kernel"

                        Type: REG_SZ

                        Data: C:/windows/Mskernel16.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce "Internet Kernel"

                        Type: REG_SZ

                        Data: C:/windows/Mskernel16.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Internet Kernel"

                        Type: REG_SZ

                        Data: C:/windows/Mskernel16.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices "Internet Kernel"

                        Type: REG_SZ

                        Data: C:/windows/Mskernel16.exe

 

Version: 3.1

 

Type: remote access/admin

 

Port/s used: 334/tcp

 

Files:    c:\WINDOWS\Mskernel16.exe Size: 118,784 bytes

 

Modifies: c:\windows\system.ini, [boot] "shell"

                        Old value: Explorer.exe

                        New value: Explorer.exe Mskernel16.exe

              c:\windows\win.ini, [windows] "run"

                        Old value:

                        New value: Mskernel16.exe

 

Aliases: none    

 

Behaviour: Once executed, the server runs hidden and does not appear in the Ctrl-Alt-Del task list. It is restarted at every boot through the registry Run, RunOnce and RunServices values and the win.ini and system.ini entries listed above, and it listens for the client on 334/tcp.

 

Removal: The easiest way to remove this trojan is as follows:

Open regedit (Start, Run, type regedit, then OK). When regedit has opened, press Ctrl+F; in the search box type Mskernel16.exe and click Find. Delete the value that is found, then press F3 to find the next instance and delete that too. Repeat until no further instances are found; there should be four, the "Internet Kernel" values under the Run and RunOnce keys in HKEY_CURRENT_USER and under the Run and RunServices keys in HKEY_LOCAL_MACHINE listed above.

Now open win.ini, find the [windows] section and the line run=Mskernel16.exe, and delete the Mskernel16.exe part so the line reads run=

Now open system.ini the same way, find the [boot] section and the line shell=explorer.exe Mskernel16.exe, and delete the Mskernel16.exe part so the line reads shell=explorer.exe.

Finally, reboot the PC and then delete the following file:

c:\WINDOWS\Mskernel16.exe

The reboot comes last for a reason: the server is running and hidden while Windows is up, so the file cannot be deleted until the autostart entries are gone and the machine has been restarted without it. If the file reappears after the reboot, one of the entries above was missed.
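The removal procedure above as a script, added here as an example; it is not code from this page and not the trojan's bundled removal program. It checks (and optionally deletes) the four "Internet Kernel" registry values, strips Mskernel16.exe from the win.ini run= and system.ini shell= lines while leaving everything else in those files untouched, and probes whether anything accepts connections on 334/tcp. The indicators are the ones listed on this page; the function names, the 127.0.0.1 probe, the latin-1 file encoding and the command-line usage are this example's own assumptions. The registry part needs the winreg module and therefore only does anything on Windows.

```python
"""Check for and clean the Backage 3.1 autostart entries (Mskernel16.exe).

Added example for this page, not the trojan's own removal program. The
indicators come from the listing above; function names and the cleanup
order are this example's assumptions.
"""
import re
import socket
import sys
from typing import List, Tuple

TROJAN_FILE = "Mskernel16.exe"
VALUE_NAME = "Internet Kernel"
LISTEN_PORT = 334

# The four registry autostart values listed on the page (hive, subkey).
RUN_KEYS = [
    ("HKEY_CURRENT_USER", r"Software\Microsoft\Windows\CurrentVersion\Run"),
    ("HKEY_CURRENT_USER", r"Software\Microsoft\Windows\CurrentVersion\RunOnce"),
    ("HKEY_LOCAL_MACHINE", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"),
    ("HKEY_LOCAL_MACHINE", r"SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices"),
]

# The two ini autostart lines listed on the page (file, section, key).
INI_ENTRIES = [("win.ini", "windows", "run"), ("system.ini", "boot", "shell")]


def is_backage_value(name: str, data: str) -> bool:
    """True if a registry value matches the indicators: the value name the
    trojan uses, or data that launches the dropped file. The page shows the
    path with forward slashes, so match on the file name only, ignoring case."""
    return (name.strip().lower() == VALUE_NAME.lower()
            or TROJAN_FILE.lower() in data.lower())


def clean_ini_text(text: str, section: str, key: str) -> Tuple[str, bool]:
    """Remove Mskernel16.exe from the `key=` line inside `[section]`.

    Returns (rewritten text, changed). Mirrors the manual steps:
      win.ini    [windows] run=Mskernel16.exe               -> run=
      system.ini [boot]    shell=Explorer.exe Mskernel16.exe -> shell=Explorer.exe
    Other sections, keys and the original line endings are preserved.
    """
    out: List[str] = []
    in_section = False
    changed = False
    for line in text.splitlines(keepends=True):
        body = line.rstrip("\r\n")
        newline = line[len(body):]
        stripped = body.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            in_section = stripped[1:-1].strip().lower() == section.lower()
        elif in_section:
            m = re.match(r"^(\s*)([^=;]+?)(\s*=\s*)(.*)$", body)
            if m and m.group(2).strip().lower() == key.lower():
                tokens = m.group(4).split()
                kept = [t for t in tokens if t.lower() != TROJAN_FILE.lower()]
                if len(kept) != len(tokens):
                    changed = True
                    body = m.group(1) + m.group(2) + m.group(3) + " ".join(kept)
        out.append(body + newline)
    return "".join(out), changed


def clean_ini_file(path: str, section: str, key: str) -> bool:
    """Rewrite one ini file in place; True if the trojan entry was removed."""
    with open(path, "r", encoding="latin-1", newline="") as f:
        text = f.read()
    new_text, changed = clean_ini_text(text, section, key)
    if changed:
        with open(path, "w", encoding="latin-1", newline="") as f:
            f.write(new_text)
    return changed


def registry_cleanup(remove: bool = False) -> List[str]:
    """Return the autostart keys that carry the "Internet Kernel" value and,
    if remove is set, delete that value (the regedit Ctrl+F / F3 loop above).
    Needs winreg, so it only does anything on Windows; elsewhere returns []."""
    try:
        import winreg
    except ImportError:
        return []
    hives = {"HKEY_CURRENT_USER": winreg.HKEY_CURRENT_USER,
             "HKEY_LOCAL_MACHINE": winreg.HKEY_LOCAL_MACHINE}
    access = winreg.KEY_READ | (winreg.KEY_SET_VALUE if remove else 0)
    hits: List[str] = []
    for hive_name, subkey in RUN_KEYS:
        try:
            with winreg.OpenKey(hives[hive_name], subkey, 0, access) as k:
                data, _ = winreg.QueryValueEx(k, VALUE_NAME)
                if is_backage_value(VALUE_NAME, str(data)):
                    hits.append(hive_name + "\\" + subkey)
                    if remove:
                        winreg.DeleteValue(k, VALUE_NAME)
        except OSError:
            continue  # key or value absent, or no permission: nothing done
    return hits


def port_334_open(host: str = "127.0.0.1", timeout: float = 0.5) -> bool:
    """True if something accepts connections on 334/tcp. A hint only: another
    service could own the port, and a bound-but-filtered server still hides."""
    try:
        with socket.create_connection((host, LISTEN_PORT), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    # Usage: python backage_clean.py C:\WINDOWS   (run before the reboot)
    windir = sys.argv[1] if len(sys.argv) > 1 else r"C:\WINDOWS"
    for hit in registry_cleanup(remove=True):
        print("removed autostart value from", hit)
    for name, section, key in INI_ENTRIES:
        path = windir + "\\" + name
        try:
            if clean_ini_file(path, section, key):
                print("removed", TROJAN_FILE, "from", path, "[" + section + "]", key + "=")
        except OSError as e:
            print("skipped", path, "-", e)
    if port_334_open():
        print("something is listening on tcp/%d" % LISTEN_PORT)
    print("now reboot, then delete", windir + "\\" + TROJAN_FILE)
```

The file itself is deliberately not deleted by the script: as the page notes, that has to wait until after the reboot, once nothing restarts the server.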

 

Special: This trojan uses multiple registry entries, plus the win.ini and system.ini autostart lines, to make removal difficult. One good point is that it ships with a removal program; if you are infected, the removal program does a thorough job of removing it. It also comes with an edit server program, so the server can be configured to the attacker's specifications.

 

Author: Ne-O-Sk8

 

Notes: All documentation and the client GUI are in French. The client looks very similar to SubSeven 2.1, but in French; it is also skinnable (it can be given different looks, or "skins").