COMMAND
Back Orifice, NetBus, BoSniffer, whackamole.exe, theipspoof.zip
Acid Shiver, picture.exe, Yahoo.exe
SYSTEMS AFFECTED
Win 9x, NT
PROBLEM
In August 1998, several backdoors for the Windows platform showed up.
I will base this text on the ISS Vulnerability Alert. A backdoor is
a program that is designed to hide itself inside a target host.
It allows the installing user access to the system at a later time
without using normal authorization or vulnerability exploitation.
I will continue to update this advisory with new information and
trojans as they show up.
A hacker group known as the Cult of the Dead Cow (cDc) has released a
Windows 95/98 backdoor named 'Back Orifice' (BO). Once installed, it
allows anyone who knows the listening port number and the BO password
to remotely control the host and execute privileged operations on it.
Intruders access the BO server using either a text or graphics based
client. The BO server allows intruders to execute commands, list
files, start silent services, share directories, upload and download
files, manipulate the registry, kill processes, list processes, as
well as other options. Back Orifice leaves evidence of its existence
and can be detected and removed. To determine if BO has been installed
on your machine, check the following. The BO server will do several
things as it installs itself on a target host:
* Install a copy of the BO server in the system directory
(c:\windows\system) either as " .exe" or a user specified
file name.
* Create a registry key under
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
with the file name of the server file name and a description
field of either "(Default)" or a user specified description.
* The server will begin listening on UDP port 31337, or a UDP
port specified by the installer. You can configure
RealSecure to monitor for network traffic on the default
UDP 31337 port for possible warning signs.
To determine if you are vulnerable:
1. Start the regedit program (c:\windows\regedit.exe).
2. Access the key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices.
Look for any files that may not have been intentionally
installed on the machine. If the length of one of these
files is close to 124,928 (give or take 30 bytes) then it
is probably Back Orifice.
You can also use the netstat program that comes with Windows to
check if the system is compromised. 'netstat -an' will list all
connected and listening ports, so you can see if there are any
open UDP ports that shouldn't be open, and take corrective
action. Here is some sample output from netstat:
C:\WINDOWS>netstat -an | find "UDP"
UDP 0.0.0.0:31337 *:*
In this example, you can see a UDP service listening on port
31337. This service is Back Orifice. It doesn't have to be on
port 31337, so if you see anything else that looks suspicious,
check your registry. More information about BO can be obtained
from the cDc web page at http://www.cultdeadcow.com. More
information about detection and removal of BO can be found at:
http://www.nwi.net/~pchelp/bo.html
There are several plugin applications for BO, called 'BUTTplugs'
by cDc, which are used to enhance the functionality of BO.
Currently there are four plugins available on the cDc page at:
http://www.cultdeadcow.com/tools/bo_plugins.html
These plugins will e-mail the attacker when someone installs their
copy of BO, or access Internet Relay Chat (IRC) to join a channel
and notify them that BO is installed. There is also a plugin used
to embed BO into any program you wish, which makes it easier to
fool a user into running it. The currently available plugins are:
Speakeasy - An IRC plugin that secretly logs into predefined
server and broadcasts the host's IP address
Silk Rope - Binds Back Orifice to almost any existing program
Saran Wrap - Hides Back Orifice in an existing standard
"InstallShield" installer program
Butt Trumpet - Sends the attacker an email with the host's IP
address, after BO is installed
There is a program called BoSniffer that is distributed on the
Internet and claims to detect and remove BO from your system.
This is actually Back Orifice itself, and you should not use this
program. Be wary of any BO 'fixes' from untrusted sources. This
fake fix has been distributed with the filenames bosniffer.exe
and bosniffer.zip.
theipspoof.zip is another Back Orifice trojan masquerading as a
"point & click, automagical IP spoofer". It is currently being
distributed on underground web sites and is billed as the latest
and greatest IP spoofing tool with a neato GUI (it's Back Orifice
with Butt Trumpet plugin).
There is also a program available on the Internet called NetBus,
with functionality similar to BO, and in some ways more advanced
than BO. NetBus has been available for some time, but its widespread
use as a hacking tool only began recently. Unlike BO, NetBus
will run on Windows 95/98 and NT. NetBus, available at:
http://members.spree.com/NetBus/index.html
allows the remote user to do most of the functions BO can do, as
well as open/close the CD-ROM drive, send interactive dialogs to
chat with the compromised system, listen to the system's microphone
(if it has one), and a few other features. The web page listed
above has information about all of NetBus's capabilities. The
page also contains instructions for removing NetBus from your
system. To determine if NetBus has been installed on your machine,
check the following. NetBus uses TCP for communication, and always
uses ports 12345 and 12346 for listening for connections. netstat
will tell you if NetBus is installed if you issue the command
'netstat -an | find "12345"'. Then, start the windows 'telnet'
program and connect to 'localhost' at port 12345. If NetBus is
installed, a string similar to 'NetBus 1.53' or 'NetBus 1.60 x'
will be displayed when you connect. NetBus's protocol is not
encrypted and the commands have a simple format: the name of the
command, followed by a semicolon, followed by the arguments
separated by semicolons. It is possible to set a password on the
NetBus server, and the password is stored in the registry as
plaintext at HKEY_CURRENT_USER\Patch\Settings\ServerPwd. X-Force
has discovered that there is a backdoor in NetBus that will allow
anyone to connect with no password. When the client sends the
password to the server, it sends a string similar to
'Password;0;my_password'. If the client uses a 1 instead of a 0,
you will be authenticated with any password. By default, the
NetBus server is called 'Patch.exe', but it can be renamed.
NetBus 2.0 (NB2) includes enhanced functionality, including the
ability to find cached passwords, full control over all windows,
capturing video from a video input device, a scheduler to run
scripts on specified hosts at a certain time, and support for
plugins. Plugins will enable programmers to add functionality to
NB2, similar to the architecture provided in the cDc BackOrifice
backdoor. The only plugin currently available is a file-finding
utility that searches a victim's hard drive for files. By
default, NB2 listens on TCP port 20034, but this is easily
configurable. NB2 uses a weak form of encryption to obfuscate its
communications, but the format of its packets makes it easy to
spot NB2 traffic. Each packet starts with 'BN', followed by the
following sequence:
- Two bytes representing the length of the packet.
- Two bytes, 0x02 0x00 (see the example below), probably the version of NetBus.
- Two random bytes, probably to confuse people.
- Two bytes for the command code.
For example:
42 4E XX XX 02 00 YY YY ZZ ZZ ...data...
XX XX is the length of the whole NetBus 2.0 packet
YY YY are just two random bytes
ZZ ZZ is the command code
The first 2 bytes are 'BN', the length of the packet is XX XX, and
the version is 0x02. NB2 stores registry information in the
HKEY_CURRENT_USER\NetBus Server registry key. If you have this
key in your registry, NB2 may be running on your machine. To
determine the port that NB2 uses, check the value of
HKEY_CURRENT_USER\NetBus Server\General\TCPPort, and use the
'netstat -an | find "LISTEN"' command to see if your system is
listening on that port. If NB2 is listening, you need to find the
NB2 server executable and delete it. The default name is
NbSvr.exe, but it can be easily renamed. If NetBus 2.0 is
configured to start automatically when your computer boots, the
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
registry key will have a registry value called 'NetBus Server Pro'
that specifies the full path for the location of the NetBus
executable. Use the registry key value to locate and delete the
file if you find that NB2 has been installed on your machine
without permission. NetBus 2.0 traffic using the default port
can be detected by RealSecure if you configure it to monitor
traffic on TCP port 20034.
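The two NetBus wire formats described above (the plaintext 'Name;arg;arg'
commands of 1.x, including the X-Force 'Password;1;' bypass, and the 'BN'
framing of 2.0) are small enough to implement directly. The following is an
added example, not code from the NetBus author or from ISS; it builds and
parses both formats against constructed packets. The advisory does not state
the byte order of the NB2 length and command fields, so little-endian is an
assumption here, and the two "random" bytes are fixed so the output is
reproducible.

```python
"""NetBus protocol helpers: NetBus 1.x 'Name;arg;arg' commands (with the
password-bypass flag) and NetBus 2.0 'BN' packet framing, as described in the
advisory.  Added example, not code from the NetBus author or from ISS.
Assumption: the NB2 length and command fields are little-endian."""
import struct

def nb1_command(name, *args):
    """Build a NetBus 1.x command line, e.g. nb1_command('Password', 0, 'pw')."""
    return ";".join([name] + [str(a) for a in args])

def nb1_password_bypassed(line):
    """True for a captured 'Password;1;...' line: with flag 1 instead of 0 the
    server accepts any password, so this is the backdoor-in-the-backdoor."""
    parts = line.rstrip("\r\n").split(";")
    return len(parts) >= 2 and parts[0] == "Password" and parts[1] == "1"

NB2_MAGIC = b"BN"
NB2_VERSION = b"\x02\x00"
NB2_HEADER_LEN = 10          # 'BN' + len(2) + version(2) + random(2) + command(2)

def nb2_build(command, data=b"", random_bytes=b"\x13\x37"):
    """Frame an NB2 packet; the length field counts the whole packet.
    random_bytes is fixed by default so the result is reproducible."""
    length = NB2_HEADER_LEN + len(data)
    return (NB2_MAGIC + struct.pack("<H", length) + NB2_VERSION
            + random_bytes[:2] + struct.pack("<H", command) + data)

def nb2_parse(pkt):
    """Return {'length','version','command','data'} or None if pkt is not a
    well-formed NetBus 2.0 packet (bad magic, version or length)."""
    if len(pkt) < NB2_HEADER_LEN or pkt[:2] != NB2_MAGIC:
        return None
    (length,) = struct.unpack("<H", pkt[2:4])
    version = pkt[4:6]
    (command,) = struct.unpack("<H", pkt[8:10])
    if version != NB2_VERSION or length != len(pkt):
        return None
    return {"length": length, "version": version,
            "command": command, "data": pkt[NB2_HEADER_LEN:]}

def is_nb2_traffic(payload):
    """IDS-style signature: 'BN' at offset 0 and 02 00 at offset 4, which is
    how the advisory suggests spotting NB2 even on a non-default port."""
    return (len(payload) >= 6 and payload[:2] == NB2_MAGIC
            and payload[4:6] == NB2_VERSION)

if __name__ == "__main__":
    print(nb1_command("Password", 1, "anything"))   # accepted by any 1.x server
    print(nb1_command("RemoveServer", 1))
    pkt = nb2_build(0x0102, b"example")
    print(pkt.hex(" "), nb2_parse(pkt))
```

is_nb2_traffic is the check you would put in a packet filter: it does not need
the port, only the two fixed header fields, so a renamed or re-ported NB2 server
is still visible on the wire.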
Yahoo.exe is actually the NetBus 2.0 server, packaged to install
without the user noticing anything. The following registry entries
were embedded within the exe (note the TCPPort of 20043 rather than
the default 20034, and the .dl_ extension registered as an
executable file type so that "rundll2.dl_" runs at startup):
REGEDIT4
[HKEY_CLASSES_ROOT\.dl_]
@="exefile"
"Content Type"="application/x-msdownload"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Rundll32"="rundll2.dl_"
[HKEY_LOCAL_MACHINE\Software\Net Solutions]
[HKEY_LOCAL_MACHINE\Software\Net Solutions\NetBus Server]
[HKEY_LOCAL_MACHINE\Software\Net Solutions\NetBus Server\General]
"Accept"="1"
"TCPPort"="20043"
"Visibility"="3"
"AccessMode"="2"
[HKEY_LOCAL_MACHINE\Software\Net Solutions\NetBus Server\Protection]
"Password"="$\".-("
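The host-side checks given for Back Orifice above (netstat for UDP 31337, the
RunServices key) and the Yahoo.exe registry dump just shown are easy to
automate from an exported registry and a saved 'netstat -an' listing, so
a machine can be triaged from a floppy without trusting its running
tools. The following is an added example, not part of the original advisory
or of RealSecure; the netstat and REGEDIT4 samples it scans are constructed,
the registry sample reusing the Yahoo.exe entries listed above.

```python
"""Offline triage for the Back Orifice / NetBus indicators in this advisory:
known default ports in 'netstat -an' output and autorun or configuration
entries in a REGEDIT4 export (regedit /e dump.reg).  Added example, not part
of the original advisory or of ISS RealSecure.  Sample inputs are constructed."""
import re

# Default (proto, port) -> backdoor.  Operators can move these; a miss proves nothing.
KNOWN_PORTS = {
    ("UDP", 31337): "Back Orifice (default)",
    ("TCP", 12345): "NetBus 1.x",
    ("TCP", 12346): "NetBus 1.x",
    ("TCP", 20034): "NetBus 2.0 (default)",
}
# Autorun locations named in the advisory; every value here deserves a look.
AUTORUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
}
NETBUS2_KEY_MARKER = r"\netbus server"   # HKCU\NetBus Server, HKLM\...\Net Solutions\NetBus Server

_NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+\S+:(\d+)\s", re.I)

def scan_netstat(text):
    """Return (proto, port, description) for each known default port in netstat -an output."""
    hits = []
    for line in text.splitlines():
        m = _NETSTAT_RE.match(line)
        if m:
            key = (m.group(1).upper(), int(m.group(2)))
            if key in KNOWN_PORTS:
                hits.append((key[0], key[1], KNOWN_PORTS[key]))
    return hits

def parse_regedit4(text):
    """Parse a REGEDIT4 export into {key: {name: data}}; '@' is the default value."""
    reg, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            reg.setdefault(current, {})
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            reg[current][name.strip().strip('"')] = data.strip().strip('"')
    return reg

def scan_registry(reg):
    """Findings: autorun values (review each), NetBus 2.0 config keys with their
    TCPPort, and non-.exe extensions aliased to 'exefile' (the Yahoo.exe trick)."""
    findings = []
    for key, values in reg.items():
        low = key.lower()
        if low in AUTORUN_KEYS:
            for name, data in values.items():
                findings.append(("autorun", key, name, data))
        if NETBUS2_KEY_MARKER in low:
            findings.append(("netbus2-config", key, "TCPPort", values.get("TCPPort")))
        if low.startswith("hkey_classes_root\\.") and values.get("@") == "exefile":
            ext = key.rsplit("\\", 1)[1]
            if ext.lower() != ".exe":
                findings.append(("exefile-alias", key, "@", ext))
    return findings

# --- constructed samples ---------------------------------------------------
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING
  UDP    0.0.0.0:31337          *:*
"""
SAMPLE_REG = r"""REGEDIT4

[HKEY_CLASSES_ROOT\.dl_]
@="exefile"
"Content Type"="application/x-msdownload"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Rundll32"="rundll2.dl_"

[HKEY_LOCAL_MACHINE\Software\Net Solutions\NetBus Server\General]
"Accept"="1"
"TCPPort"="20043"
"""

if __name__ == "__main__":
    for hit in scan_netstat(SAMPLE_NETSTAT):
        print("port:", hit)
    for finding in scan_registry(parse_regedit4(SAMPLE_REG)):
        print("registry:", finding)
```

The port table only knows defaults, which is why the registry pass also
reports the TCPPort value from any NetBus Server key: that is where a
re-ported NB2 install gives itself away, exactly as the advisory's manual
procedure describes.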
The game "whackamole.exe" (file size 314,636, credited to
ecoli_@hotmail.com) is actually a NetBus trojan. It is contained
within Whackjob.zip, available at http://netbus.hypermart.net, and
installs "patch.exe" (the NetBus server portion) from within the
InstallShield script for the game install. The program Netbus.exe
is renamed Explore.exe during the install. Needless to say, this
can be quite serious on a 40,000 user network. You can't run
command line programs directly from "launch program", but you can
execute 'Net Localgroup "administrators" "Me" /add' or the like
from .bat files uploaded directly to %systemroot% or another
path with the NetBus client.
L S D reported the following. The source code to the Windows trojan
called 'Acid Shiver' that covered most of Efnet last year has
been released. The source code is all Visual Basic 5.0 (SP3), and
not much effort was put into organization. It had been
distributed through 'WaReZ' DCC bots, and had over 7000 users
within 2 months. It was disguised as a million different
applications, the Setup.exe file in different programs was
replaced by the trojan, which would install itself into the
registry on first use. As soon as the program is run, it
registers its process as a 'Windows Service', thus removing it
from all task lists. It waits until an active internet connection
is established (by attempting connections to an array of SMTP
servers), and then e-mails the creator with the random TCP port
number it listens on, the time, and a large amount of sensitive
information resident on the victim's hard drive. The creator then
connects via telnet to the specified port and is given a prompt
that looks like a DOS shell. Any command can be executed, with
the results shot back across the tcp connection, network topology
can be shown (net * commands), files may be downloaded, the
deployer may "bounce" through the victim to another host, and
system settings/registry entries can be changed. The victim can
use a netstat to see the listening port/connections. It loads
automatically through the HKLM/M$/Windows/Current Version/Run
Services, Run, Run Once, and Run Services Once entries. If it
detects another copy running it exits. The file size for the exe
changed depending upon the exe-packer used, and any hex-editing
done by the deployer. For a .zip of the source code, e-mail
elessdee@usa.net with "Send AS Source" as subject.
The WM97/Caligula virus was released by 'Codebreakers', a virus
exchange (Vx) group. This is a Microsoft Word macro virus that
steals your Pretty Good Privacy (PGP) secret key ring and uploads
it to a Codebreakers FTP site. When executed, this virus will
open the registry and look for the HKEY_CLASSES_ROOT\PGP Encrypted
File\shell\open\command registry value. The virus uses this value
to find the path to the PGP program. Once it finds the path to
PGP, the virus locates your secret key ring, located in the
secring.skr file. The virus copies this file to a file called
secringXXXX.skr, where each X is an integer from 0 to 7, for
example, secring3150.skr. This file is uploaded to an FTP site at
208.201.88.110, or ftp.codebreakers.org, and stored in the
incoming directory. After Caligula runs, it sets the registry
value
HKEY_CURRENT_USER\Software\Microsoft\MS Setup (ACME)\User Info\Caligula
to 1 (True). You can tell if you have the Caligula virus by
looking for that key in the registry. An infection by Caligula
can be detected by RealSecure if you configure it to look for FTP
connections to 208.201.88.110.
The Picture.exe trojan horse program has been circulating around
the Internet via an e-mail attachment. If run, this executable
will send information about your Windows NT or 95/98 system to
any of several e-mail addresses in China. The file has also been
seen with the name Manager.exe. Executing or opening Picture.exe
places a file called note.exe in your Windows directory. It also
adds the line "RUN=NOTE.EXE" to the win.ini file so note.exe runs
every time Windows boots. The first time that note.exe runs, it
creates a file in your Windows directory called $2321.Dat. This
file contains an encoded listing of all of the files whose
three-letter file name extensions begin with an h, i, m, p, s, or
t. ISS X-Force believes it was the author's intent to get files
whose extensions are .idx, .mdb, .pst, .htm, .snm, .pab, and .txt,
because those extensions show up in note.exe. However, note.exe
will list any file whose extension begins with those letters.
Earlier reports indicated that note.exe looks through a user's
web cache directories to determine which web sites the user
visited, but this claim is false. Note.exe looks through all
directories trying to gather e-mail addresses. The data in the
file created by note.exe is encoded by adding 5 to each
character's ASCII code, for example:
C:\Inetpub\iissamples\ISSamples\default.htm
becomes:
H?aNsjyuzgannxxfruqjxaNXXfruqjxaijkfzqy3myr
The second time note.exe runs, it searches all files for e-mail
addresses. When it finds an address, it encodes and writes the
address to a file called $4135.Dat in your Windows directory. The
way that this data is encoded is by subtracting 5 from each
character's ASCII code, for example:
xforce@iss.net
becomes:
sajm^`;dnn)i`o
After note.exe searches all of the files, it overwrites $4135.Dat
with compressed data, where every host name is only listed once.
It encodes the data by subtracting 5 from each character's ASCII
code, and ends each line with ~X or =~X, where X is an integer.
The lines that end in ~X are usernames, and the lines that end in
=~X are host names. Once decoded, the format of the data looks
like this:
root~1
xforce~1
support~2
iss.net=~1
microsoft.com=~2
Each username is matched with the corresponding host name. In this
example, the e-mail addresses are: root@iss.net, xforce@iss.net,
and support@microsoft.com. The third time note.exe runs, it
attempts to send the contents of $4135.Dat to any of several
e-mail addresses. The addresses ISS X-Force has identified are
hongfax@public.szonline.net, chinafax@263.net, and chinafax1@263.net.
The trojan tries to connect to various SMTP servers. ISS X-Force
has identified public2.lyptt.ha.cn, public1.sta.net.cn,
nenpub.szptt.net.cn, mail.capital-online.com.cn, public.cc.jl.cn,
pub1.fz.fj.cn, public.szonline.net, and mail.nn.gx.cn. The data
is Base64 encoded. A header detected from an e-mail sent by
note.exe is as follows:
From: ab<abreb@hotmail.com>
To: hongfax@public.szonline.net
Subject: A manager software from ZDNet_AU
X-Mailer: Microsoft Outlook Express 4.72
Mime-Version: 1.0
Content-Type: multipart/mixed;
boundary="====================545354:56:00.PM===="
If sending the e-mail succeeds, note.exe will delete $2321.Dat and
$4135.Dat. If sending fails, it will try again the next time
note.exe runs, and keep trying until it successfully sends the
e-mail.
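The encoding note.exe uses is a fixed shift of 5 on each character (added
for $2321.Dat, subtracted for $4135.Dat), so both files and the compressed
'user~N' / 'host=~N' table can be decoded by hand or with a few lines of
code. The following is an added example, not X-Force code or anything from
the trojan; it reverses both encodings and rebuilds the addresses from the
compressed table, and is checked against the sample strings given above.

```python
"""Decoder for the two files the Picture.exe trojan (note.exe) writes, as
described in the advisory: $2321.Dat (each byte +5) and $4135.Dat (each byte
-5, later rewritten in the 'user~N' / 'host=~N' compressed form).  Added
example, not from ISS X-Force or the trojan; the test data are the advisory's
own sample strings."""

def shift(text, delta):
    """The trojan's 'cipher': add delta to every character's ASCII code."""
    return "".join(chr(ord(c) + delta) for c in text)

def decode_2321(line):
    """$2321.Dat (file listing) was encoded with +5, so decode with -5."""
    return shift(line, -5)

def decode_4135(line):
    """$4135.Dat (addresses / compressed table) was encoded with -5, so +5."""
    return shift(line, +5)

def decode_address_table(encoded_lines):
    """Decode the compressed $4135.Dat form and rebuild e-mail addresses.
    'user~N' lines are usernames, 'host=~N' lines are host names; a username
    is joined with the host that carries the same N."""
    users, hosts = [], {}
    for raw in encoded_lines:
        line = decode_4135(raw).rstrip("\r\n")
        if "~" not in line:
            continue
        left, _, idx = line.rpartition("~")
        if left.endswith("="):
            hosts[idx] = left[:-1]
        else:
            users.append((left, idx))
    return [f"{user}@{hosts[idx]}" for user, idx in users if idx in hosts]

if __name__ == "__main__":
    print(decode_2321("H?aNsjyuzgannxxfruqjxaNXXfruqjxaijkfzqy3myr"))
    print(decode_4135("sajm^`;dnn)i`o"))
    table = [shift(l, -5) for l in
             ["root~1", "xforce~1", "support~2", "iss.net=~1", "microsoft.com=~2"]]
    print(decode_address_table(table))
```

A recovered $4135.Dat tells you which addresses would have been leaked had the
SMTP delivery succeeded; a recovered $2321.Dat tells you which files note.exe
enumerated.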
Around the second quarter of 1999, a new wave of trojans showed
up.
The DeepThroat backdoor allows a remote attacker to execute
programs on your machine, open a web browser to a URL, open/close
your CD-ROM drive, start and stop an FTP server on your machine,
send you message boxes, and steal your passwords. DeepThroat
version 1 only works on Windows 95 and 98 machines, but versions
2 and 3 will run on Windows NT. DeepThroat is a backdoor that
operates on UDP port 2140. All three versions that are currently
released use the same protocol: the client sends a UDP packet
with a 2 byte command code, and the server sends back a response.
For a 'ping' packet, the UDP packet's data is "00". To test if
any version of DeepThroat is running on a machine, send a UDP
packet to port 2140 that contains the data "00". Depending on
which version of DeepThroat is running, you will get one of three
responses:
For version 1:
--Ahhhhhhhhhh My Mouth Is Open XFORCE
(In this example, XFORCE is the NetBIOS name of the machine)
For version 2:
ISS X-Force - Ahhhhh My Mouth Is Open (v2)
(In this example, 'ISS X-Force' is Windows' registered user's name)
For version 3:
ISS X-Force - Ahhhhh My Mouth Is Open (v3.0)
(In this example, 'ISS X-Force' is Windows' registered user's name)
If you see UDP ports 2140 and 3150 open when you run 'netstat -a',
then you are probably infected with one of the DeepThroat
backdoors.
NetSphere is a backdoor that performs the standard backdoor
functions, including logging keystrokes, setting up a port
redirector, capturing screenshots, and several functions to
operate with Mirabilis ICQ. NetSphere works on Windows 95, 98,
and Windows NT. NetSphere uses TCP ports 30100 and 30102. To
determine if NetSphere is running on a machine, telnet to port
30100. If you connect, NetSphere will send a banner similar to
the following:
<NetSphere|v1.30|0><Access|1><SysPath|C:\WINDOWS\system><Secure|0><SRes|1024|768|24><Dv|a|2|removable disk><Dv|c|1|fixed disk><Dv|d|1|fixed disk><Dv|e|1|fixed disk><Dv|f|1|fixed disk><Dv|g|3|CD-ROM drive>
If you connect to port 30102, you will see this banner:
220 NetSphere Capture FTP
GateCrasher 1.2 has the standard backdoor features, including
starting and stopping an FTP server on your machine, rebooting
your machine, and chatting with users on the system. GateCrasher
1.2 works on Windows 95, 98, and Windows NT. A 1.1 version of
GateCrasher exists, but no longer works. When this version of the
server tried to install itself, it attempted to connect to an SMTP
server to send an e-mail to the author. Because the server didn't
work, GateCrasher 1.1 never got installed. GateCrasher listens
for connections on port 6969. To determine if a machine is
running GateCrasher, telnet to port 6969 and look for this banner:
GateCrasher v1.2, Server On-Line...
If you type 'gatecrasher;' (no quotes) and press Enter, it will
return 'Access Granted...'.
Portal of Doom (PoD) includes standard backdoor features,
including sending messages, reading files, starting your
screensaver, reassigning your mouse buttons, as well as advanced
features like stealing your dialup passwords. Portal of Doom
works on Windows 95, 98 and NT systems only if your Windows
directory is C:\Windows. If the C:\Windows\System directory does
not exist, PoD will not be able to copy itself into that directory
and will not run. Portal of Doom listens on UDP ports 10067 and
10167. If you send a UDP packet to port 10167 with 3 bytes of
data that are "pod", the server will return: [@]xforce (In this
example, xforce is the name of the currently logged in user).
While the client is connected, the server keeps sending packets
that contain "KeepAliveeeeeeeeee" every 2 seconds. The protocol
used by PoD is similar to the DeepThroat protocols; PoD represents
commands using 2-byte UDP packets.
GirlFriend has standard backdoor features, as well as the ability
to retrieve your passwords. It retrieves passwords by monitoring
the password fields in dialog boxes on your screen and saving
them. GirlFriend only works on Windows 95 and 98. GirlFriend 1.3
and 1.35 use the same protocol. They listen on TCP port 21554.
If you connect to port 21554 and send a TCP packet with 3 bytes
of data that are "ver", the response will be one of the following:
GirlFriend Server 1.35 . Port 21554
or
GirlFriend Server 1.3 . Port 21554
Hack'a'Tack is a backdoor that allows attackers to move and kill
windows on your desktop, open an FTP server on your machine, log
keystrokes, save passwords you type, shut down the machine, and
upload, download, and execute files. Hack'a'Tack only runs on
Windows 95 and 98. Hack'a'Tack uses TCP port 31785 and UDP ports
31789 and 31791. If you connect to TCP port 31785, it will
display a banner such as: hostxforce.org (In this example,
xforce.org is the hostname of the machine).
EvilFTP is a backdoor that just sets up an FTP server on your
machine. The server listens on port 23456, with a username of
'yo' and a password of 'connect'. EvilFTP will run on Windows 95,
98, and Windows NT systems. To determine if EvilFTP is running
on a machine, telnet to port 23456. EvilFTP displays this banner:
200- Welcome To EvilFTP :)
phAse Zero has all of the standard backdoor features, including
the ability to upload and download files to the computer using
FTP, execute programs, delete and move files, and read and write
to the registry. There is also a 'Trash Server' function that
will delete all files from your Windows system directory. phAse
Zero runs on Windows 95, 98, and Windows NT. By default, phAse
Zero listens on port 555. This port can be easily changed with
the server setup program. If you see port 555 or any other
suspicious ports open on your machine, use telnet or netcat to
connect to that port. If phAse Zero is running on that port, you
will see this banner:
phAse Zero server v1.0 by njord of kr0me corp
ExploreZip.worm, also called Worm.ExploreZip, is a malicious
e-mail worm that propagates by replying to any incoming e-mail
Microsoft Outlook receives. If you see a message that has the
following text in the body:
Hi <name>!
I received your email and I shall send you a reply ASAP.
Till then, take a look at the attached zipped docs.
and has an attachment named zipped_files.exe, do not run the
attachment and delete the message immediately. If you run
zipped_files.exe, the worm will begin to propagate itself and
search your hard drive, truncating all files with the extensions
.asm, .c, .cpp, .doc, .ppt, and .xls to zero bytes.
There have been many versions of the SubSeven backdoor released,
and most of them were very buggy until version 1.7 came out. The
latest version is 1.9. This backdoor has been called 'BackDoor-G'
by Network Associates, Inc., when they discovered version 1.7.
SubSeven allows remote attackers to obtain cached passwords, play
sounds, look at a webcam on your system, capture screenshots, and
notify you over IRC or ICQ when someone gets infected. SubSeven
only works on Windows 95 and 98. SubSeven is highly configurable.
You can set a password, change the filename and registry key it
uses, make it use Win.ini or System.ini, and have it notify an
ICQ number, e-mail address, or IRC channel when it is run.
You can also change the icon it uses, and change the port it
listens on. The default TCP port is 1243. SubSeven has four
options for starting the server -- in the Run or RunServices
registry keys in HKLM\Software\Microsoft\Windows\CurrentVersion,
in the Win.ini file, or by a 'less known method'. The 'less known
method' uses the System.ini file, and adds its executable name
to the 'shell=' line in the '[boot]' section of the file. By
default, it will make that line 'shell=Explorer.exe mtmtask.dl',
and copy mtmtask.dl to your Windows system directory. If you
look in System.ini and see anything other than 'Explorer.exe' in
your 'shell=' line, immediately remove anything other than
'Explorer.exe' and delete the extra file from C:\Windows\System.
If you connect to SubSeven's port, you will see a banner similar
to:
connected. time/date: 18:05.19 - June 30, 1999, Wednesday, version: 1.7
SubSeven also listens on port 6776 for the scanning function, and
this port is not configurable. SubSeven also holds TCP port 6711
open. If you see TCP ports 6711 and 6776 open when you do a
'netstat -a', then you probably have SubSeven.
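Every backdoor in this 1999 batch announces itself with a banner or a fixed
reply to a short probe (DeepThroat's "00", PoD's "pod", GirlFriend's "ver",
plain connects for the rest), which is what RealSecure-style detection keys
on. The following is an added example, not ISS code: a probe table built from
the banners quoted above, a classifier that runs over captured replies, and a
probe function for a live host. The replies it is tested against are
constructed from the advisory's banner text; the NetBus 1.x banner from the
earlier section is included so one table covers the TCP banners on this page.

```python
"""Banner fingerprinting for the backdoors described in this advisory.
PROBES maps each name to (transport, default port, probe payload, regex on the
reply) taken from the advisory's banners.  Added example, not ISS/RealSecure
code.  classify() works on a captured reply; probe_host() performs the
exchange against a live host."""
import re
import socket

PROBES = {
    "DeepThroat":     ("udp", 2140,  b"00",  re.compile(rb"My Mouth Is Open")),
    "NetSphere":      ("tcp", 30100, b"",    re.compile(rb"^<NetSphere\|v[\d.]+\|")),
    "NetSphere FTP":  ("tcp", 30102, b"",    re.compile(rb"^220 NetSphere Capture FTP")),
    "GateCrasher":    ("tcp", 6969,  b"",    re.compile(rb"^GateCrasher v[\d.]+, Server On-Line")),
    "Portal of Doom": ("udp", 10167, b"pod", re.compile(rb"^\[@\]")),
    "GirlFriend":     ("tcp", 21554, b"ver", re.compile(rb"^GirlFriend Server [\d.]+ \. Port 21554")),
    "Hack'a'Tack":    ("tcp", 31785, b"",    re.compile(rb"^host\S+\.\S+")),
    "EvilFTP":        ("tcp", 23456, b"",    re.compile(rb"^200- Welcome To EvilFTP")),
    "phAse Zero":     ("tcp", 555,   b"",    re.compile(rb"^phAse Zero server v[\d.]+")),
    "SubSeven":       ("tcp", 1243,  b"",    re.compile(rb"^connected\. time/date:.*version: [\d.]+")),
    "NetBus 1.x":     ("tcp", 12345, b"",    re.compile(rb"^NetBus \d\.\d\d")),
}

def classify(reply):
    """Names of every backdoor whose banner regex matches the reply."""
    return [name for name, (_, _, _, rx) in PROBES.items() if rx.search(reply)]

def deepthroat_version(reply):
    """DeepThroat v1 carries no version tag; v2/v3 end in '(v2)' / '(v3.0)'."""
    m = re.search(rb"\(v([\d.]+)\)\s*$", reply)
    return m.group(1).decode() if m else "1"

def probe_host(host, name, port=None, timeout=3.0):
    """Send the probe for `name` to host (default port unless overridden, since
    several servers are re-portable) and return the raw reply, b'' on silence."""
    transport, default_port, payload, _ = PROBES[name]
    port = port or default_port
    kind = socket.SOCK_DGRAM if transport == "udp" else socket.SOCK_STREAM
    s = socket.socket(socket.AF_INET, kind)
    s.settimeout(timeout)
    try:
        if transport == "udp":
            s.sendto(payload, (host, port))
            return s.recvfrom(2048)[0]
        s.connect((host, port))
        if payload:
            s.sendall(payload)
        return s.recv(2048)
    except OSError:            # timeout, refused, unreachable
        return b""
    finally:
        s.close()

if __name__ == "__main__":
    sample = b"ISS X-Force - Ahhhhh My Mouth Is Open (v3.0)"   # constructed
    print(classify(sample), "version", deepthroat_version(sample))
```

Because phAse Zero, SubSeven and NetBus 2.0 can be moved off their default
ports, the practical loop is: take every listening port from 'netstat -an',
run the TCP probes against each unexplained one, and classify what comes
back, rather than trusting the port number alone.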
SOLUTION
BO can be removed by deleting the server and removing its registry
entry. If possible, you should back up all user data, format your
hard drive, and reinstall all operating systems and software on
the infected machine. Bear in mind that if someone has installed
BO on your machine, it is most likely part of a larger security
breach. You should act according to your site security policy.
There are two ways to remove NetBus, depending on which version is
installed:
- For versions 1.5x, the instructions to remove NetBus are
located at http://members.spree.com/NetBus/remove_1.html
- For version 1.6, the removal instructions are at
http://members.spree.com/NetBus/remove_2.html. You can
remove any installation of NetBus 1.6 by telneting to the
machine at port 12345, typing 'Password;1;', pressing enter,
typing 'RemoveServer;1', and pressing enter. You will be
disconnected, NetBus will be disabled and will no longer run at
startup. You will have to delete Patch.exe from your Windows
directory if you want to completely remove NetBus. This
procedure works even if there is a password set, however it
doesn't work with the 1.5x versions.
Determining the password and configuration of an installed BO:
1. Using a text editor such as notepad, view the server exe
file.
2. If the last line of the file is
'88$8(8,8084888<8@8D8H8L8P8T8X8\8'8d8h8l8', then the server
is using the default configuration. Otherwise, the
configuration will be present on the last several lines of
this file, in this order:
<filename>
<service description>
<port number>
<password>
<optional plugin information>
Using NukeNabber from http://www.dynamsol.com/puppet/ , you can
at least protect your own machine against all these attacks. It
blocks the nukes (after you've patched your machine) and allows
other IP ports to be monitored as well. If you have the netbus
server installed you will not get a connection to it. You will
also see if somebody is scanning the network with netbus. (or at
least scanning your machine....) And you'll see the attackers IP
address! This new version (version 2.9 I believe ..) also has
whois and finger tools to find out more about your attacker.
If you find yourself infected with the Picture.exe trojan or the
Caligula macro virus, you should run an anti-virus program to get
rid of it.
To remove DeepThroat v1.0 from your computer, use Regedit to find
the value named "SystemDLL32" in
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
The value's data is the path of the file. Windows 95 or 98 users
should remember the file's path and boot your machine into MS-DOS
mode. Windows NT users can kill the process with Task Manager.
Either from MS-DOS (Windows 95 or 98 users) or Windows NT, delete
the file that appears in the registry value. If you are using
Windows 95 or 98, reboot into Windows and delete the value from
the registry. For DeepThroat versions 2 and 3, the registry value
is named "Systemtray". The data is the path to the DeepThroat 2
or 3 executable file.
To remove NetSphere from your computer, telnet to port 30100 and
type '<KillServer>' (with no quotes) and press Enter. You will be
disconnected, and the server will no longer be installed on the
target machine. Another way to detect NetSphere is by looking in
the registry. If you find a value in the key
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
named "NSSX" that has the data "C:\Windows\System\nssx.exe", then
you have NetSphere on your machine. From Windows 95 or 98, you
can either reboot into DOS mode, delete
C:\windows\system\nssx.exe, and reboot into Windows to remove the
value from the registry, or just use the telnet procedure
described earlier in this section to remove the server. In
Windows NT, you can kill the process with Task Manager, then
delete the file and remove the value from the registry.
Once you have authenticated to GateCrasher with 'gatecrasher;' as
described above, typing 'uninstall;' and pressing Enter will
uninstall the GateCrasher server. The server is still running, but
you can kill it by typing 'end;' and pressing Enter. Another way to
detect GateCrasher is by looking in the registry. Go to the
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
registry key and look for the value named "Command" pointing to
"C:\Windows\System.exe". Windows 95 and 98 users should either
boot to DOS and remove the C:\Windows\system.exe file, then reboot
to Windows to remove the registry value, or just use the telnet
uninstall method described earlier in this section. In Windows
NT, you can kill the process with Task Manager, then delete the
file and remove the registry entry. See below for more information
on using Regedit.
If you are infected with the Portal of Doom backdoor, open the
registry to
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
and look for the value named "String" with the data
"c:\windows\system\ljsgz.exe". Boot into DOS mode and delete the
c:\windows\system\ljsgz.exe file, then boot into Windows and
delete the "String" value from the registry. If you are running
Windows NT and are infected, you can kill the process with Task
Manager, and then remove the "String" registry value.
To remove GirlFriend from your machine, open regedit to
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
and look for a value named "Windll.exe" with the data
"c:\windows\windll.exe". Reboot to DOS and delete the
C:\windows\windll.exe file, then boot to Windows and remove the
"Windll.exe" registry value. See below for more information on
using Regedit.
If you see TCP port 31785 and UDP ports 31789 and 31791 open when
you run 'netstat -a', then you probably have Hack'a'Tack on your
machine. To remove it, open Regedit to the
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
registry key and look for a value named "Explorer32" with the data
"C:\windows\Expl32.exe". Boot to DOS and delete the
C:\Windows\Expl32.exe file, then reboot into Windows and delete
the "Explorer32" registry value.
To remove EvilFtp backdoor on Windows 95 and 98, delete the line
"Run=C:\Windows\System\msrun.exe" from C:\Windows\Win.ini and
delete the C:\Windows\System\msrun.exe file. To remove EvilFTP
from a Windows NT system, you will have to open Regedit to the
key HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows,
and look for a value named "Run". If the data value is
"C:\Winnt\System32\msrun.exe", delete the value, then delete the
C:\Winnt\System32\msrun.exe file.
The registry value used by phAse Zero to start at boot is also
easily configurable, but it is always in
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
The default name is "MsgServ" and the value is "msgsvr32.exe". If
you see any suspicious files in the Run key, locate the file
mentioned (either in C:\Windows or C:\Windows\System in Windows
95 and 98, or C:\Winnt or C:\Winnt\System32 on Windows NT) and
open it in Notepad. Search for the text "phAse Zero". If you
find this text in the executable, then your system is infected
with the phAse Zero backdoor and you should delete that file and
delete the registry value from the registry.
To detect and remove Explore.Zip.worm from your computer, use an
up-to-date virus scanner.
Since it is so highly configurable and difficult to detect in the
registry, the easiest method to remove SubSeven is to use an
up-to-date virus scanner. Most newer virus scanners will detect
and remove SubSeven.