Backdoor.Berbew.T is a Trojan that opens a back door to allow a remote attacker unauthorized access to the compromised computer.
When Backdoor.Berbew.T is executed, it performs the following actions:
1. Creates the following files:
* %System%\[RANDOM NAME].dll
* %System%\[RANDOM NAME].exe
Or:
* %System%\[RANDOM NAME]32.dll
* %System%\[RANDOM NAME]32.exe
Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
2. Adds the value:
"InProcServer32" = "%System%\[RANDOM NAME].dll"
to the registry subkey:
HKEY_CLASSES_ROOT\CLSID\{F28A40D7-AD0E-034A-C651-5F0ED76232E6}
This registers the dropped DLL as the in-process COM server for that CLSID; the ShellServiceObjectDelayLoad entry added in step 4 makes Explorer load the CLSID, and therefore the DLL, every time Windows starts.
3. Adds the value:
"tmp" = "[ORIGINAL TROJAN FILE NAME].exe"
to the registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Direct3D
as an infection marker.
4. Adds the value:
"Internet Explorer" = "{F28A40D7-AD0E-034A-C651-5F0ED76232E6}"
to the registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
Explorer loads every CLSID listed under this subkey at startup, so this entry is what causes the DLL registered in step 2 to be loaded.
5. Opens a back door on a random port to allow the remote attacker to have unauthorized access to the compromised computer. The attacker may be able to perform the following actions on the compromised computer:
* Start a covert proxy server
* Download and execute remote files
6. Uses rootkit technology to hide its processes, files, and registry subkeys.
REMOVAL INSTRUCTIONS
See:
http://securityresponse.symantec.com/avcenter/venc/data/backdoor.berbew.t.html
To delete the values from the registry:
1. Click Start > Run.
2. Type regedit
3. Click OK.
4. Navigate to the subkey:
HKEY_CLASSES_ROOT\CLSID\{F28A40D7-AD0E-034A-C651-5F0ED76232E6}
5. In the right pane, delete the value:
"InProcServer32" = "%System%\[RANDOM NAME].dll"
6. Navigate to the subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Direct3D
7. In the right pane, delete the value:
"tmp" = "[ORIGINAL TROJAN FILE NAME].exe"
8. Navigate to the subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
9. In the right pane, delete the value:
"Internet Explorer" = "{F28A40D7-AD0E-034A-C651-5F0ED76232E6}"
10. Exit the Registry Editor.
Note: Because the Trojan hides its registry subkeys (action 6 above), these values may not be visible in Registry Editor on a running infected system; if they cannot be found, inspect the hives from a clean boot environment. Deleting the values stops the DLL from being loaded at the next startup but does not remove the dropped files in %System%.
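The following script is an added example and is not part of the Symantec write-up. It checks the three registry locations listed in actions 2 to 4 for the documented indicators and, with -Remove, deletes what the removal steps above delete. The key paths and the CLSID come from the write-up; the function name Get-RegValue and the report layout are this example's own. Run it from an elevated PowerShell prompt. The write-up lists InProcServer32 as a value under the CLSID key, while standard COM registration stores the DLL path as the default value of an InProcServer32 subkey, so the script checks both shapes.

```powershell
# Added example, not from the Symantec write-up: report (and with -Remove, delete)
# the registry artifacts documented for Backdoor.Berbew.T. Run elevated.
# Because the script supports ShouldProcess, -WhatIf previews the deletions.
[CmdletBinding(SupportsShouldProcess = $true)]
param([switch]$Remove)

$Clsid    = '{F28A40D7-AD0E-034A-C651-5F0ED76232E6}'
$ClsidKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid"
$SsodlKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
$MarkKey  = 'HKLM:\SOFTWARE\Microsoft\Direct3D'

function Get-RegValue {
    # Data of a named value, or $null when the key or the value does not exist.
    param([string]$Key, [string]$Name)
    if (-not (Test-Path -LiteralPath $Key)) { return $null }
    $item = Get-ItemProperty -LiteralPath $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

$findings = @()

# Action 2: the CLSID's in-process server. Check the value shape the write-up
# describes first, then the standard InProcServer32 subkey / default value shape.
$dllKey  = $ClsidKey
$dllName = 'InProcServer32'
$dll = Get-RegValue -Key $dllKey -Name $dllName
if ($null -eq $dll) {
    $dllKey  = "$ClsidKey\InProcServer32"
    $dllName = '(default)'
    $dll = Get-RegValue -Key $dllKey -Name $dllName
}
if ($dll) {
    # The rootkit component hides files, so "not visible" does not mean "absent".
    $visible = Test-Path -LiteralPath ([Environment]::ExpandEnvironmentVariables($dll))
    $findings += [pscustomobject]@{ Item = 'CLSID InProcServer32'; Key = $dllKey; Name = $dllName; Data = $dll; FileVisible = $visible }
}

# Action 3: infection marker.
$tmp = Get-RegValue -Key $MarkKey -Name 'tmp'
if ($tmp) {
    $findings += [pscustomobject]@{ Item = 'Direct3D tmp marker'; Key = $MarkKey; Name = 'tmp'; Data = $tmp; FileVisible = $null }
}

# Action 4: Explorer autostart. Match on the CLSID data rather than on the value
# name "Internet Explorer", so a renamed entry pointing at the same CLSID is caught.
if (Test-Path -LiteralPath $SsodlKey) {
    $key = Get-Item -LiteralPath $SsodlKey
    foreach ($name in $key.GetValueNames()) {
        if ($name -ne '' -and "$($key.GetValue($name))" -ieq $Clsid) {
            $findings += [pscustomobject]@{ Item = 'SSODL autostart'; Key = $SsodlKey; Name = $name; Data = $Clsid; FileVisible = $null }
        }
    }
}

if (-not $findings) {
    Write-Host 'No Berbew.T registry artifacts visible. The rootkit may hide them; verify from a clean boot.'
    return
}
$findings | Format-Table Item, Key, Name, Data, FileVisible -AutoSize

if ($Remove) {
    foreach ($f in $findings) {
        if ($f.Name -eq '(default)') {
            # Subkey shape: the DLL path is the default value, so remove the subkey.
            Remove-Item -LiteralPath $f.Key -Force
        } else {
            Remove-ItemProperty -LiteralPath $f.Key -Name $f.Name -Force
        }
    }
    Write-Host 'Registry artifacts removed. Reboot, then remove the dropped %System% files.'
}
```

Run it once without -Remove to see what is present, then with -Remove -WhatIf to preview the deletions before committing them. The script removes only the registry entries the write-up's removal steps cover; the dropped .dll and .exe in %System% still have to be deleted, and the SSODL entry should be gone before the reboot so Explorer does not load the DLL again.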