Backdoor.Homutex is a Trojan horse with back door capabilities that allows a remote attacker to have unauthorized access to the compromised computer.
When Backdoor.Homutex is executed, it performs the following actions:
1. Creates a mutex named "HorseMutexExTest" so that only one copy of the threat runs on the infected computer.
2. Drops the following files:
* %System%\abcedg21.dll
* %System%\drivers\usbcamd0.sys
Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
3. Adds the value:
"PackedCatalogItem" = "%System%\abcedg21.dll"
to the registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000[TWO RANDOM DIGITS]
to add a layered service provider (LSP) to the system TCP/IP stack.
The installed LSP may allow a remote attacker to monitor network traffic on the compromised computer.
4. Attempts to send the following information to a remote server by connecting to 218.57.142.210 on TCP port 1443:
* Operating system version
* CPU Speed
* Memory Size
* MAC address
* IP address
* Computer Name
* User Name
5. Opens a back door by connecting to 218.57.142.210 on TCP port 1444 and allows a remote attacker to perform unauthorized actions on the compromised computer.
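A defender-side check for steps 4 and 5, added here as an example and not part of the Symantec writeup: it parses a firewall connection log and flags outbound TCP connections to 218.57.142.210 on ports 1443 and 1444, reporting which internal hosts tried to call home. Only the destination address and the two ports come from the writeup; the log format, internal addresses and timestamps are constructed, and the parser is written for a generic "src:port -> dst:port" export, so the regular expression is the part to adapt to a real firewall or NetFlow schema.

```python
"""Flag outbound connections matching the Backdoor.Homutex network indicators.

Added example, not part of the Symantec writeup.  SAMPLE_LOG is a constructed
firewall export in a generic one-connection-per-line format.
"""
import ipaddress
import re
from dataclasses import dataclass

# Indicators taken from the writeup: one remote host, two TCP ports.
C2_HOST = ipaddress.ip_address("218.57.142.210")
C2_PORTS = {1443: "system-information upload", 1444: "back door"}

# Constructed sample log: "timestamp action proto src:port -> dst:port".
SAMPLE_LOG = """\
2004-03-01T10:00:01Z ALLOW TCP 10.0.0.15:49152 -> 218.57.142.210:1443
2004-03-01T10:00:02Z ALLOW TCP 10.0.0.15:49153 -> 218.57.142.210:1444
2004-03-01T10:00:03Z ALLOW TCP 10.0.0.22:50000 -> 93.184.216.34:443
2004-03-01T10:00:04Z DENY  TCP 10.0.0.31:51000 -> 218.57.142.210:1444
2004-03-01T10:00:05Z ALLOW UDP 10.0.0.15:53000 -> 10.0.0.1:53
malformed line that the parser must skip, not crash on
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|DENY)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


@dataclass(frozen=True)
class Hit:
    timestamp: str
    source: str
    port: int
    action: str
    meaning: str


def parse_line(line):
    """Return the fields of one log line, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def find_homutex_traffic(log_text):
    """Return every TCP connection attempt to the writeup's host and ports."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] != "TCP":
            continue
        dport = int(rec["dport"])
        if ipaddress.ip_address(rec["dst"]) == C2_HOST and dport in C2_PORTS:
            hits.append(Hit(rec["ts"], rec["src"], dport, rec["action"], C2_PORTS[dport]))
    return hits


def infected_hosts(hits):
    """Distinct internal sources; a DENY still means the host tried to connect."""
    return sorted({h.source for h in hits})


if __name__ == "__main__":
    found = find_homutex_traffic(SAMPLE_LOG)
    for h in found:
        print(f"{h.timestamp} {h.source} -> tcp/{h.port} ({h.meaning}) [{h.action}]")
    print("hosts to triage:", ", ".join(infected_hosts(found)))
```

A blocked connection counts as a hit on purpose: the firewall stopped the traffic, but the host that generated it is still running the Trojan and needs the removal steps below.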
Removal Instructions
See: http://securityresponse.symantec.com/avcenter/venc/data/backdoor.homutex.html
To delete the value from the registry:
1. Click Start > Run.
2. Type regedit, then click OK.
3. Navigate to the subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000[TWO RANDOM DIGITS]
4. In the right pane, reset the value:
"PackedCatalogItem" = "%System%\abcedg21.dll"
to the default value, which may be:
"PackedCatalogItem" = "%System%\msafd.dll"
5. Exit the Registry Editor.
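To verify the cleanup, and to audit every Catalog_Entries subkey rather than only the one the writeup names, the following script (an added example, not Symantec's) decodes the binary PackedCatalogItem value. Its first 260 bytes hold the provider DLL path as a NUL-terminated ANSI string, followed by a WSAPROTOCOL_INFOW structure whose ProtocolChain.ChainLen field distinguishes a base provider (1) from a layered provider (0) and a protocol chain (greater than 1). The sample blobs, their subkey names and the KNOWN_PROVIDER_DLLS allowlist are constructed assumptions; enumerate_live_catalog() reads the real key on Windows through the standard-library winreg module and is skipped elsewhere.

```python
"""Audit Winsock2 catalog entries for an unexpected layered service provider.

Added example, not part of the Symantec writeup.  PackedCatalogItem layout:
CHAR szLibraryPath[260] followed by WSAPROTOCOL_INFOW (628 bytes).
"""
import os
import struct
import sys

MAX_PATH = 260
WSAPROTOCOL_INFOW_SIZE = 628
# Offsets inside WSAPROTOCOL_INFOW, measured from the start of the blob:
CATALOG_ID_OFFSET = MAX_PATH + 36     # dwCatalogEntryId
CHAIN_LEN_OFFSET = MAX_PATH + 40      # ProtocolChain.ChainLen
CHAIN_ENTRIES_OFFSET = MAX_PATH + 44  # ProtocolChain.ChainEntries[7]
SZPROTOCOL_OFFSET = MAX_PATH + 116    # szProtocol, WCHAR[256]

# Assumed allowlist of stock Windows 2000/XP provider DLLs; extend for your estate.
KNOWN_PROVIDER_DLLS = {"msafd.dll", "mswsock.dll", "rsvpsp.dll", "winrnr.dll"}


def build_packed_catalog_item(library_path, catalog_id, chain_len, chain_entries, protocol_name):
    """Construct a PackedCatalogItem blob (used only to make offline test data)."""
    path = library_path.encode("ascii").ljust(MAX_PATH, b"\0")
    info = bytearray(WSAPROTOCOL_INFOW_SIZE)
    struct.pack_into("<I", info, 36, catalog_id)
    struct.pack_into("<i", info, 40, chain_len)
    for i, entry in enumerate(chain_entries[:7]):
        struct.pack_into("<I", info, 44 + 4 * i, entry)
    name = protocol_name.encode("utf-16-le")[:510]
    info[116:116 + len(name)] = name
    return path + bytes(info)


def parse_packed_catalog_item(blob):
    """Decode the fields a responder needs from one PackedCatalogItem value."""
    if len(blob) < MAX_PATH + WSAPROTOCOL_INFOW_SIZE:
        raise ValueError("PackedCatalogItem too short: %d bytes" % len(blob))
    library_path = blob[:MAX_PATH].split(b"\0", 1)[0].decode("latin-1")
    catalog_id = struct.unpack_from("<I", blob, CATALOG_ID_OFFSET)[0]
    chain_len = struct.unpack_from("<i", blob, CHAIN_LEN_OFFSET)[0]
    entries = struct.unpack_from("<7I", blob, CHAIN_ENTRIES_OFFSET)
    raw_name = blob[SZPROTOCOL_OFFSET:SZPROTOCOL_OFFSET + 512]
    protocol = raw_name.decode("utf-16-le", "replace").split("\0", 1)[0]
    return {
        "library_path": library_path,
        "catalog_id": catalog_id,
        "chain_len": chain_len,
        "chain": list(entries[:max(chain_len, 0)]),
        "protocol": protocol,
        "kind": {0: "layered", 1: "base"}.get(chain_len, "chain"),
    }


def is_suspicious(entry, known=KNOWN_PROVIDER_DLLS):
    """True when the provider DLL is not on the allowlist (a triage lead, not a verdict)."""
    dll = os.path.basename(entry["library_path"].replace("\\", "/")).lower()
    return dll not in known


def audit(entries):
    """Return (subkey, decoded entry) for every catalog entry that needs a look."""
    decoded = [(name, parse_packed_catalog_item(blob)) for name, blob in entries.items()]
    return [(name, e) for name, e in decoded if is_suspicious(e)]


def enumerate_live_catalog():
    """Read every Catalog_Entries subkey from the live registry (Windows only)."""
    import winreg  # standard library on Windows
    base = r"SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries"
    entries = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, base) as root:
        for i in range(winreg.QueryInfoKey(root)[0]):
            sub = winreg.EnumKey(root, i)
            with winreg.OpenKey(root, sub) as key:
                entries[sub] = winreg.QueryValueEx(key, "PackedCatalogItem")[0]
    return entries


# Constructed sample: a stock base provider, a layered provider pointing at the
# DLL named in the writeup, and a protocol chain that routes TCP/IP through it.
SAMPLE_ENTRIES = {
    "000000000001": build_packed_catalog_item(r"%SystemRoot%\system32\msafd.dll", 1001, 1, [1001], "MSAFD Tcpip [TCP/IP]"),
    "000000000002": build_packed_catalog_item(r"%System%\abcedg21.dll", 1002, 0, [], "constructed LSP"),
    "000000000003": build_packed_catalog_item(r"%System%\abcedg21.dll", 1003, 2, [1003, 1001], "MSAFD Tcpip [TCP/IP] (layered)"),
}

if __name__ == "__main__":
    source = enumerate_live_catalog() if sys.platform == "win32" else SAMPLE_ENTRIES
    for name, e in audit(source):
        print(f"{name}: {e['kind']:7} id={e['catalog_id']} chain={e['chain']} dll={e['library_path']} ({e['protocol']})")
```

The allowlist approach deliberately over-reports: personal firewalls and some antivirus products also register layered providers, so each flagged entry is a lead to check against the DLL's publisher and signature, not a conviction. Note that the chain entry (the third sample) points at the same DLL even though its protocol name still reads like the stock TCP/IP provider, which is why the script keys on the library path rather than on szProtocol.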