Backdoor.Spookdoor is a Trojan horse that opens a back door and allows unauthorized access to the compromised computer.
When Backdoor.Spookdoor is executed, it performs the following actions.
1. Creates a copy of itself as %Windir%\help\BHY1978.CHI.
Note: %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.
2. May create a copy of itself in the %System% folder. It has been reported that the file name is selected by the attacker.
Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
3. May also add a value to the registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
so that the risk runs every time Windows starts.
Note: The value added may vary, as selected by the attacker.
4. Opens a back door and listens on a random port number.
5. Allows a remote attacker to perform any of the following actions:
* Upload and download files through FTP.
* Open a shell and run commands.
* Capture screen and Web cam images.
* Open a web browser.
REMOVAL INSTRUCTIONS
Source: http://securityresponse.symantec.com/avcenter/venc/data/backdoor.spookdoor.html
To delete the value from the registry:
1. Click Start > Run.
2. Type regedit
3. Click OK.
Note: If the registry editor fails to open, the threat may have modified the registry to prevent access to the registry editor. Security Response has developed a tool to resolve this problem. Download and run this tool, and then continue with the removal.
4. Navigate to the subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
5. In the right pane, delete the values that reference the files noted in step 3c.
6. Exit the Registry Editor.
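The script below is an added example and is not part of the Symantec writeup or the removal instructions. It checks a host for the indicators described above (the copy under %Windir%\help, a RunServices value, and a listening port) and, with the -Remove switch, deletes the RunServices values that reference the dropped file, which is what removal step 5 asks the reader to do by hand. The file name and registry key come from the writeup; the function names, the -Remove switch, and the requirement for an elevated PowerShell 3+ session (with Get-NetTCPConnection available for the port listing) are this example's own assumptions.

```powershell
# Added example, not part of the Symantec writeup: audits a Windows host for the
# Backdoor.Spookdoor indicators listed above (dropped file under %Windir%\help,
# RunServices value, listening port) and, with -Remove, deletes the matching
# RunServices values as the removal steps describe.
# Assumptions (this example's own, not the advisory's): PowerShell 3 or later,
# an elevated session for -Remove, and Get-NetTCPConnection being available for
# the port listing (Windows 8 / Server 2012 and later).
param([switch]$Remove)

$IndicatorFile  = 'BHY1978.CHI'   # file name from step 1 of the writeup
$RunServicesKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices'

function Test-SpookdoorFile {
    # Step 1: the Trojan copies itself to %Windir%\help\BHY1978.CHI
    $path = Join-Path $env:WINDIR "help\$IndicatorFile"
    if (Test-Path -LiteralPath $path) {
        Write-Warning "Dropped file present: $path"
        return $true
    }
    Write-Host "[ok] $path not found"
    return $false
}

function Get-RunServicesValues {
    # Returns Name/Data pairs for every value under RunServices. The key is
    # normally absent on NT-based Windows, which is itself a clean result.
    if (-not (Test-Path -LiteralPath $RunServicesKey)) { return @() }
    $props = Get-ItemProperty -LiteralPath $RunServicesKey
    $props.PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |     # drop provider metadata
        ForEach-Object { [pscustomobject]@{ Name = $_.Name; Data = [string]$_.Value } }
}

function Find-SuspectRunServicesValues {
    # Step 3: the value name is attacker-chosen, so match on the data instead:
    # flag values that reference the known file name or the %Windir%\help folder.
    $helpDir = [regex]::Escape((Join-Path $env:WINDIR 'help'))
    Get-RunServicesValues | Where-Object {
        $_.Data -match [regex]::Escape($IndicatorFile) -or $_.Data -match $helpDir
    }
}

function Get-ListeningPorts {
    # Step 4: the back door listens on a random port, so there is no fixed port
    # to match; list every listener with its owning process for manual review.
    if (-not (Get-Command Get-NetTCPConnection -ErrorAction SilentlyContinue)) { return @() }
    Get-NetTCPConnection -State Listen | ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Port    = $_.LocalPort
            PID     = $_.OwningProcess
            Process = $proc.ProcessName
            Path    = $proc.Path
        }
    } | Sort-Object Port
}

# --- main ---
$fileHit   = Test-SpookdoorFile
$allValues = @(Get-RunServicesValues)
$suspects  = @(Find-SuspectRunServicesValues)

# Every RunServices value is printed because the writeup says the value name varies.
Write-Host "RunServices values present: $($allValues.Count)"
$allValues | ForEach-Object { Write-Host ("    {0} = {1}" -f $_.Name, $_.Data) }

foreach ($s in $suspects) {
    Write-Warning "RunServices value '$($s.Name)' references the Spookdoor file: $($s.Data)"
    if ($Remove) {
        # Removal step 5: delete the value that references the dropped file
        Remove-ItemProperty -LiteralPath $RunServicesKey -Name $s.Name
        Write-Host "    removed value '$($s.Name)'"
    }
}

Write-Host "Listening TCP ports (review unknown processes; the back door uses a random port):"
Get-ListeningPorts | Format-Table -AutoSize | Out-String | Write-Host

# Non-zero exit when either indicator was found, so the script can be run from a job.
if ($fileHit -or $suspects.Count -gt 0) { exit 1 } else { exit 0 }
```

Run it first without -Remove to see what it reports; only the RunServices values whose data mention BHY1978.CHI or the %Windir%\help folder are deleted by -Remove, and the dropped file itself is left for the antivirus product to quarantine, matching the order of the removal instructions. Because the back door's port is random, the port listing is a review aid rather than a signature: an unfamiliar process name or path on a listening port is what to look into.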