tlfaq.htm

Posted May 15, 2000
Authored by Int 13h | Site TLSecurity.net

FAQ on removing many different trojans. Updated frequently.

tags | trojan
MD5 | 35f0e341307ff5f0f9e77b61902fd98c

<!-- X-URL: http://www.tlsecurity.net/tlfaq.htm -->
<!-- Date: Mon, 15 May 2000 20:26:53 GMT -->
<BASE HREF="http://www.tlsecurity.net/tlfaq.htm">
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">

<html><head><META NAME="OWNER" CONTENT="int_13h@trojanslair.com"><META NAME="AUTHOR" CONTENT="Int_13h"><META HTTP-EQUIV="CHARSET" CONTENT="ISO-8859-1"><META HTTP-EQUIV="CONTENT-LANGUAGE" CONTENT="English"><META NAME="RATING" CONTENT="General"><META NAME="REVISIT-AFTER" CONTENT="30 days"><META NAME="ROBOTS" CONTENT="ALL"><title>TL Security Trojan Removal Database</title><meta name="keywords" content="Security, download, NT, windows, tool-free, free, toll, mp3, trojanz, BO, Netbus, netbus, remote, script, scripts, trojan, ports, mirc, Wincrash, Utlor, cleaner, spoof, exploit, virus, backdoor, backdoorG, backdoor-G, ports, info, hack, trojans, masterparadise, socket23, socket25, netbus, hacking, hackers, microsoft, cleaner, Information, removal, downloads, deepthroat, netcat, portsniffer,Deep Throat"><meta name="description" content="All you wanted to know about Trojans and you would never dare asking. We are Back !! One of the oldest Trojan information ressource is back on the Net."><meta name="GENERATOR" content="Dreamweaver"><body bgcolor="000000" text="#FFFFFF" link="#FFFFCC" vlink="#FFFFCC" alink="#FFFFCC"><table BORDER="0" CELLSPACING="0" CELLPADDING="0" WIDTH="100%"><tr>
<td VALIGN="top" WIDTH="623" BGCOLOR="#000000" height="18790">
<div align="left"> <div align="center">
<p align="right"><font face="Verdana" size="6"><b><i><img src="http://www.tlsecurity.net/titletrojans.gif" width="544" height="68"></i></b></font></p>
</div>
<p>
<table width="75%" border="0" cellspacing="1" cellpadding="1" align="center">
<tr>
<td height="23" bgcolor="#666666" colspan="2">
<div align="center"><font size="2" face="Verdana"><a href="http://www.TLSecurity.net">TLSecurity</a>
-> Removal Database</font></div>
</td>
</tr>
<tr bgcolor="#333333">
<td height="107" colspan="2">
<p align="center"><font face="Verdana" size="1">This database is
constantly updated.</font></p>
<p align="center"><font face="Verdana" size="1">To search this document,
press CTRL+F and enter file names or keywords. If any of your files looks
suspicious, enter the filename and search this document; you may
be infected with a Trojan/Backdoor. <a href="http://www.TLSecurity.net">TLSecurity</a>
</font></p>
</td>
</tr>
<tr>
<td height="4" bgcolor="#000000" width="49%">&nbsp;</td>
<td height="4" bgcolor="#666666" width="51%">
<div align="right"><font face="Verdana, Arial, Helvetica, sans-serif" size="1">Last
Update : 14/05/00</font></div>
</td>
</tr>
</table>
<p>
<p><font face="Verdana" size="2"><br><br> *<font color="#FFFF66"> Updated 18-02-99</font><br><br></font></p><blockquote><font face="Verdana" size="2">->added Icq Trojen<br> ->added more info over GateCrasher <br></font></blockquote><font face="Verdana" size="2">* <font color="#FFFF66">Updated 28-02-99</font><br><br></font> <blockquote><font face="Verdana" size="2">->added Priority Trojan BETA (released 28-02-99)<br> ->added DeepBO<br> ->added Gjamer </font></blockquote><font face="Verdana" size="2">* <font color="#FFFF66">BIG update 01-03-99</font></font> <blockquote><font face="Verdana" size="2"><br> ->Wincrasher Details added<br> ->New Master of Paradise variant<br> ->Control du Socket (older version)<br> ->Added Voodoo<br> ->New Info and Modified Server of the Icq Trojen<br> ->Added Evil Ftp<br> ->Added NetSpy<br> ->Added ShockWave<br> ->Added <br></font></blockquote>
<font face="Verdana" size="2" color="#FFFF66">* update 30-04-99</font>
<blockquote><font face="Verdana" size="2">->Added NCW<br> ->Added Shadow Phyre</font></blockquote>
<font face="Verdana" size="2" color="#FFFF66">* update 05-10-99</font>
<blockquote><font face="Verdana" size="2">->Added Tiny Telnet Server</font><br> -><font face="Verdana" size="2">Added Kuang<br> ->Added Netpshere<br> ->Added FakeVirii</font></blockquote>
<p><font face="Verdana" size="2" color="#FFFF66">* update 05-11-99</font></p>
<blockquote> <p>-><font face="Verdana" size="2">Added Satans Back Door</font></p></blockquote><p><font face="Verdana" size="2" color="#FFFF33">* update 05-12-99</font></p><blockquote>
<p><font face="Verdana" size="2" color="#FFFFFF">->added Indoctrination</font></p>
</blockquote><p><font face="Verdana" size="2" color="#FFFF33">* update 05-19-99</font></p>
<blockquote><font face="Verdana" size="2" color="#FFFFFF">->added JammerKillah12<br>
</font><font face="Verdana" size="2" color="#FFFFFF">->added AolTrojan</font></blockquote>
<p><font face="Verdana" size="2" color="#FFFF33">* update 05-22-99</font></p>
<blockquote>
<p><font face="Verdana" size="2" color="#FFFFFF">->added Hack'a'tack</font></p>
</blockquote>
<p><font face="Verdana" size="2" color="#FFFF33">* update 05-23-99</font></p>
<blockquote> <p><font size="2" face="Verdana">->added The Unexplained</font></p></blockquote>
<p><font face="Verdana" size="2" color="#FFFF33">* update 05-28-99</font></p>
<blockquote> <p><font size="2" face="Verdana">->added Bla</font></p></blockquote>
<p><font face="Verdana" size="2" color="#FFFF33">* update 06-02-99</font></p>
<blockquote> <p><font size="2" face="Verdana">->added Progenic Trojan Beta1<br></font><font size="2" face="Verdana">->added Progenic Trojan Beta2</font></p></blockquote><p><font size="2" face="Verdana" color="#FFFF00">* update 06-08-99</font></p><blockquote><pre><font face="Verdana" size="2">->added Hack'a'ttack1.12
->added Bla1.1
->added HVL RAT. 5.3.0
->added BackConstruction 1.2
</font></pre> </blockquote><p><font size="2" face="Verdana" color="#FFFF00">* update 06-12</font><font size="2" face="Verdana" color="#FFFF00">-99</font></p><blockquote><pre><font face="Verdana" size="2">->added Kuang (all)</font>
-><font face="Verdana" size="2">added Frenzy 1.01
->Kuang2 The Virus
</font></pre> </blockquote><p><font size="2" face="Verdana" color="#FFFF00">* update 06-22</font><font size="2" face="Verdana" color="#FFFF00">-99</font></p><blockquote><font face="Verdana" size="2">->added Netsphere Final<br> ->added Schwindler 1.82</font></blockquote><p><font size="2" face="Verdana" color="#FFFF00">* update 06-26</font><font size="2" face="Verdana" color="#FFFF00">-99</font></p><blockquote> <p><font face="Verdana" size="2">->added Subseven 1.9<br> ->added BackConstruction 2.1</font></p></blockquote></div><div align="left"><font face="Verdana" size="2"><b><font size="2" face="Verdana" color="#FFFF00">* update 08-01</font><font size="2" face="Verdana" color="#FFFF00">-99</font></b></font></div><blockquote> <div align="left"> <p><font face="Verdana" size="2">->added Vampire</font></p></div></blockquote><div align="left"> <p><font face="Verdana" size="2"><b><font size="2" face="Verdana" color="#FFFF00">* update 08-06</font><font size="2" face="Verdana" color="#FFFF00">-99</font></b></font></p></div><blockquote> <div align="left"> <p><font face="Verdana" size="2">->added Trojan Spirit 2001 a</font></p></div></blockquote><div align="left"> <div align="left"> <p><font face="Verdana" size="2"><b><font size="2" face="Verdana" color="#FFFF00">* update 08-08</font><font size="2" face="Verdana" color="#FFFF00">-99</font></b></font></p></div><blockquote> <div align="left"> <p><font face="Verdana" size="2">->added Maverick'ss Matrix</font></p></div></blockquote></div><div align="left"> <div align="left"> <p><font face="Verdana" size="2"><b><font size="2" face="Verdana" color="#FFFF00">* update 11-08</font><font size="2" face="Verdana" color="#FFFF00">-99</font></b></font></p></div><blockquote> <div align="left"> <p><font face="Verdana" size="2">->added Total Eclypse </font></p></div></blockquote><div align="left"> <p><font face="Verdana" size="2"><b><font size="2" face="Verdana" color="#FFFF00">* update 13-08</font><font size="2" face="Verdana" 
color="#FFFF00">-99</font></b></font></p></div><blockquote> <div align="left"> <p><font face="Verdana" size="2">->added Kuang2 loggerAS </font></p></div></blockquote><div align="left"> <p><font face="Verdana" size="2"><b><font size="2" face="Verdana" color="#FFFF00">* update 30-08</font><font size="2" face="Verdana" color="#FFFF00">-99</font></b></font></p></div><blockquote> <div align="left"> <div align="left"><font face="Verdana" size="2">->added Vampire 1.2<br> ->added BoBo 1.0</font></div></div><div align="left"> <p>&nbsp;</p></div></blockquote><div align="left"> <p><font face="Verdana" size="2"><b><font size="2" face="Verdana" color="#FFFF00">* update 07-09</font><font size="2" face="Verdana" color="#FFFF00">-99</font></b></font></p></div><blockquote> <div align="left"> <div align="left"><font face="Verdana" size="2">->added Deep Throat 3.1 </font></div></div><div align="left"> <p>&nbsp;</p></div></blockquote><div align="left"> <p><font face="Verdana" size="2"><b><font size="2" face="Verdana" color="#FFFF00">* update 08-09</font><font size="2" face="Verdana" color="#FFFF00">-99</font></b></font></p></div><blockquote> <div align="left"> <div align="left"> <p><font face="Verdana" size="2">->added TrojanSpirit 1.2</font></p><div align="left"> <p>&nbsp;</p></div>
</div>
</div></blockquote></div>
<div align="left"> <div align="left"> <p><font face="Verdana" size="2"><b><font size="2" face="Verdana" color="#FFFF00">* update 10-09</font><font size="2" face="Verdana" color="#FFFF00">-99</font></b></font></p></div><blockquote> <div align="left"> <div align="left"><font face="Verdana" size="2">->added Eclipse 2000</font></div></div></blockquote><div align="left"> <blockquote> <div align="left"> <div align="left"> <div align="left"> <p>&nbsp;</p></div>
</div>
</div></blockquote></div>
<div align="left"> <div align="left"> <p><font face="Verdana" size="2"><b><font size="2" face="Verdana" color="#FFFF00">* update 18-09</font><font size="2" face="Verdana" color="#FFFF00">-99</font></b></font></p></div><blockquote> <div align="left"> <div align="left"> <p><font face="Verdana" size="2">->added Incommand 1.0</font></p><p>&nbsp;</p></div></div></blockquote></div>
<div align="left"> <div align="left"> <p><font face="Verdana" size="2"><b><font size="2" face="Verdana" color="#FFFF00">* update 29-09</font><font size="2" face="Verdana" color="#FFFF00">-99</font></b></font></p></div><blockquote> <div align="left"> <div align="left"> <p><font face="Verdana" size="2">-> added Schoolbus 1.6<br> -> added Logged!<br> -> added Brainspy<br> -> added Xplorer<br> -> added IRC3</font></p></div></div></blockquote></div>
<div align="left"> <div align="left"> <p><font face="Verdana" size="2"><b><font size="2" face="Verdana" color="#FFFF00">* update 29-09</font><font size="2" face="Verdana" color="#FFFF00">-99</font></b></font></p></div><blockquote> <div align="left"> <div align="left"> <p><font face="Verdana" size="2">-> added OnlineKeylogger </font></p></div></div></blockquote></div>
<div align="left"> <div align="left"> <p><font face="Verdana" size="2"><b><font size="2" face="Verdana" color="#FFFF00">* update 30-10</font><font size="2" face="Verdana" color="#FFFF00">-99</font></b></font></p></div><blockquote> <div align="left"> <div align="left"> <p><font face="Verdana" size="2">-> added Transcout 1.1 + 1.2<br> -> added Schoolbus 2.0</font></p></div></div></blockquote></div>
<div align="left"> <div align="left"> <p><font face="Verdana" size="2"><b><font size="2" face="Verdana" color="#FFFF00">* update 13-11</font><font size="2" face="Verdana" color="#FFFF00">-99</font></b></font></p></div><blockquote> <div align="left"> <div align="left"> <p><font face="Verdana" size="2">-> added Ambush<br> -> added DerSpaeher</font></p></div></div></blockquote></div> <div align="left"><p><font face="Verdana" size="2"><b><font size="2" face="Verdana" color="#FFFF00">* update 07-12</font><font size="2" face="Verdana" color="#FFFF00">-99</font></b></font></p></div><blockquote> <div align="left"> <div align="left"> <p><font face="Verdana" size="2">-> added The Prayer 1.2 + 1.3<br></font></p></div></div></blockquote><div align="left"><p><font face="Verdana" size="2"><b><font size="2" face="Verdana" color="#FFFF00">* update 21-12</font><font size="2" face="Verdana" color="#FFFF00">-99</font></b></font></p></div><blockquote> <div align="left"> <div align="left"> <p><font face="Verdana" size="2">-> added Netraider<br> -> added Subseven 2.x<br> -> added YAT</font></p></div></div></blockquote>
<div align="left">
<p><font face="Verdana" size="2"><b><font size="2" face="Verdana" color="#FFFF00">*
update 25-12</font><font size="2" face="Verdana" color="#FFFF00">-99</font></b></font></p>
</div>
<blockquote>
<div align="left">
<div align="left">
<p><font face="Verdana" size="2">-> added Incommand 1.3<br>
</font></p>
</div>
</div>
</blockquote>
<div align="left">
<p><font face="Verdana" size="2"><b><font size="2" face="Verdana" color="#FFFF00">*
update 10-01</font><font size="2" face="Verdana" color="#FFFF00">-00</font></b></font></p>
</div>
<blockquote>
<div align="left">
<div align="left">
<p><font face="Verdana" size="2">-> added Barock<br>
</font></p>
</div>
</div>
</blockquote>
<div align="left">
<p><font face="Verdana" size="2"><b><font size="2" face="Verdana" color="#FFFF00">*
update 5-09</font><font size="2" face="Verdana" color="#FFFF00">-00</font></b></font></p>
</div>
<blockquote>
<div align="left">
<div align="left">
<p><font face="Verdana" size="2">-> added Net Control<br>
-> added Intruse Pack 1.27b</font></p>
</div>
</div>
</blockquote>
<div align="left">
<p><font face="Verdana" size="2"><b><font size="2" face="Verdana" color="#FFFF00">*
update 5-12</font><font size="2" face="Verdana" color="#FFFF00">-00</font></b></font></p>
</div>
<blockquote>
<div align="left">
<div align="left">
<p><font face="Verdana" size="2">-> added Snid X2<br>
</font></p>
</div>
</div>
</blockquote>
<div align="left">
<p><font face="Verdana" size="2"><b><font size="2" face="Verdana" color="#FFFF00">*
update 5-14</font><font size="2" face="Verdana" color="#FFFF00">-00</font></b></font></p>
</div>
<blockquote>
<div align="left">
<div align="left">
<p><font face="Verdana" size="2">-> added Prosiak 0.70 Beta<br>
-> added Freak 88</font></p>
</div>
</div>
</blockquote>
<p>&nbsp;</p>
<p>&nbsp;</p>
<p><font face="Verdana" size="2"><b><font size="3" color="#FFFF66">TOC</font></b><br>
<br>
<br>
<a href="#hints">Removal Instructions</a><br>
<a href="#url">Useful URLs </a><br>
</font><font face="Verdana" size="2"> <br>
<br>
* <font color="#FFFF66">Socket de Troie</font></font></p>
</div>
<div align="left"><font face="Verdana" size="2"> ->People infected by this are somewhat fucked up, because it also carries Script.ini (worm)<br> The Trojan is actually also a virus: it infects all EXEs on the hard drive, making it nearly impossible to remove without AV software. </font></div><div align="left"><font face="Verdana" size="2"><br>
*<font color="#FFFF66">Netbus 1.6 + 1.7</font><br>
</font></div>
<div align="left"><font face="Verdana" size="2">->Netbus 1.6's password
is breakable: the script will change the password to Letmein, so you can connect
and remove the trojan from the victim.<br>
BTW the port in NB 1.7 isn't always the same and can be changed.<br>
</font></div><div align="left"><font face="Verdana" size="2"><br> * <font color="#FFFF66">Rare version of Netbus 2 pro</font></font> </div><div align="left"><font face="Verdana" size="2"><br> ->Netbus 2 Pro is not as easy to set up as 1.6 or 1.7 was, so someone made an installation<br> program that sets it up autostarting AND running invisibly. Runs on a specific port.<br><br></font></div><div align="left"><font face="Verdana" size="2"><br> <a name="hints"></a></font></div><blockquote> <div align="left"><font face="Verdana" size="2">1.4 Removal Instructions AND Hints<br><br><br> *<font color="#FFFF66"> Master of Paradise (recognized by AVP) Not the modified version</font><br><br> ->Does not restart automatically.<br><br></font></div><div align="left"><font face="Verdana" size="2">*The original server puts a neat icon in the tray, while the modified version puts</font><font face="Verdana" size="2"><br> a NULL icon in the tray, which means it looks like a space between the original <br> icons and the time/day. The Trojan also spoofs the Date and Time options, so it doesn't<br> look suspicious.<br><br></font><font face="Verdana" size="2">*Original server EXE is exactly 327.680 bytes.<br> *Modified server EXE is exactly 192.000 bytes. 
(Note: the icon is blank, like Boserve.exe)<br><br></font></div><div align="left"><font face="Verdana" size="2"><br> * <font color="#FFFF66">Back Orifice (recognized by AVP)</font><font color="#FFFFCC"><br></font><br> ->The father of all GUI Trojans. Usually the key is:<br></font></div><div align="left"><font face="Verdana" size="2">1)<i><font color="#33CCFF">HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run</font></i><br> -><i><font color="#33CCFF"> Standard Value .exe </font></i>*There is a space before the .exe<br></font><font face="Verdana" size="2">2)When used with SilkRope the key is something like<br><i><font color="#00CCFF">HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run</font></i><br> -><i><font color="#33CCFF"> 412124.TMP Value=412124.TMP</font></i> *Weird numbers with the ending TMP.<br></font><font face="Verdana" size="2">* Original Boserve.exe is exactly <i>124.928 Bytes</i><br> With the BT plugin it is something around <i>193.149 Bytes</i><br> The crypted version called Infector is <i>184.832 Bytes</i><br> Size may vary due to the many plugins<br></font></div><div align="left"><font face="Verdana" size="2"> * <font color="#FFFF66">Deep Throat 2 (recognized by AVP)</font><br><br></font></div><div align="left"><font face="Verdana" size="2">-><i><font color="#66CCFF">HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run</font></i><br><font color="#66CCFF"><i>Sytemtray Value c:\windows\systray.exe</i></font> *Can be renamed.<br></font><font face="Verdana" size="2">-> Not as easy to remove, because it checks if the key exists in the registry and if not adds<br> it again, so simply removing the key won't work. --> 3 possibilities<br>
<br>
</font></div><div align="left"><font face="Verdana" size="2">1)Restart or quit and enter DOS and simply delete the file c:\windows\systray.exe<br> (The original systray.exe is in <i><font color="#66CCFF">C:\windows\system\systray.exe</font></i>)<br></font></div>
<div align="left"><font face="Verdana" size="2"><br>
2)Use programs able to KILL programs in memory like CCTASK (URL below)<br>
And then simply delete the systray.exe in c:\windows<br></font></div>
<div align="left"><font face="Verdana" size="2"><br>
3)Go to <a href="http://www.dark-e.com">http://www.dark-e.com</a> and
download the DT2 Remover<br>
</font><font face="Verdana" size="2"><br><br></font></div><div align="left"><font face="Verdana" size="2"><br> * <font color="#FFFF66">Netbus Pro 2 + Beta + Netrex (recognized by AVP except Netrex)<br></font><br></font></div><div align="left"><font face="Verdana" size="2">->Netbus Pro 2 is the author's attempt to turn this former Trojan into a shareware remote <br> control program. Either way, there are versions out which run invisibly to the user.<br> The standard key is as always. There are 2 versions out (that I know of): </font></div><div align="left"><font face="Verdana" size="2">1) Original NetbusPro 2 + Beta<br> -><b><i><font color="#66CCFF">HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run</font></i></b><br> NameoftheEXE Value c:\windows\nameofthe.exe *Can be renamed.<br><br> To identify whether it really is NetbusPro which is running: <br> -><i><b><font color="#66CCFF">HKEY_CURRENT_USER\NetBus </font></b></i><br> -><b><i><font color="#66CCFF">HKEY_CURRENT_USER\NetBus Server\General</font></i></b><br> ->Accept Value = 1*<br> ->AccesMode Value = 2*<br> ->Autostart Value = 1*<br> ->TCPPort Value = 20340*<br> ->Visibility Value = 3* </font></div><div align="left"><font face="Verdana" size="2">*<font color="#FFFF00">These are all standard keys and may vary</font><br><br> -><i><font color="#66CCFF">HKEY_CURRENT_USER\NetBus Server\Protection</font></i><br> ->Password Value = A *<br><br> *Password is encrypted and A stands for NO password<br><br> Nbsvr.exe has exactly 612.966 Bytes<br><br> 2)<font color="#FFFF00"> The version called Netrex</font></font><font face="Verdana" size="2"><br> ->Someone disassembled the file and recompiled it<br><br> To identify whether it really is NetRex which is running: <br><br> -><i><font color="#66CCFF">HKEY_CURRENT_USER\NetRex </font></i><br> -><i><font color="#66CCFF">HKEY_CURRENT_USER\NetRex Server\General</font></i><br> ->Accept Value = 1*<br> ->AccesMode Value = 2*<br> ->Autostart Value = 1*<br> 
->TCPPort Value = 20340*<br> ->Visibility Value = 3*<br><br> *These are all standard keys and may vary<br><br> -><i><font color="#66CCFF">HKEY_CURRENT_USER\NetRex Server\Protection</font></i><br> ->Password Value = A *<br><br> *Password is encrypted and A stands for NO password<br><br> Nrsvr.exe has exactly 326.144 Bytes <br><br> *<font color="#FFFF33">HINT</font>* NetbusPro AND Netrex both write logs of ALL connections to a file called<br> Log.txt in the same directory as the server is installed, usually C:\windows. <br> But as always there may be versions which <b>DO NOT</b> write the log.<br><br></font></div><div align="left"><font face="Verdana" size="2">* <font color="#FFFF66">Wincrash (<b>old version</b>)<br></font></font></div><div align="left"><font face="Verdana" size="2">->Seems not to restart, thus should be rare<br><br> *Original server EXE size is exactly 182.227 Bytes<br> *Supplements to the server EXE, but not needed, are:<br> Win32cfg.exe exactly 4.128 Bytes<br> cfg95.exe has exactly 79.242 Bytes<br><br></font></div><div align="left"><font face="Verdana" size="2">* <font color="#FFFF66">Millenium (recognized by AVP)</font><br><br></font></div><div align="left"><font face="Verdana" size="2">->That's a little bastard.<br> When installing, a little message box pops up saying &lt;&lt;wait while your system is being updated&gt;</font><font face="Verdana" size="2"><i><b>The System is being updated</b></i>&gt;.</font><font face="Verdana" size="2"><br> It copies itself into the <i><b><font color="#99CCFF">c:\windows\system</font></b></i> directory with the name reg666.exe<br> AND to <i><b><font color="#66CCFF">C:\WINDOWS\SYSTEM\regersys.ocx.</font></b></i><br> The keys are:<br> *<i><b>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run</b></i><br> Millenium Value=reg666.exe<br> *<b>AND</b> in win.ini it adds <i><b><font color="#66CCFF">run=C:\windows\system\reg666.exe</font></b></i><br><br> Removing is a little bit difficult because this trojan has some neat 
self-check<br> routine: if you remove the key in the registry it adds it again, if you remove <br> the win.ini key it adds the key again, and this tricky thing also has a backup<br> in regersys.ocx which it renames back to reg666.exe.<br> You see it's quite difficult if you don't know DOS. -> 2 possibilities<br><br> 1)Restart or quit and enter DOS and simply delete the file c:\windows\reg666.exe<br> AND regersys.ocx (The names are always the same)<br></font><font face="Verdana" size="2"><br> 2)Use programs able to KILL programs in memory like CCTASK (URL below)<br> And then simply delete the <font color="#66CCFF"><i>reg666.exe</i></font> from <font color="#33CCFF"><i>c:\windows\system</i></font><i> </i>and don't forget<br> to delete the <font color="#66CCFF"><i>c:\windows\system\regersys.ocx</i></font><br><br> * The exact size of reg666.exe is 48.128 Bytes <br></font></div><div align="left"><font face="Verdana" size="2"><br> *<font color="#FFFF66">Gate Crasher</font><br><br></font></div><div align="left"><font face="Verdana" size="2">->This one is different from 2 points of view <br></font><font face="Verdana" size="2">1)Needs 2 files: one named port.dat (always), accompanied by an EXE OR a DOC<br><i>YES</i> this one can infect using a Word macro.<br> The Word macro contains the words &gt;&gt;<i><font color="#66CCFF">This file once opened checks to see.<br> if you have the latest version of winsck.ocx and you have so no updates <br> are available</font></i>&lt;&lt; ->Nice spelling<br><br> 2)It doesn't open the ports immediately; it monitors the DUN (Dial Up Network)<br> If it's active it opens its ports. 
So it isn't detectable upon start<br> Actually it's a fake port watcher.<br><br> *<i><b>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run </b></i><br><i><b><font color="#66CCFF">Explorer Value=EXPLORE.exe</font></b></i><br><br><br><br> *Original Explore.exe size is exactly 94.208 Bytes, which actually is Port.dat<br> Port.dat size is exactly 94.208 Bytes<br> Port.exe size is exactly 40.960 Bytes (Infector comes with port.dat)<br> Port.doc size is exactly 39.424 Bytes (Infector comes with port.dat)<br> ->Shows the name FullBrock (author's name ?)<br></font></div><div align="left"><font face="Verdana" size="2"><br> *<font color="#FFFF66">Socket de Troie (recognized by AVP)</font><br></font></div><div align="left"><font face="Verdana" size="2">-> In one word: "<font color="#66CCFF"><b>USE AVP</b></font>"<br><br><br></font></div><div align="left"><font face="Verdana" size="2">*<font color="#FFFF66">Net Monitor </font>(<b>old version</b>) <br><br></font></div><div align="left"><font face="Verdana" size="2">->Rare Chinese Trojan (The readme is a must see :)<br> Trojan doesn't restart. Only runs once<br><br> Spy Server exe has exactly 30.720 Bytes <br><br></font></div><div align="left"><font face="Verdana" size="2">* <font color="#FFFF66">Devil 1.x</font><br></font></div><div align="left"><font face="Verdana" size="2">->French Trojan</font><font face="Verdana" size="2"><br> Trojan doesn't restart. 
Only runs if the program is executed<br><br> Comes with a lot of fake apps but none of them runs the original<br> program.<br><br></font><font face="Verdana" size="2"> Icqflood.exe has exactly 24.576 Bytes<br> Opscript.exe has exactly 61.952 Bytes<br> Socket.exe has exactly 355.840 Bytes<br> winamp34.exe has exactly 690.688 Bytes<br> Wingenocide.exe has exactly 67.584 Bytes<br> Winrar.exe has exactly 687.616 Bytes<br></font></div> <div align="left"><font face="Verdana" size="2"><br> * <font color="#FFFF66">GirlFriend (recognized by AVP)</font><br><br></font></div><div align="left"><font face="Verdana" size="2">->Russian Trojan<br><font color="#66CCFF">HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run</font><br> Windll Value <i><font color="#66CCFF">c:\windows\windll.exe</font></i> *Could be renamed.<br><br> 1)Restart or quit and enter DOS and simply delete the file <font color="#33CCFF"><i>c:\windows\windll.exe</i></font><br><br> 2)Use programs able to KILL programs in memory like CCTASK (URL below 1.4)<br> And then simply delete the windll.exe in c:\windows<br><br> *Hint* This Trojan specialises in stealing passwords. 
The victim should<br> change ALL passwords.<br><br> windll.exe has exactly 309.248 Bytes<br> windll.exe has exactly 189.196 Bytes (there are 2)<br><br></font></div><div align="left"><font face="Verdana" size="2">* <font color="#FFFF66">Netbus 1.6 + 1.7 (recognized by AVP)</font><br><br></font></div><div align="left"><font face="Verdana" size="2">->The Trojan for the kiddies<br><font color="#66CCFF"><i>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run</i></font><br><i><font color="#66CCFF">Patch Value c:\windows\patch.exe</font></i> *Could be renamed.<br><br> 1)Restart or quit and enter DOS and simply delete the file c:\windows\patch.exe<br><br> 2)Use programs able to KILL programs in memory like CCTASK (URL below 1.4)<br> And then simply delete the patch.exe in c:\windows<br><br> *<font color="#FFFF66">Hint</font>*</font><font face="Verdana" size="2"> Netbus 1.7 saves the IP of the attacker in <font color="#66CCFF"><i>c:\windows\access.txt </i></font>!<br><i>but only</i> if he has restricted access to the server to this IP.</font><font face="Verdana" size="2"><br> -><i>Name of the trojan</i>.INI -> if the trojan name is patch.exe, patch.ini<br> Consists of the following: [Settings]<br></font><font face="Verdana" size="2">Port1=12345 *Obvious<br> ServerPwd=asl *Unencrypted <br> LogTraffic=1 <br> MailTo=cocksucker@cf.com *Attacker e-mail<br> MailFrom=my@myself.com *yours<br> MailHost=127.0.0.1 *SMTP server<br></font><font face="Verdana" size="2"><br>
*Note: the MailTo and the MailFrom could be interchanged (bug or feature
to hide the real e-mail address, because I entered just the opposite)<br>
<br> The Patch.exe of Netbus 1.6 has exactly 472.576 Bytes<br> The Patch.exe of Netbus 1.7 has exactly 314.636 Bytes<br> The Whakamol.exe fake game has exactly 314.636 Bytes<br><br></font></div><div align="left"><font face="Verdana" size="2"><br> * <font color="#FFFF66">Rare Version of NBP2</font></font> </div><div align="left"><font face="Verdana" size="2"><br> -> see Netbus Pro 2<br></font></div><div align="left"><font face="Verdana" size="2"><br> * <font color="#FFFF66">Attack Ftp</font><br><br></font></div><div align="left"><font face="Verdana" size="2">->French Trojan (and therefore needs a few French DLLs)<br> What does it do?<br> - Copies <font color="#66CCFF">Wsgt32.dl_</font> into the System directory and renames the file to Drwatsom.exe<br> - Copies <font color="#33CCFF">Wsgt32.dl_</font> into the Windows directory and renames the file to Wver.dll<br> - Copies Install.exe into the System directory and renames the file to Wscan.exe <br> - Writes a key in Win.ini to launch Drwatsom.exe upon next reboot.<br> - Writes to the registry to launch Wscan.exe at next reboot<br> - Searches CD-ROM drives<br> - Creates Serv-u.ini in the System directory <br> - Scans the HD for <font color="#33CCFF">TREE.DAT</font> (password of Cute-FTP)<br> - Copies the result to <font color="#33CCFF">c:\windows\Result.dll</font><br> - Launches <font color="#33CCFF">Drwatsom.exe</font><br> - Fakes an error message<br><br> Remove:<br> Quoted from the author's readme:<br><br> - Kill Drwatsom (Ctrl-Alt-Del)<br> - Execute the command : "<font color="#66CCFF">Wscan.exe Louis_Cypher</font>"<br> - Delete the Key<br><b><i><font color="#66CCFF">"HKEY_LOCAL_MACHINE, "Software\Microsoft\Windows\CurrentVersion\Run" Value wscan.exe</font></i></b><br> - Delete <font color="#66CCFF"><i>Wscan.exe</i></font> from <font color="#33CCFF"><i>c:\windows\system</i></font><br><br> Size of the setup.exe is exactly 230.912 Bytes<br><br></font></div><div align="left"><font face="Verdana" size="2">* <font color="#FFFF66">Streaming 
Audio Trojan</font><br></font></div><div align="left"><font face="Verdana" size="2">-> Sets up a streaming audio server<br> Needs a lot of DLLs and needs a registration before functioning, achieved by<br> a Reg file which registers the serials. I think it's impossible <br> to set it up with no physical access to the victim computer. (therefore rare) </font></div> <div align="left"><font face="Verdana" size="2"><br> * <font color="#FFFF66">Hackcity Ripper Trojan</font><br><br></font></div><div align="left"><font face="Verdana" size="2">-> Only rips passwords<br> Removes itself on next reboot.<br><br> *Hint* The victim should change his Dial-Up password immediately.<br><br></font></div><div align="left"><font face="Verdana" size="2">* <font color="#FFFF66">FTP </font><br></font></div><div align="left"><font face="Verdana" size="2">-> Detects FTP <br> Nothing abnormal if a person has an FTP server, but some trojans are able to open an FTP server.<br> If you don't want the script to scan for this, deactivate it.<br><br> *Note* If you selected &gt;&gt;Enable ALL&lt;&lt; then FTP and Wingate are deactivated. <br></font></div> <div align="left"><font face="Verdana" size="2"><br>
</font></div>
<div align="left"><font face="Verdana" size="2">*<font color="#FFFF66">Telecommando (recognized by AVP)</font></font><font face="Verdana" size="2"><br></font></div><div align="left"><font face="Verdana" size="2">-> Basic Trojan<br> Key is:<br><font color="#66CCFF"><i><b>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run</b></i></font><br><font color="#66CCFF"><b><i>Systemapp Value ODBC.exe</i></b></font><br><br> 1) Restart or quit to DOS and simply delete the file c:\windows\system\odbc.exe<br><br> 2) Use programs able to KILL programs in memory, like CCTASK (URL below, 1.4),<br> and then simply delete<font color="#66CCFF"><i> odbc.exe</i></font> in <font color="#66CCFF"><i>c:\windows\system</i></font><br><br><br></font></div><div align="left"><font face="Verdana" size="2">*<font color="#FFFF66">Icq Trojen (recognized by AVP)</font><br><br></font></div><div align="left"><font face="Verdana" size="2">-> DOS-based Trojan (not very useful)<br> Quoted from the readme <br> >><i><font color="#66CCFF">Icqtrogen.exe is made to be placed in your icq folder and move the real icq <br> to icq2.exe. netdetect calls our icq and ours calls icq2 so the user can't see it</font></i><< <br><br> Removing is quite easy.<br> -> Go to the ICQ directory, delete ICQ.exe and rename ICQ2.exe to ICQ.EXE. DONE<br><br> *Original Server EXE is exactly 39.424 Bytes. 
<br><br> ->**Modified Version**<br> Doesn't need the original ICQ.<br> Does not restart automatically.<br><br> *Modified Server Exe is exactly 27.779 Bytes<br> *Installer attached WITH BO is 188.438 Bytes<br><br></font></div><div align="left"><font face="Verdana" size="2">*<font color="#FFFF66">Prority BETA</font><br><br></font></div><div align="left"><font face="Verdana" size="2">->New release; the trojan needs VB runtime files. <br> When pressing CTRL-ALT-DELETE the name pserver shows up.<br></font><font face="Verdana" size="2">The Key is:<br><font color="#66CCFF"><b><i>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run<br> pserver Value pserver.exe (everytime)<br></i></b></font><br> *Original Server Exe is exactly 98.304 Bytes<br></font></div><div align="left"><font face="Verdana" size="2">*<font color="#FFFF66">Deep BO</font></font></div><div align="left"><font face="Verdana" size="2"><br> ->Widespread version of BO. Runs on a specific port;<br> for removal see BO.</font></div><div align="left"><font face="Verdana" size="2"><br><br> *<font color="#FFFF66">Gjamer </font><br></font></div><div align="left"><font face="Verdana" size="2">->NO information available at this time. I need some info. 
(Mail me)<br></font></div><div align="left"><font face="Verdana" size="2"><br> *<font color="#FFFF66">Voodoo</font><br></font></div><div align="left"><font face="Verdana" size="2">->Needs all the lame Visual Basic DLLs</font><font face="Verdana" size="2"> <br> *Original Server Exe is exactly 36.864 Bytes.<br></font></div><div align="left"><font face="Verdana" size="2"><br> *<font color="#FFFF33">Ncw</font></font></div><div align="left"><font face="Verdana" size="2" color="#FFFFFF">The key in the registry is :<br></font><font face="Verdana" size="2" color="#33CCFF">[HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices] <br> "MSSystemSet"="msset32.exe" </font><br><br></div><div align="left"><font face="Verdana" size="2" color="#FFFFFF">*</font><font face="Verdana" size="2" color="#FFFF33">Shadow Phyre</font></div><div align="left"><font face="Verdana" size="2">Copies to<br></font><font face="Verdana" size="2">c:\windows\system\inet.exe 200K <br> c:\windows\system\WinZipp.exe 200K <br><br> The Keys in the registry are : <br><br><i><font color="#33CCFF">[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] <br> "WinZipp"="C:\\WINDOWS\\SYSTEM\\WinZipp.exe /nomsg" </font></i> <br><br><i><font color="#33CCFF">[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices] <br> "INET Wizard"="C:\\WINDOWS\\SYSTEM\\inet.exe /nomsg" </font></i></font></div><div align="left"><font face="Verdana" size="2"><br> *<font color="#FFFF33">Tiny Telnet Server</font></font> </div><div align="left"><font size="2" face="Verdana">Copies to :<br> c:\windows\windll.exe <i>127488 Bytes<br></i><br> The Key in the registry is : <br><i><font color="#33CCFF">[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] <br> "Windll.exe"="C:\\WINDOWS\\Windll.exe" </font></i><br></font></div><div align="left"><br> *<font face="Verdana" size="2" color="#FFFF33">Kuang</font> </div><div align="left"><font 
size="2" face="Verdana">Copies to : <br> c:\windows\<font color="#FFFFFF">_webcache_.exe</font> <i><br></i><font color="#FFFFFF">C:\WINDOWS\SYSTEM\Temp$1.exe</font><br><br> The Keys in the registry are : <br></font><font size="2" face="Verdana"><i><font color="#33CCFF">[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]<br></font><font color="#00CCFF">"WebAccelerator"="_webcache_.exe"<br><br> [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]<br> "Temp$1.task"="C:\\WINDOWS\\SYSTEM\\Temp$1.exe" </font></i> <br></font></div>
<div align="left"><br> *<font face="Verdana" size="2" color="#FFFF33">Netsphere</font> </div><div align="left"><font size="2" face="Verdana">Copies to : </font><br><font face="Verdana" size="2">C:\WINDOWS\system\nssx.exe</font> <font size="2" face="Verdana" color="#00CCFF">[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "NSSX"="C:\\WINDOWS\\system\\nssx.exe"</font></div><div align="left"><font face="Verdana" size="2"><br> *<font color="#FFFF33">FakeViri</font></font></div><div align="left"><font size="2" face="Verdana">Copies to :<br>
C:\WINDOWS\system\nssx.exe <i>36864 Bytes</i></font> <font face="Verdana" size="2" color="#00CCFF">[</font><font face="Verdana" size="2" color="#00CCFF">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
<i>"Kernel32.dll"="c:\\windows\\ccc.exe"</i></font></div>
</blockquote><div align="left"> <p><font face="Verdana" size="2">*</font><font face="Verdana" size="2" color="#FFFF33">Satans Back Door</font></p></div><blockquote> <div align="left"><font size="2" face="Verdana">Copies to :<br> C:\windows\sysprot.exe <i>77 824bytes</i></font></div><div align="left"><font face="Verdana" size="2" color="#33CCFF">[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices] <i>"sysprot protection"="C:\\windows\\sysprot.exe"</i></font></div></blockquote><div align="left"> <p><font face="Verdana" size="2">*<font color="#FFFF00">Indoctrination</font></font></p></div><blockquote> <div align="left"><font size="2" face="Verdana">Copies to :<br> C:\windows\sysprot.exe</font><font face="Verdana" size="2"> 29 184bytes</font></div><div align="left"><font face="Verdana" size="1" color="#33CCFF">[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce] <br> "Msgsrv16"="Msgsrv16"</font></div><div align="left"><font face="Verdana" size="1" color="#33CCFF">[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce] <br> "Msgsrv16"="Msgsrv16" </font></div><div align="left"><font face="Verdana" size="1" color="#33CCFF">[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]<br> "Msgsrv16"="Msgsrv16"</font></div><div align="left"><font face="Verdana" size="1" color="#33CCFF">[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]<br> "Msgsrv16"="Msgsrv16"</font></div><div align="left"><font face="Verdana" size="1" color="#33CCFF">[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]<br> "Msgsrv16"="Msgsrv16" </font></div></blockquote><div align="left"> <p><font face="Verdana" size="2">*<font color="#FFFF00">JammerKillah12</font></font></p></div><blockquote> <div align="left"><font size="2" face="Verdana">Copies to :<br> C:\windows\</font><font face="Verdana" size="2" color="#FFFFFF">MsWin32.drv</font><font face="Verdana" size="1" color="#00CCFF"> </font><font face="Verdana" size="2">92 697bytes</font></div><div align="left"><font face="Verdana" size="1" color="#00CCFF">[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]<br></font><font face="Verdana" size="1" color="#00CCFF">"MsWindrv"="MsWin32.drv" </font></div>
</blockquote>
<div align="left"><br><font face="Verdana" size="2">*<font color="#FFFF00">AolTrojan</font></font></div><blockquote> <div align="left"><pre><font size="2" face="Verdana">Copies to :</font></pre> </div><div align="left"><font size="2" face="Verdana">C:\windows\</font><font face="Verdana" size="2" color="#FFFFFF">DAT92003.exe</font><font face="Verdana" size="1" color="#00CCFF"> </font><font face="Verdana" size="2">32 768bytes or <br> C:\windows\</font><font face="Verdana" size="2" color="#FFFFFF">DAT92003.exe 69 632bytes </font></div><div align="left"><font face="Verdana" size="1" color="#00CCFF">[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]<br> "dat92003"="C:\\WINDOWS\\SYSTEM\\DAT92003.exe"</font></div></blockquote><div align="left"> <p><font face="Verdana" size="2">*<font color="#FFFF00">Hack'a'tack</font></font></p></div><blockquote> <div align="left"><font size="2" face="Verdana">Copies to :</font></div><div align="left"><font size="2" color="#FFFFFF" face="Verdana">C:\windows\Expl32.exe 241 397bytes</font></div><div align="left"><font size="1" color="#33CCFF" face="Verdana">[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] <br> "Explorer32"="C:\\WINDOWS\\Expl32.exe"</font></div></blockquote><div align="left"> <p><font face="Verdana" size="2">*<font color="#FFFF00">The Unexplained</font></font></p></div><blockquote> <div align="left"><font size="2" face="Verdana">Copies to :</font></div><div align="left"><font size="2" color="#FFFFFF" face="Verdana">C:\windows\INETB00ST.EXE 28.000bytes</font></div><div align="left"><pre><font face="Verdana" size="1" color="#00CCFF">[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"InetB00st"="C:\\WINDOWS\\TEMP\\INETB00ST.EXE"</font></pre> </div></blockquote><div align="left">
<p><font face="Verdana" size="2">*<font color="#FFFF00">Bla</font></font></p></div><blockquote> <div align="left"><font size="2" face="Verdana">Copies to :</font></div><div align="left"><pre><font size="2" color="#FFFFFF" face="Verdana">C:\WINDOWS\$Temp\TROJAN.EXE
</font><font size="2" color="#FFFFFF" face="Verdana">c:\windows\system\Rundll.exe</font></pre> </div></blockquote>
<blockquote> <div align="left"><pre><font face="Verdana" size="1" color="#00CCFF">[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"system"="C:\\WINDOWS\\$TEMP\\TROJAN.EXE"
"systemdoor"="c:\\windows\\system\\Rundll argp1"</font>
</pre> </div></blockquote><div align="left">
<p><font face="Verdana" size="2">*<font color="#FFFF00">Progenic Trojan Beta Series</font></font></p></div><blockquote> <div align="left"><font face="Verdana" size="2" color="#FFFFFF">Copies to : </font></div><div align="left"><font face="Verdana" size="2" color="#FFFFFF">c:\windows\scandiskvr.exe</font></div><div align="left"><pre><font face="Verdana" size="2" color="#FFFF00"> </font><font face="Verdana" size="1" color="#00CCFF">[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Scandisk"="c:\\windows\\scandiskvr.exe" </font></pre> </div></blockquote><div align="left">
<p><font face="Verdana" size="2" color="#FFFFFF">* </font><font face="Verdana" size="2" color="#FFFF00">Hack'a'ttack1.12
</font></p>
</div><blockquote> <div align="left"><font face="Verdana" size="2" color="#FFFFFF">Copies to :</font></div><div align="left"><font face="Verdana" size="2" color="#FFFFFF">C:\WINDOWS\Expl32.exe</font></div><div align="left">
<pre><font face="Verdana" size="1" color="#00CCFF">
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Explorer32"="C:\\WINDOWS\\Expl32.exe" </font></pre>
</div></blockquote><div align="left">
<p><font face="Verdana" size="2" color="#FFFFFF">* </font><font face="Verdana" size="2"><font face="Verdana" size="2" color="#FFFF00">Bla1.1
</font></font></p>
</div><blockquote> <div align="left"><font face="Verdana" size="2" color="#FFFFFF">Copies to :</font></div><div align="left"><font face="Verdana" size="2" color="#FFFFFF">C:\WINDOWS\SYSTEM\mprdll.exe</font></div><div align="left">
<pre><font face="Verdana" size="1" color="#00CCFF">
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"system"="C:\\WINDOWS\\SYSTEM\\mprdll.exe"</font></pre>
</div></blockquote><div align="left"> <p>&nbsp;</p><p><font face="Verdana" size="2">* <font color="#FFFF00">VL RAT. 5.3.0</font></font></p></div><blockquote> <div align="left">C<font face="Verdana" size="2" color="#FFFFFF">opies to :</font></div><div align="left"><pre><font face="Verdana" size="2" color="#FFFFFF">C:\WINDOWS\SYSTEM\ .exe
C:\WINDOWS\system\MSGSVR16.EXE</font></pre> </div><div align="left">
<pre><font face="Verdana" size="1" color="#00CCFF">
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Default"=" "
"Explorer"=" "
<font color="#66FF00">'Note This runs " .exe" just like BO.

<font color="#00CCFF">[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Explorer"="C:\\WINDOWS\\system\\MSGSVR16.EXE"</font></font></font></pre>
</div></blockquote><div align="left"> <p><font face="Verdana" size="2">* <font color="#FFFF00">BackConstruction 1.2</font></font></p></div><blockquote> <div align="left"><font face="Verdana" size="2" color="#FFFFFF">Copies to :</font></div><div align="left"><font face="Verdana" size="2" color="#FFFFFF">C:\WINDOWS\Cmctl32.exe</font></div><div align="left">
<pre><font face="Verdana" size="1" color="#00CCFF">
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Shell"="C:\\WINDOWS\\Cmctl32.exe"

</font></pre>
</div></blockquote><div align="left"> <p><font face="Verdana" size="2">* <font color="#FFFF00">Kuang (Psender)</font></font></p></div><blockquote> <div align="left">- <font face="Verdana" size="1">Kuang2Full:<br><font color="#00CCFF">[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]<br> "K2ps_full.task"="C:\\WINDOWS\\SYSTEM\\K2ps_full.exe"<br>
<font color="#FFFFFF">-</font></font>Kuang2:<br>
<font color="#00CCFF">[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]<br>
"K2ps"="C:\\WINDOWS\\SYSTEM\\K2psl.exe"</font></font></div>

</blockquote>
<div align="left"> <p><font face="Verdana" size="2"><br> * <font color="#FFFF00">Frenzy 1.01</font></font></p></div><blockquote>
<div align="left"><font color="#00CCFF" size="1" face="Verdana">[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]<br>
"Explore"="C:\\Program files\\msgsrv36.exe"</font></div>

</blockquote>
<div align="left"> <p><font face="Verdana" size="2"><br> * <font color="#FFFF00">Kuang2 The Virus</font></font></p></div><blockquote> <div align="left"><font face="Verdana" size="2">Since Kuang2 The Virus acts like a virus, attaching itself to every PE EXE on the HD, there is no usual removal method. I suggest you download <a href="http://www.multimania.com/ilikeit/kuang2v.htm">Kuang2 The Virus</a> with the built-in disinfector </font></div></blockquote><div align="left"> <p><font face="Verdana" size="2"><br> * <font color="#FFFF00">Xtcp PORT 5550</font></font></p></div><blockquote> <div align="left">
<pre><font size="1" face="Verdana" color="#00CCFF">
<font size="2" color="#FFFFFF">Copies to : c:\windows\winmsg32.exe
</font>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Msgsv32"="C:\\WINDOWS\\SYSTEM\\winmsg32.exe"
</font><font face="Verdana" size="2" color="#FFFFFF">
Uses port 5550.</font></pre>
</div></blockquote><div align="left"> <p><font face="Verdana" size="2">* <font color="#FFFF00">Netsphere Final (131337)</font></font></p></div><blockquote> <div align="left">
<pre>

<font size="2" face="Verdana" color="#FFFFFF">Copies to : c:\windows\system\epp32.exe

</font><font size="1" face="Verdana" color="#00CCFF">[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ExecPowerProfile"="C:\\WINDOWS\\system\\epp32.exe" </font> </pre>
</div></blockquote>
<div align="left"><font face="Verdana" size="2" color="#FFFFFF">Uses port
30133</font></div>
<div align="left"> <p><font face="Verdana" size="2"><br> * <font color="#FFFF00">Schwindler 1.82</font></font></p></div><blockquote> <div align="left">
<pre>

<font size="1" face="Verdana" color="#00CCFF"><font size="2" color="#FFFFFF">Copies to : c:\windows\user.exe <font color="#FF0000">NOT</font> c:\windows\system\user.exe

</font>[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"User.exe"="C:\\WINDOWS\\User.exe"
</font></pre>
</div></blockquote>
<div align="left"><font face="Verdana" size="2" color="#FFFFFF">Uses port
21554</font></div>
<div align="left"> <p>&nbsp;</p><p><font face="Verdana" size="2">* <font color="#FFFF00">SubSeven 1.9</font></font></p></div><blockquote> <div align="left">
<pre>

<font size="2" face="Verdana" color="#FFFFFF">Copies to : c:\windows\system\mtmtask.dl
</font><font face="Verdana" size="1">- Default:</font><font face="Verdana" size="2"><br>
<font size="1" color="#00CCFF">System.ini<br>
Shell=explorer.exe mtmtask.dl</font></font></pre> </div>
<div align="left"><font face="Verdana" size="2" color="#FFFFFF">Uses port
1243</font></div>
</blockquote><div align="left"> <p>&nbsp;</p><p><font face="Verdana" size="2">* <font color="#FFFF00">BackConstruction 2.1</font></font></p></div><blockquote> <div align="left">
<pre>

<font size="2" face="Verdana" color="#FFFFFF">Copies to : c:\windows\Cmctl32.exe
</font>
<font face="Verdana" size="1" color="#00CCFF">[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Shell"="C:\\WINDOWS\\Cmctl32.exe"</font></pre>
</div>
<div align="left"><font face="Verdana" size="2" color="#FFFFFF">Uses port
1234</font></div>
</blockquote><div align="left"> <p>&nbsp;</p><p><font face="Verdana" size="2">* <font color="#FFFF00">Vampire</font></font></p></div><blockquote> <div align="left"><font face="Verdana" size="2">Copies to : <font color="#FFFFFF">c:\windows\system\Sockets.exe</font></font></div><div align="left"><font face="Verdana" size="1" color="#00CCFF">[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "Sockets"="c:\windows\system\Sockets.exe"</font></div>
<div align="left"><font face="Verdana" size="2" color="#FFFFFF">Uses port
6669</font></div>

</blockquote>
<div align="left"> <p>&nbsp;</p><p><font face="Verdana" size="2">* <font color="#FFFF00">Trojan Spirit 2001 a</font></font></p></div><blockquote> <div align="left"><font face="Verdana" size="2">Copies to: c:\WINDOWS\netip.exe </font></div><div align="left"><font face="Verdana" size="2"><i>Win.ini</i> : [windows]run= c:\windows\netip.exe</font></div><div align="left">
<pre><font face="Verdana" size="1" color="#00CCFF">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Internet="c:\windows\netip.exe"

</font><font face="Verdana" size="2" color="#FFFFFF">Uses port 30911
</font></pre>
</div></blockquote><div align="left"> <div align="left"> <p><font face="Verdana" size="2">* <font color="#FFFF00">Maverick's Matrix </font></font></p></div></div><div align="left"> <blockquote> <div align="left"> <div align="left"> <div align="left"><font face="Verdana" size="2">Copies to: </font><font face="Verdana" size="1" color="#FFFFFF">C:\WINDOWS\Wincfg.exe</font></div></div></div>
<div align="left"> <div align="left"> <div align="left"><font face="Verdana" size="1" color="#00CCFF">[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "Wincfg.exe"="C:\WINDOWS\Wincfg.exe" </font> </div></div></div>
</blockquote>
</div>
<div align="left"> <blockquote> <div align="left">
<div align="left"><font face="Verdana" size="2" color="#FFFFFF">Uses
port 1269</font></div>
</div>
</blockquote>
<div align="left"> <div align="left"> <p><font face="Verdana" size="2"><br> * <font color="#FFFF00">Total Eclypse </font></font></p></div></div></div><div align="left"> <div align="left"> <blockquote> <div align="left"> <div align="left"> <div align="left"> <div align="left"><font face="Verdana" size="2">Copies to: </font><font face="Verdana" size="2" color="#FFFFFF">C:\Windows\System\Rmaapp.exe</font><font face="Verdana" size="1" color="#FFFFFF"> '<font color="#00FF00">Note NOT Rnaapp.exe </font></font></div></div></div></div><div align="left"> <div align="left"> <div align="left"> <div align="left"><font face="Verdana" size="1" color="#00CCFF"> [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "Rnaapp"="C:\\Windows\\System\\Rmaapp.exe" </font></div></div></div></div>
</blockquote>
</div></div>
<div align="left"> <blockquote> <div align="left"> <div align="left">
<div align="left"><font face="Verdana" size="2" color="#FFFFFF">Uses
port 3791 (for FTP)</font></div>
</div></div>
</blockquote>
<div align="left"> <div align="left"> <p><font face="Verdana" size="2"><br> * <font color="#FFFF00">Kuang2 logger AS</font></font></p></div></div></div><div align="left"> <div align="left"> <blockquote> <div align="left"> <div align="left"> <div align="left">
<div align="left"><font face="Verdana" size="2">Copies to: </font><font face="Verdana" size="1" color="#FFFFFF"><font size="2">C:\WINDOWS\SYSTEM\K2logas.exe</font></font></div>
</div></div></div><div align="left"> <div align="left"> <div align="left"> <div align="left"><font face="Verdana" size="1" color="#00CCFF"> [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "K2logas.task"="C:\\WINDOWS\\SYSTEM\\K2logas.exe" </font></div></div></div></div>
</blockquote>
</div>
<div align="left"> <div align="left"> <p>&nbsp;</p><p><font face="Verdana" size="2">* <font color="#FFFF00">Vampire 1.2 </font></font></p></div></div></div><blockquote> <div align="left"> <div align="left"> <div align="left"> <div align="left"><font face="Verdana" size="2">Copies to: </font><font face="Verdana" size="2" color="#FFFFFF">c:\windows\system\Winboot.exe<br><br></font></div></div></div></div><div align="left"> <div align="left"> <div align="left">
<div align="left"><font face="Verdana" size="1" color="#00CCFF">[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"WindowsBootFile"="c:\\windows\\system\\Winboot.exe"</font></div>
</div></div></div>
</blockquote>
<div align="left"> <div align="left"> <div align="left"> <p><font face="Verdana" size="2"><br> * <font color="#FFFF00">BoBo 1.0 </font></font></p></div></div></div><div align="left"> <blockquote> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"><font face="Verdana" size="2">Copies to: </font><font face="Verdana" size="2" color="#FFFFFF">C:\WINDOWS\SYSTEM\Dllclient.exe<br><br></font></div></div></div></div></div>
<div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"><font face="Verdana" size="1" color="#00CCFF">[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "DirectLibrarySupport"="C:\\WINDOWS\\SYSTEM\\Dllclient.exe" </font></div></div></div></div></div>
</blockquote>
<div align="left"> <div align="left"> <p>&nbsp;</p><p><font face="Verdana" size="2">* <font color="#FFFF00">Deep Throat 3.1</font></font></p></div></div></div><div align="left"> <div align="left"> <blockquote> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"><font face="Verdana" size="2">Copies to: </font><font face="Verdana" size="2" color="#FFFFFF">c:\windows\systray.exe <font size="1" color="#33FF33">'NOT c:\windows\system\systray .exe </font></font></div></div></div></div></div></div>
<div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"><font face="Verdana" size="1" color="#00CCFF">[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "Systemtray"="c:\\windows\\systray.exe" </font></div></div></div></div></div></div>
</blockquote>
</div>
<div align="left"> <div align="left"> <p>&nbsp;</p><p><font face="Verdana" size="2">* <font color="#FFFF00">Trojan Spirit 1.2</font></font></p></div></div></div><blockquote> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"><font face="Verdana" size="2">Copies to: c:\WINDOWS\FileName.exe</font> </div></div></div></div></div></div><div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"><pre><font face="Verdana" size="1" color="#00CCFF">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Internet="c:\windows\filename.exe"
</font></pre> </div></div></div></div></div></div></blockquote>
<div align="left"> <div align="left"> <div align="left"> <div align="left"> <p><font face="Verdana" size="2">* <font color="#FFFF00">Eclipse 2000 </font></font></p></div></div></div></div><blockquote> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left">
<div align="left"><font face="Verdana" size="2">Copies to: </font><font face="Verdana" size="1" color="#FFFFFF">C:\WINDOWS\SYSTEM\Filename.EXE</font></div>
</div></div></div></div></div></div><div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"><font face="Verdana" size="1" color="#00CCFF"> [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices] "Cksys"="C:\\WINDOWS\\SYSTEM\\Filename.EXE" <br><br></font></div></div></div></div></div></div></div><div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"><font face="Verdana" size="1" color="#00CCFF"> [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] "Ewgiops"="C:\\WINDOWS\\SYSTEM\\ECLIPSE2000.EXE"</font><font face="Verdana" size="1" color="#00CCFF"> <br><br></font></div></div></div></div></div></div></div><div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"><font face="Verdana" size="1" color="#00CCFF">[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "Bybt"="C:\\WINDOWS\\SYSTEM\\ECLIPSE2000.EXE"</font></div></div></div></div></div></div></div><div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"><font face="Verdana" size="1" color="#FFFFFF">Keynames seem to be selected randomly. </font></div></div></div></div></div></div></div></blockquote><div align="left">
<div align="left"> <div align="left"> <div align="left"> <p><font face="Verdana" size="2">* <font color="#FFFF00">Incommand</font></font></p></div></div></div></div><blockquote> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"><font face="Verdana" size="2">Copies to: </font><font face="Verdana" size="2" color="#FFFFFF">Path_Where_Run\Filename.exe</font></div></div></div></div></div></div></div><div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"><font face="Verdana" size="1" color="#00CCFF"> <br> [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "AdvancedSettings"="Path_Where_Run\Filename.exe"</font></div></div></div></div></div></div></div></blockquote><div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <p></p><p><font face="Verdana" size="1" color="#FFFFFF">. </font></p>
<div align="left"> <div align="left"> <div align="left"> <p><font face="Verdana" size="2">* <font color="#FFFF00">BrainSpy</font></font></p></div></div></div></div></div></div></div></div></div></div><blockquote> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left">
<div align="left"><font face="Verdana" size="2">Copies to: <font size="2" color="#FFFFFF">C:\WINDOWS\SYSTEM\BRAINSPY .EXE</font></font></div>
</div></div></div></div></div></div></div></div></div></div></div></div><div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left">
<div align="left"><font face="Verdana" size="1" color="#00CCFF">
</font><font face="Verdana" size="1"><font color="#FFFFFF"><br>
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]<br>
</font><font color="#00CCFF"> "Gbubuzhnw"="C:\\WINDOWS\\SYSTEM\\BRAINSPY .EXE" </font> </font></div>
</div></div></div></div></div></div></div></div></div></div></div></div></blockquote><div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <p> </div></div></div></div></div></div></div></div></div></div></div></div></div><blockquote> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left">
<div align="left"><font face="Verdana" size="1">[</font><font face="Verdana" size="1" color="#FFFFFF">HKCU</font><font face="Verdana" size="1">\Software\Microsoft\Windows\CurrentVersion\Run]
<br>
<font color="#00CCFF">"Dualji"="C:\\WINDOWS\\SYSTEM\\BRAINSPY .EXE"</font></font></div></div></div></div></div></div></div></div></div></div></div></div></div><div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"><font face="Verdana" size="1" color="#FFFFFF">'Note Keynames are randomized. </font></div></div></div></div></div></div></div></div></div></div></div></div></div></blockquote><div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left">
<div align="left"> <div align="left"> <div align="left"> <p><font face="Verdana" size="2">* <font color="#FFFF00">IRC3</font></font></p></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div><blockquote> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"><font face="Verdana" size="1"><u>Win.ini</u> :<font color="#0099FF"><br> load = closew <br><br><font color="#FFFFFF">Closew.bat contains the following commands:<br> @prompt @START C:\WINDOWS\RUNDLLS.EXE /h <br><br> Rundlls.exe is ServU.exe and the /h option runs it hidden. </font></font></font></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></blockquote><div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left">
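The persistence mechanisms the entries above keep citing (Run and RunServices values, a program named " .exe" as in the VL RAT note, lookalike names as in Total Eclypse and Deep Throat 3.1, win.ini run=/load= as in Trojan Spirit and IRC3, and a system.ini Shell= line as in SubSeven 1.9) can be checked from exported configuration. The following Python audit is an added example, not code from the TL Security FAQ; the registry export and ini contents are constructed samples, and the lookalike table is a hypothetical starting point.

```python
"""Audit of the Windows 9x autostart locations the entries above keep citing.

Added example, not code from the TL Security FAQ.  It parses a Registry
export (.reg text) plus win.ini / system.ini contents, all constructed here,
and flags: values under Run / RunServices / RunOnce / RunServicesOnce, a
program named " .exe" (BO / VL RAT), lookalikes (Rmaapp.exe vs Rnaapp.exe,
systray.exe outside SYSTEM), win.ini run= / load= (Trojan Spirit, IRC3) and
a system.ini Shell= carrying more than explorer.exe (SubSeven 1.9).
"""
import re
from typing import Dict, List, Tuple

AUTOSTART_KEYS = ("run", "runservices", "runonce", "runservicesonce")
# Hypothetical starting tables; extend them from the database entries.
LOOKALIKES = {"rmaapp.exe": "Rnaapp.exe"}
SYSTEM_DIR_ONLY = {"systray.exe"}


def parse_reg_export(text: str) -> List[Tuple[str, str, str]]:
    """Return (key, value_name, data) for every "name"="data" line."""
    unescape = lambda s: re.sub(r"\\(.)", r"\1", s)  # .reg: \\ -> \, \" -> "
    entries: List[Tuple[str, str, str]] = []
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = re.match(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$', line)
        if m and key is not None:
            entries.append((key, unescape(m.group(1)), unescape(m.group(2))))
    return entries


def parse_ini(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal win.ini / system.ini parser: {section: {key: value}}."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            k, v = line.split("=", 1)
            sections[current][k.strip().lower()] = v.strip()
    return sections


def exe_name(command: str) -> str:
    """Program file name from a command line; a leading space is kept."""
    cmd = command.strip('"')
    m = re.match(r"^(.*?\.(?:exe|com|bat|drv|dll|dl))", cmd, re.IGNORECASE)
    path = m.group(1) if m else cmd.split(" ")[0]
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def audit(reg_export: str, win_ini: str, system_ini: str) -> List[Tuple[str, str]]:
    """Inventory every autostart entry; 'high' marks the patterns listed above."""
    findings: List[Tuple[str, str]] = []
    for key, name, data in parse_reg_export(reg_export):
        if key.rsplit("\\", 1)[-1].lower() not in AUTOSTART_KEYS:
            continue
        where = f"{key} -> {name!r}"
        if not data.strip():
            findings.append(("high", f"{where}: blank command, runs ' .exe'"))
            continue
        exe = exe_name(data)
        if not exe.rsplit(".", 1)[0].strip():
            findings.append(("high", f"{where}: program named {exe!r}"))
        elif exe.lower() in LOOKALIKES:
            findings.append(("high", f"{where}: {exe} mimics {LOOKALIKES[exe.lower()]}"))
        elif exe.lower() in SYSTEM_DIR_ONLY and "\\system\\" not in data.lower():
            findings.append(("high", f"{where}: {exe} outside the SYSTEM directory"))
        else:
            findings.append(("info", f"{where}: {data}"))
    windows = parse_ini(win_ini).get("windows", {})
    for k in ("run", "load"):
        if windows.get(k):
            findings.append(("high", f"win.ini [windows] {k}={windows[k]}"))
    shell = parse_ini(system_ini).get("boot", {}).get("shell", "")
    if shell and shell.lower() != "explorer.exe":
        findings.append(("high", f"system.ini [boot] shell={shell}"))
    return findings


# Constructed samples mirroring entries in the database above (no real host).
SAMPLE_REG = r"""[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Rnaapp"="C:\\Windows\\System\\Rmaapp.exe"
"Systemtray"="c:\\windows\\systray.exe"
"Explorer"="C:\\WINDOWS\\system\\MSGSVR16.EXE"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Default"=" "

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Demo]
"DisplayName"="not an autostart key"
"""
SAMPLE_WIN_INI = "[windows]\nload=closew\nrun=c:\\windows\\netip.exe\n"
SAMPLE_SYSTEM_INI = "[boot]\nshell=explorer.exe mtmtask.dl\n"

if __name__ == "__main__":
    for severity, message in audit(SAMPLE_REG, SAMPLE_WIN_INI, SAMPLE_SYSTEM_INI):
        print(severity.upper(), message)
```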
<div align="left"> <div align="left"> <div align="left"> <p><font face="Verdana" size="2">* <font color="#FFFF00">PC Xplorer </font></font></p></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div><blockquote> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"><font face="Verdana" size="2"><font size="1" color="#FFFFFF">[HKLM\Software\Microsoft\Windows\CurrentVersion\Run] </font><font size="1" color="#33CCFF"> <br> "PCX"="C:\\WINDOWS\\SYSTEM\\PCX.exe" <br> "TaskManager"="C:\\WINDOWS\\SYSTEM\\PCX.exe"<br><br></font></font></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div><div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <font face="Verdana" size="1">[HKCU\Software\Microsoft\Windows\CurrentVersion\Run] <font color="#00CCFF"><br> "PCX"="C:\\WINDOWS\\SYSTEM\\PCX.exe"<br> "TaskManager"="C:\\WINDOWS\\SYSTEM\\PCX.exe"</font></font></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></blockquote><div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div 
align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <p><font face="Verdana" size="2">* <font color="#FFFF00">Online Keylogger </font></font></p></div></div></div><div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <blockquote> <div align="left">
<p><font face="Verdana" size="2">Copies
to the drive set
as Temp. </font></p>
<p><font face="Verdana" size="1" color="#00CCFF"> [HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices] <br> "WinSet"="E:\\system.sys" </font> </p></div></blockquote>
</div>
</div></div></div></div></div><div align="left"> <div align="left"> <div align="left"> <p><font face="Verdana" size="2">* <font color="#FFFF00">Transscout 1.1 +1.2 </font></font></p></div></div></div><div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <blockquote> <div align="left">
<p><font face="Verdana" size="2">Copies
to c:\windows\kernel16.exe
</font></p>
<p><font face="Verdana" size="1" color="#00CCFF"> [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "kernel16"="C:\\WINDOWS\\kernel16.exe" </font> </p></div></blockquote>
</div>
</div></div></div></div></div>
<div align="left"> <div align="left"> <div align="left"> <p><font face="Verdana" size="2">* <font color="#FFFF00">Ambush<br></font></font></p></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div><blockquote><div align="left"><div align="left"><div align="left"><div align="left"><div align="left"><div align="left"><div align="left"><div align="left"><div align="left"><div align="left"><div align="left"><div align="left"><div align="left"><div align="left"><div align="left"><div align="left"><div align="left"><div align="left"><div align="left"><div align="left"><div align="left"><div align="left">
<p><font face="Verdana" size="2">Copies
to c:\windows\Zcn32.exe
</font></p>
<p><font face="Verdana" size="1" color="#00CCFF"> [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]<br> "ZKA"="Zcn32.exe" </font></p></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div>
</blockquote>
<div align="left"> <div align="left"><div align="left"><div align="left"><div align="left"><div align="left"><div align="left"><div align="left"><div align="left"><div align="left"><div align="left"><div align="left"><div align="left"><div align="left"><div align="left"><div align="left"><div align="left"><div align="left"><div align="left"><div align="left"><div align="left"><div align="left"><div align="left"><p><font face="Verdana" size="2">* <font color="#FFFF00">DerSpaeher3 <br></font></font></p></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div><blockquote> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <p><font face="Verdana" size="2">Copies to C:\WINDOWS\System\dkbdll.exe </font></p><p><font face="Verdana" size="1" color="#00CCFF"> [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "Explore"="C:\WINDOWS\System\\dkbdll.exe Hi" </font></p></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></blockquote>
<div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <p><font face="Verdana" size="2">* <font color="#FFFF00">The Prayer 1.2 + 1.3 <br></font></font></p></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div><blockquote> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <p><font face="Verdana" size="2">Copies to C:\WINDOWS\SYSTEM\dlls32.exe </font></p><p><font face="Verdana" size="1" color="#00CCFF"> [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] "SystemFiles"="C:\\WINDOWS\\SYSTEM\\dlls32.exe"<br><br> [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "SysFiles"="C:\\WINDOWS\\SYSTEM\\dlls32.exe" </font></p></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></blockquote>
<div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <p><font face="Verdana" size="2">* <font color="#FFFF00">NetRaider<br></font></font></p></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div><blockquote> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <p><font face="Verdana" size="2">Copies to C:\WINDOWS\Rsrcnrs.exe </font></p><p><font face="Verdana" size="1" color="#00CCFF"> [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "Rsrcnrs"="C:\\WINDOWS\\Rsrcnrs.exe" </font></p></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></blockquote></div>
<div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <p><font face="Verdana" size="2">* <font color="#FFFF00">Subseven 2.x <br></font></font></p></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div><blockquote> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left">
<p><font face="Verdana" size="2">Copies
to C:\WINDOWS\</font><font face="Verdana, Arial, Helvetica, sans-serif" size="2">MSREXE.exe</font><font face="Verdana" size="2">
</font></p>
<p><font face="Verdana" size="1" color="#00CCFF">
</font><font face="Verdana, Arial, Helvetica, sans-serif" color="#00CCFF" size="-2">[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Winloader"="MSREXE.exe"</font>
</p>
<p><font face="Verdana, Arial, Helvetica, sans-serif" color="#00CCFF" size="-2">[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"WinLoader"="MSREXE.exe"</font>
<p><font face="Verdana, Arial, Helvetica, sans-serif" color="#00CCFF" size="-2">Win.ini</font>
<br>
<font face="Verdana, Arial, Helvetica, sans-serif" color="#00CCFF" size="-2">[windows]
load=MSREXE.exe</font>
<p><font face="Verdana, Arial, Helvetica, sans-serif" color="#00CCFF" size="-2">System.ini</font>
<br>
<font face="Verdana, Arial, Helvetica, sans-serif" color="#00CCFF" size="-2">shell=Explorer.exe
MSREXE.exe</font>
<p><font face="Verdana, Arial, Helvetica, sans-serif" size="-2">Unknown
Start Method Removal:</font>
<br>
<font face="Verdana, Arial, Helvetica, sans-serif" size="-2">Download
this file and double-click
it: <a href="http://www.TLSecurity.net/cgi-bin/download.cgi?backdoors/subsevenremoval.reg">Here</a></font>
<p><font face="Verdana, Arial, Helvetica, sans-serif" size="-2">'Note
to Wajii "It was mine
:)"</font>
<p>
</div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></blockquote></div><div align="left"><div align="left"><div align="left"><div align="left"><div align="left"><div align="left"><div align="left"><div align="left"><div align="left"><div align="left"><div align="left"><div align="left"><div align="left"><div align="left"><div align="left"><div align="left"><div align="left"><div align="left"><div align="left"><div align="left"><div align="left"><div align="left"><p><font face="Verdana" size="2">* <font color="#FFFF00">YAT aka Yet Another Trojan<br></font></font></p></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div><blockquote> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left"> <div align="left">
<p><font face="Verdana" size="2" color="#FFFFFF"><u>Start-UP</u>:</font><br>
<br>
<font face="Verdana" size="1" color="#FFFFFF"><img src="../pil.gif" width="5" height="10">
First, <font color="#00CCFF">HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Batterieanzeige</font>
is registered.<br>
<br>
<img src="../pil.gif" width="5" height="10">
Then <b>winstart.bat</b> is created if it does not exist yet. This file is normally used by
installation generators to manipulate, delete, exchange or register DLLs and other files.<br>
<br>
Content of <b>winstart.bat</b>:<br>
<br>
<font color="#00CCFF"><b>ÿ</b></font><br>
<br>
This might seem weird, but it simply means that Windows will look for <b>ÿ</b>.bat, <b>ÿ</b>.exe or
<b>ÿ</b>.com and execute it if it exists; DOS/Windows searches the directories set in the PATH
variable in autoexec.bat for the executable.<br>
<br>
<img src="../pil.gif" width="5" height="10">
Then <b><font color="#00CCFF">autoexec.bat</font></b> is changed and <b>ÿ</b> is appended at the end.<br>
<br>
<img src="../pil.gif" width="5" height="10">
Then <b><font color="#00CCFF">system.ini</font></b> is changed:<br>
shell=explorer.exe is changed to<br>
<font color="#00CCFF">shell=explorer.exe Path_where_ran/NCHARGE.exe /NOMSG</font><br>
<br>
<img src="../pil.gif" width="5" height="10">
Then <b><font color="#00CCFF">win.ini</font></b> is changed:<br>
run = is changed to<br>
<font color="#00CCFF">run = "very large space here" Path_where_ran/NCHARGE.exe /NOMSG</font><br>
<br>
<img src="../pil.gif" width="5" height="10">
Then <b><font color="#00CCFF">ÿ.bat</font></b> is created (note the odd character, which can be
created using an ALT-number combination).<br>
<br>
Content of <b><font color="#00CCFF">ÿ.bat</font></b>:<br>
<br>
<font color="#00CCFF">@echo off<br>
if exist F:\Directory_where_ran\NCHARGE.exe goto end</font><br>
<font color="#00FF00">'If the backdoor file exists, go to end.</font><br>
<br>
<font color="#00CCFF">if exist C:\WINDOWS\command\msdos.sys copy C:\WINDOWS\command\msdos.sys F:\Directory_where_ran\NCHARGE.exe > nul</font><br>
<font color="#00FF00">'If the backdoor backup exists, copy the backup to the backdoor location. The > NUL means
that all the messages DOS usually displays when copying, deleting etc. are NOT displayed, so it runs hidden.</font><br>
<br>
<font color="#00CCFF">if exist F:\Directory_where_ran\NCHARGE.exe goto end<br>
<br>
if exist C:\WINDOWS\system\windows.dat copy C:\WINDOWS\system\windows.dat F:\Directory_where_ran\NCHARGE.exe > nul<br>
<br>
if exist F:\Directory_where_ran\NCHARGE.exe goto end<br>
<br>
if exist C:\WINDOWS\command\drvspace.bat copy C:\WINDOWS\command\drvspace.bat F:\Directory_where_ran\NCHARGE.exe > nul<br>
<br>
:end<br>
C:\WINDOWS\regedit.exe C:\WINDOWS\reg.dat > nul</font><br>
<font color="#00FF00">'Registers the autostart key again silently. The /s option could also have been used for this.</font><br>
<br>
Content of <b><font color="#00CCFF">reg.dat</font></b>:<br>
<br>
<font color="#00CCFF">REGEDIT4<br>
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]<br>
"Batterieanzeige"="F:\Directory_where_ran\NCHARGE.exe /nomsg"</font><br>
<font color="#00FF00">'Using the RunServicesOnce key makes it stealthier against anti-trojan programs, which
usually do NOT check this key because it gets deleted automatically.</font><br>
<br>
Note that all the filenames and file paths are fully configurable, so this is only the default
installation of YAT.<br>
<br>
<font size="2"><u>Removal</u>:</font><br>
<br>
Delete <font color="#00CCFF">HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Batterieanzeige</font>
<b>and</b> <b><font color="#00CCFF">ÿ.bat</font></b>, and change <b><font color="#00CCFF">system.ini</font></b>
back.</font></p>
</div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></blockquote>
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<p><font face="Verdana" size="2">*
<font color="#FFFF00">Incommand
1.3 <br>
</font></font></p>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<blockquote>
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<p><font face="Verdana" size="2">Copies
to C:\WINDOWS\Msie50h.exe
</font></p>
<p><font face="Verdana" size="1" color="#00CCFF">
</font><font size="1" face="Verdana, Arial, Helvetica, sans-serif">Win.ini</font><br>
<font face="Verdana" size="1" color="#00CCFF">run=Msie50h.exe
<br>
<br>
</font><font face="Verdana" size="1">Version
Info of the File :
<font color="#00CCFF">1.3.0.32824</font><br>
Product Name : <font color="#00CCFF">Microsoft
Internet Explorer
Advanced Settings
Module </font></font></p>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</blockquote>
</div>
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<p><font face="Verdana" size="2">*
<font color="#FFFF00">Barock
1.0 <br>
</font></font></p>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<blockquote>
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<p><font face="Verdana" size="2">Copies
to C:\WINDOWS\</font><font face="Verdana, Arial, Helvetica, sans-serif" size="2">SYSTEM\WCheckUp.exe</font><font face="Verdana" size="2">
</font></p>
<p><font face="Verdana" size="1" color="#00CCFF">
</font><font face="Verdana" size="1"><font size="1" face="Verdana, Arial, Helvetica, sans-serif" color="#00CCFF">[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"WCheckUp"="C:\WINDOWS\SYSTEM\WCheckUp.exe"
</font></font></p>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</blockquote>
</div>
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<p><font face="Verdana" size="2">*
<font color="#FFFF00">Net
Controller 1.08</font></font></p>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<blockquote>
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<p><font face="Verdana" size="2">Copies
to C:\WINDOWS\</font><font face="Verdana, Arial, Helvetica, sans-serif" size="2">system.exe</font><font face="Verdana" size="2">
</font></p>
<p><font face="Verdana" size="1" color="#00CCFF">
</font><font face="Verdana" size="1" color="#00CCFF">[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"System"="C:\\WINDOWS\\System.exe"</font></p>
<p><font face="Verdana" size="1">The
server has to be started
from the C drive,
otherwise it will fail
to install itself
successfully.</font></p>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</blockquote>
</div>
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<p><font face="Verdana" size="2">*
<font color="#FFFF00">Intruse
Pack 1.27b<br>
</font></font></p>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<blockquote>
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<p><font face="Verdana" size="2">Copies
to C:\WINDOWS\</font><font face="Verdana, Arial, Helvetica, sans-serif" size="2">SYSTEM\nameoftheserver.exe</font><font face="Verdana" size="2">
</font></p>
<p><font face="Verdana" size="1" color="#00CCFF">
</font><font face="Verdana" size="1"><font face="Verdana" size="1" color="#00CCFF">[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Wind"="C:\\WINDOWS\\SYSTEM\\Nameoftheserver.EXE"
</font></font></p>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</blockquote>
</div>
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<p><font face="Verdana" size="2">*
<font color="#FFFF00">Prosiak
0.70 Beta 5<br>
</font></font></p>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<blockquote>
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<p><font face="Verdana" size="2">Copies
to C:\WINDOWS\</font><font face="Verdana, Arial, Helvetica, sans-serif" size="2">SYSTEM\</font><font face="Verdana" size="2">prosiak_trojan.exe
</font></p>
<p><font face="Verdana" size="1" color="#00CCFF">
</font><font face="Verdana" size="1"><font face="Verdana" size="1" color="#00CCFF">[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Trojan horse"="prosiak_trojan.exe"
<br>
<br>
</font><font face="Verdana" size="1">'Note:
this is the default
key and it is very likely
to be changed.</font></font></p>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</blockquote>
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<p><font face="Verdana" size="2">*
<font color="#FFFF00">Asylium
Family (0.1 & 0.11
& 0.12 & 0.13)<br>
</font></font></p>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<blockquote>
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<div align="left">
<p><font face="Verdana" size="2">Copies
to C:\WINDOWS\</font><font face="Verdana, Arial, Helvetica, sans-serif" size="2">SYSTEM\</font><font face="Verdana" size="2">wincmp32.exe
</font></p>
<p><font face="Verdana" size="1" color="#00CCFF">
</font><font face="Verdana" size="1"></font><font face="Verdana" size="1" color="#00CCFF">[System.ini]<br>
shell=explorer.exe wincmp32.exe</font></p>
<p><font face="Verdana" size="1">This
is the default starting
method; note that these
are fully customisable,
including the filename
and the registry key names.</font></p>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</blockquote>
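<p><font face="Verdana" size="2">Every entry in this database boils down to one of a few autostart locations: the Run, RunOnce, RunServices and RunServicesOnce registry keys, load= and run= in win.ini, shell= in system.ini, and (for YAT) a stray one-character command appended to autoexec.bat or written into winstart.bat. The Python script below is an added example, not part of the original FAQ or of any of the tools it describes, that audits text copies of those locations against the filenames listed above. The sample win.ini, system.ini, autoexec.bat and REGEDIT4 export it runs over are constructed here to mirror the Incommand, Asylium, YAT and Subseven entries; the filename list and key names are taken from the entries above, and everything else (function names, reason strings) is the example's own.</font></p>

```python
"""Audit Windows 9x autostart locations for the trojan indicators listed in this FAQ.
Added example, not part of the original page; the SAMPLE_* inputs are constructed."""
import re
from typing import List, Tuple

# Filenames from the removal entries above, compared case-insensitively by basename.
KNOWN_BAD = {
    "rundlls.exe", "pcx.exe", "system.sys", "kernel16.exe", "zcn32.exe", "dkbdll.exe",
    "dlls32.exe", "rsrcnrs.exe", "msrexe.exe", "ncharge.exe", "msie50h.exe",
    "wcheckup.exe", "system.exe", "prosiak_trojan.exe", "wincmp32.exe",
}
# Autostart keys used by the entries above, matched as suffixes of an exported key path.
AUTOSTART_KEYS = ("\\run", "\\runonce", "\\runservices", "\\runservicesonce")

Finding = Tuple[str, str, str]  # (location, raw value, reason)


def basename(token: str) -> str:
    """Lower-cased last path component; collapses the doubled backslashes of .reg exports."""
    token = token.replace("\\\\", "\\").strip().strip('"')
    return token.rsplit("\\", 1)[-1].lower()


def executables_in(value: str) -> List[str]:
    """Program names in a load=/run=/shell= value. str.split() swallows any amount of
    whitespace, so YAT's 'very large space' padding hides nothing. Switches such as
    /NOMSG are dropped; quoted paths containing spaces are not handled."""
    return [basename(tok) for tok in value.split() if not tok.startswith("/")]


def flag(exes: List[str], otherwise: str) -> str:
    """Prefer the strong 'known filename' reason, else the caller's weaker one."""
    return "known trojan filename" if any(e in KNOWN_BAD for e in exes) else otherwise


def audit_ini(name: str, text: str) -> List[Finding]:
    """win.ini: any non-empty load=/run= deserves a look. system.ini: shell= must be
    exactly explorer.exe; anything appended to it is started alongside the shell."""
    findings: List[Finding] = []
    for line in text.splitlines():
        if "=" not in line or line.lstrip().startswith(";"):
            continue
        key, _, value = line.partition("=")
        key, value = key.strip().lower(), value.strip()
        exes = executables_in(value)
        if name == "win.ini" and key in ("load", "run") and value:
            findings.append((f"{name} {key}=", value, flag(exes, "non-empty autostart value")))
        elif name == "system.ini" and key == "shell" and exes != ["explorer.exe"]:
            findings.append((f"{name} {key}=", value, flag(exes, "shell= is not exactly explorer.exe")))
    return findings


def audit_batch(name: str, text: str) -> List[Finding]:
    """Flag batch lines whose command name is not plain ASCII, like the lone 'ÿ' that
    YAT appends to autoexec.bat and writes into winstart.bat so ÿ.bat is found via PATH."""
    findings: List[Finding] = []
    for number, line in enumerate(text.splitlines(), 1):
        tokens = line.split()
        if tokens and not tokens[0].isascii():
            findings.append((f"{name} line {number}", line.strip(), "non-ASCII command name"))
    return findings


def audit_reg_export(text: str) -> List[Finding]:
    """Report every value under an autostart key in a REGEDIT4 export, naming known files."""
    findings: List[Finding] = []
    current_key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            current_key = key if key.lower().endswith(AUTOSTART_KEYS) else None
            continue
        match = re.match(r'"([^"]+)"="(.*)"$', line)
        if current_key is None or not match:
            continue
        value_name, data = match.groups()
        otherwise = ("RunServicesOnce entry: the key is cleared after boot, so something re-creates it"
                     if current_key.lower().endswith("\\runservicesonce") else "autostart entry, verify manually")
        findings.append((f"{current_key}\\{value_name}", data, flag(executables_in(data), otherwise)))
    return findings


# Constructed samples mirroring the Incommand, Asylium, YAT and Subseven entries above.
SAMPLE_WIN_INI = "[windows]\nload=\nrun=                                  C:\\WINDOWS\\Msie50h.exe\n"
SAMPLE_SYSTEM_INI = "[boot]\nshell=explorer.exe wincmp32.exe\n[386Enh]\ndevice=*vshare\n"
SAMPLE_AUTOEXEC = "@ECHO OFF\r\nPATH C:\\WINDOWS;C:\\WINDOWS\\COMMAND\r\n\u00ff\r\n"
SAMPLE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"Winloader"="MSREXE.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]
"Batterieanzeige"="F:\\Directory_where_ran\\NCHARGE.exe /nomsg"
"""


def audit_all() -> List[Finding]:
    """Run every check over the constructed samples and return the combined findings."""
    return (audit_ini("win.ini", SAMPLE_WIN_INI) + audit_ini("system.ini", SAMPLE_SYSTEM_INI)
            + audit_batch("autoexec.bat", SAMPLE_AUTOEXEC) + audit_reg_export(SAMPLE_REG))


if __name__ == "__main__":
    for location, value, reason in audit_all():
        print(f"{reason:45} {location} -> {value!r}")
```

<p><font face="Verdana" size="2">Run it as-is to see the findings for the samples, or replace the SAMPLE_* strings with the contents of the real files (regedit's Export Registry File produces the REGEDIT4 format the parser expects). Any non-empty load=/run= value and anything other than a bare explorer.exe in shell= is reported even when the filename is not in the list, since several entries above point out that the filenames and key names are configurable; the list only upgrades the reason to a known match.</font></p>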
<p><font face="Verdana" size="2"><b>1.5 Useful URLs</b><br>
<br>
</font></p>
</div>
</div><div align="left"> <blockquote> <div align="left"><font face="Verdana" size="2">AVP, definitely the BEST<i> all-round</i> scanner, is available at<br> <a href="http://www.avp.com">http://www.avp.com</a></font> </div>
<div align="left"> <div align="center"> <div align="left"><font face="Verdana" size="2"><br> AtGuard firewall, to prevent inbound connections to servers and for other security-related issues. <a href="http://www.atguard.com">http://www.atguard.com</a></font></div></div></div>
<div align="left"> <div align="center"> <div align="left"><font face="Verdana" size="2"><br> Trojan Defence Suite, a complete anti-trojan suite.<br></font><a href="http://www.multimania.com/ilikeit/tds2.htm"><font size="2" face="Verdana">http://www.multimania.com/ilikeit/tds2.htm</font></a><font face="Verdana" size="2"><br>
</font></div>
</div></div><div align="left"> <div align="center"> <div align="left"><font face="Verdana" size="2"><br><br></font></div></div></div>
<div align="left"> <div align="center">
<div align="left"><font face="Verdana" size="2"><br>
</font><font face="Verdana" size="2"> <br>
</font></div>
</div>
</div>
<div align="left">
<div align="center">
<div align="left">
<p><font face="Verdana" size="2"> <u>This FAQ is copyright TLSecurity
(Int_13h) </u> <br>
Contact me by e-mail at <a href="mailto:Webmaster@TLSecurity.net">Int_13h</a><br>
<br>
</font><font face="Verdana" size="2">Do you want to contribute
something, a port number, a removal key, or have you spotted an error?
Make sure to mail me.<br>
</font></p>
<p align="left"><font face="Verdana" size="2"><FYN></font></p>
<p align="left"><font face="Verdana" size="2" color="#990033"><b><font color="#00FF00">©
TL S e c u r i t y</font></b></font><font face="Verdana" size="2"><a href="http://www.TLSecurity.net/"><br>
http://www.TLSecurity.net</a></font></p>
</div>
</div>
</div>
</blockquote>
</div>
</table><br></body></html>