Webroot Antivirus: The best protection against viruses, spyware data theft and hackers.
Backdoor.G_Door.20
This backdoor uses standard client-server technology and includes two parts - client and server, both are Windows executable files (PE EXE). The backdoor server is installed on victim computers, and the client controls them from a remote station.
Installation
When the server is run on a victim computer, it installs itself into the system: it moves itself to the Windows system directory under the name KERNEL32.EXE and changes the following system registry keys:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] @="C:\\WIN98\\SYSTEM\\KERNEL32.EXE"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices] @="C:\\WIN98\\SYSTEM\\KERNEL32.EXE"
[HKEY_CLASSES_ROOT\txtfile\shell\open\command] @="C:\\WIN98\\SYSTEM\\KERNEL32.EXE %1"
[HKEY_LOCAL_MACHINE\Software\CLASSES\txtfile\shell\open\command] @="C:\\WIN98\\SYSTEM\\KERNEL32.EXE %1"
The name of the Windows system directory (here it is "C:\WIN98\SYSTEM") depends on the system configuration.
As a result of this registration in the system registry, the server starts automatically at boot time (the first two keys) and also each time a TXT file is opened (the two txtfile keys). In this way, the server starts on Windows start-up and is restarted if a user unloads its process from memory.
Moreover, the server continuously (about every 10 seconds) checks its registry keys. If these keys are changed (the reference to the server file is deleted), the server restores them to the "infected" state.
As a result, removing the backdoor server is not a simple task: the KERNEL32.EXE server file cannot be deleted or renamed while it is running (it is active and locked by the system), and the registry keys are guarded by the server (so the system cannot be rebooted with a "clean" registry).
Under Win9x, to get rid of this backdoor, boot the computer in DOS mode and delete the KERNEL32.EXE file from the Windows system directory; after booting Windows, remove the references to this file from the system registry. Under WinNT, kill the backdoor's process in Windows memory, then delete the server EXE file and clear the system registry keys.
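As an added illustration (not Webroot's code), the following Python snippet scans a registry export for the four persistence entries described above: a KERNEL32.EXE file referenced from the Run/RunServices keys or from the txtfile open handler. The .reg-style text is a constructed sample, and the system directory path in it is hypothetical.

```python
import re

# Constructed sample of a .reg-style export, modelled on the keys the
# description lists. Three entries point at the backdoor file; the fourth
# txtfile key still holds a normal text-editor handler for contrast.
SAMPLE_REG_EXPORT = r"""
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
@="C:\\WIN98\\SYSTEM\\KERNEL32.EXE"
"SystemTray"="SysTray.Exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
@="C:\\WIN98\\SYSTEM\\KERNEL32.EXE"

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="C:\\WIN98\\SYSTEM\\KERNEL32.EXE %1"

[HKEY_LOCAL_MACHINE\Software\CLASSES\txtfile\shell\open\command]
@="C:\\WIN98\\NOTEPAD.EXE %1"
"""

# The four keys the description says the server writes and then guards.
WATCHED_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
    r"hkey_classes_root\txtfile\shell\open\command",
    r"hkey_local_machine\software\classes\txtfile\shell\open\command",
}


def parse_reg_export(text):
    """Return {key (lower-case): {value_name: data}} from a .reg-style export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys[current] = {}
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            # .reg files double every backslash inside quoted string data.
            keys[current][name.strip('"')] = data.strip().strip('"').replace("\\\\", "\\")
    return keys


def find_g_door_persistence(reg_text):
    """List (key, value_name, data) entries that reference a KERNEL32.EXE file."""
    findings = []
    for key, values in parse_reg_export(reg_text).items():
        if key not in WATCHED_KEYS:
            continue
        for name, data in values.items():
            # The genuine KERNEL32 is a DLL; an EXE of that name in an autorun
            # key or as the .txt handler matches the behaviour described above.
            if re.search(r"\\KERNEL32\.EXE(\s|$)", data.upper()):
                findings.append((key, name, data))
    return findings
```

Because the server rewrites these keys every few seconds, a check of this kind should be repeated after the process is killed, since a single clean result before that proves little.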
Server
To accept connections from the client component, the backdoor server uses port 7626 and periodically listens on it. Once a client is connected, the server executes the client's commands and hands over control of the victim computer: it manipulates the victim's file system (copies, moves, deletes, creates files, etc.).
Client
The client is able to scan a configured subnet for active servers. On connection to a server, the client gains control over the victim computer's resources. The client GUI is in Chinese.
Copyright @2006 backdoor.g_door.2