The backdoor provides a remote malicious user with the ability to perform the following actions on the victim machine:
- launch an HTTP proxy on the victim machine
- add/delete/launch/stop system services
- gain total access to the hard disk (view folder contents, copy/rename/delete files, download and upload files to/from the victim machine)
- launch processes
- execute arbitrary console commands on the victim machine
- access/create/delete/edit registry keys and their parameters
- get the following information about the system: operating system version, processor type and frequency.
If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:
- Use Task Manager to terminate the backdoor process.
- Delete the original backdoor file (the location will depend on how the program originally penetrated the victim machine).
- Delete the following file:
%System%\winlog.exe
- Delete the following parameter from the system registry (see "What is a system registry and how do I use it" for details on how to edit the registry):
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] "Shell" = "Explorer.exe %System%\winlog.exe"
- Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).
This Trojan provides a remote malicious user with access to the victim machine. It is a Windows PE EXE file. Modifications of this program's components vary in size, from 9KB to 62KB.
Installation
When launched, the backdoor copies its executable file to the Windows system directory:
%System%\winlog.exe
It registers its executable in the system registry as the Winlogon shell, so that it is started together with Explorer.exe at every logon:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] "Shell" = "Explorer.exe %System%\winlog.exe"
The original file will then be deleted.
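As an added example that is not part of the original description, the following PowerShell script checks a host for the persistence entry and the dropped file described above and previews the removal step. The key path, the file name and the default `explorer.exe` shell value come from the page; the function name is my own.

```powershell
# Added example, not from the original description: check a host for the
# Winlogon "Shell" hijack and the dropped %System%\winlog.exe this backdoor uses.
$WinlogonKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$DefaultShell = 'explorer.exe'                                  # clean value is just Explorer
$DroppedFile  = Join-Path $env:SystemRoot 'System32\winlog.exe' # %System%\winlog.exe

function Test-WinlogonShell {
    # Returns the current Shell value and whether it deviates from the default.
    $shell = (Get-ItemProperty -Path $WinlogonKey -Name Shell -ErrorAction SilentlyContinue).Shell
    if (-not $shell) {
        # No value at all: Winlogon falls back to explorer.exe, nothing appended.
        return [pscustomobject]@{ Value = $null; Tampered = $false }
    }
    # PowerShell string comparison is case-insensitive, so a clean "Explorer.exe" matches.
    # Anything beyond the bare default (e.g. an appended "%System%\winlog.exe") is a hit.
    [pscustomobject]@{ Value = $shell; Tampered = ($shell.Trim() -ne $DefaultShell) }
}

$result = Test-WinlogonShell
if ($result.Tampered) {
    Write-Warning "Winlogon Shell = '$($result.Value)' (expected '$DefaultShell')"
} else {
    Write-Output 'Winlogon Shell value is clean.'
}

# Running process named winlog (the copied executable), if any.
Get-Process -Name winlog -ErrorAction SilentlyContinue |
    Select-Object Id, ProcessName, Path

# Dropped file; Length can be compared with the 9KB to 62KB range given above.
if (Test-Path -LiteralPath $DroppedFile) {
    Get-Item -LiteralPath $DroppedFile | Select-Object FullName, Length, LastWriteTime
    Get-FileHash -LiteralPath $DroppedFile -Algorithm SHA256 | Select-Object Hash
}

# Remediation mirroring the removal step above: delete the hijacked value so
# Winlogon reverts to the default shell. -WhatIf only previews the change.
if ($result.Tampered) {
    Remove-ItemProperty -Path $WinlogonKey -Name Shell -WhatIf
}
```

Run from an elevated prompt; drop `-WhatIf` only after the backdoor process has been terminated, otherwise it may re-create the value.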
Payload