AlphaOne Technology Support Forums
Author Topic: Backdoor.Mepcod  (Read 407 times)
TJ
Tech Team
Backdoor.Mepcod
« on: August 26, 2005, 10:20:29 PM »

Backdoor.Mepcod is a Trojan horse that opens a back door and downloads a file containing additional commands.

When Backdoor.Mepcod is executed, it performs the following actions:

   1. Copies itself as the following file:

      %Windir%\McAfeeScanPlus.exe

      Note: %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.

   2. Drops the following file and opens it with mspaint.exe:

      %CurrentFolder%\me.bmp

      Note: %CurrentFolder% is a variable that refers to the folder where the risk was originally executed.

   3. Creates the following file, which is used to log account information:

      %Windir%\winlogon9.log

   4. Adds the value:

      "McAfeeScanPlus" = "%Windir%\McAfeeScanPlus.exe"

      to the registry subkey:

      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

      so that the risk runs every time Windows starts.

   5. Adds the value:

      "%Windir%\McAfeeScanPlus.exe" = "%Windir%\McAfeeScanPlus.exe:*:Enabled:McAfeeScanPlus"

      to the registry subkey:

      HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List

      to enable the backdoor functionality.

   6. Attempts to download files from [http://]diji-realm.net/[REMOVED]/BN2005/LogMe.php.

   7. Attempts to download additional commands from [http://]diji-realm.net/[REMOVED]/BN2005/binfo.txt.

REMOVAL INSTRUCTIONS
See: http://securityresponse.symantec.com/avcenter/venc/data/backdoor.mepcod.html


To delete the value from the registry
   1. Click Start > Run.
   2. Type regedit, then click OK.
   3. Navigate to the subkey:

      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

   4. In the right pane, delete the value:

      "McAfeeScanPlus" = %Windir%\McAfeeScanPlus.exe

   5. Navigate to the subkey:

      HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List

   6. In the right pane, delete the value:

      "%Windir%\McAfeeScanPlus.exe" = "%Windir%\McAfeeScanPlus.exe:*:Enabled:McAfeeScanPlus"

   7. Exit the Registry Editor.
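The following PowerShell script is an added example, not part of the original post or of Symantec's writeup. It checks a host for the host-based indicators listed above (the two dropped files, the Run value, and the Windows Firewall exception) and, only when run with -Remove, deletes the two registry values exactly as the manual removal steps describe. The script name, the $findings structure and the -Remove switch are the example's own choices; the paths and value names come from the alert.

```powershell
# Check-Mepcod.ps1 (hypothetical name) - report Backdoor.Mepcod indicators; -Remove deletes
# the two registry values from the removal steps. Run from an elevated PowerShell prompt.
param(
    [switch]$Remove   # default is report-only; nothing is changed without this switch
)

$windir = $env:WINDIR
$exe    = Join-Path $windir 'McAfeeScanPlus.exe'   # step 1: dropped copy of the backdoor
$log    = Join-Path $windir 'winlogon9.log'        # step 3: account-information log

# Registry locations named in steps 4 and 5 of the alert
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$fwSub  = 'SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'

$findings = @()

# Dropped files: report only. The page's removal steps cover the registry values,
# so file cleanup is left to the AV product or to the analyst.
foreach ($f in @($exe, $log)) {
    if (Test-Path -LiteralPath $f) {
        $findings += "File present: $f"
    }
}

# Persistence: "McAfeeScanPlus" value under the Run key (step 4)
$runVal = Get-ItemProperty -Path $runKey -Name 'McAfeeScanPlus' -ErrorAction SilentlyContinue
if ($runVal) {
    $findings += "Run value 'McAfeeScanPlus' = $($runVal.McAfeeScanPlus)"
    if ($Remove) {
        Remove-ItemProperty -Path $runKey -Name 'McAfeeScanPlus'
        $findings += "  -> removed Run value"
    }
}

# Firewall exception (step 5). The value NAME is the full exe path, which contains
# backslashes, so the .NET registry API is used to address it unambiguously.
$fwKey = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($fwSub, $Remove.IsPresent)
if ($fwKey) {
    $fwData = $fwKey.GetValue($exe)
    if ($fwData) {
        $findings += "Firewall exception '$exe' = $fwData"
        if ($Remove) {
            $fwKey.DeleteValue($exe, $false)
            $findings += "  -> removed firewall exception"
        }
    }
    $fwKey.Close()
}

if ($findings.Count -eq 0) {
    Write-Output 'No Backdoor.Mepcod host indicators found.'
} else {
    $findings | ForEach-Object { Write-Output $_ }
}
```

Run it once without -Remove to see what is present, then with -Remove after the running process has been stopped by the AV product, otherwise the backdoor can simply re-create the values. Two caveats a practitioner would want: the alert names ControlSet001, but the control set Windows is actually booted from is the one CurrentControlSet points to, so check that path as well if they differ; and the network indicator from steps 6 and 7, outbound HTTP requests to diji-realm.net, is best looked for in proxy or firewall logs rather than on the host.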