| VID | 24020 |
| Severity | 40 |
| Port | 555 |
| Protocol | TCP |
| Class | BackDoor |
| Detailed Description |
The phAse Zero backdoor is installed. This backdoor allows an intruder to take control of the computer. With the phAse Zero backdoor, an attacker can do the following:
- upload and download files to the computer using FTP
- execute programs
- delete and move files
- read and write to the registry
- delete all files from the Windows system directory with the 'Trash Server' command

phAse Zero runs on Windows systems. By default, phAse Zero listens on TCP port 555. This port can be easily changed with the server setup program.

* References:
http://xforce.iss.net/alerts/advise30.php
http://www.iss.net/security_center/static/2326.php |
| Recommendation |
To remove the phAse zero backdoor from your computer:
1. Using Regedit, find the HKLM\Software\Microsoft\Windows\CurrentVersion\Run registry key.
2. Find the registry entry named msgsrv32.exe that has a data value of C:\Windows\System\msgsrv32.exe. If you cannot find this registry entry, refer to the steps below for identifying the phAse zero registry entry.
3. Delete this registry entry.
4. Delete msgsrv32.exe from the Windows system directory.

To identify the phAse zero registry entry and remove the phAse zero backdoor:
1. Review the entries in the HKLM\Software\Microsoft\Windows\CurrentVersion\Run registry key.
2. Note any registry entries for programs that you cannot identify. One of these suspicious programs may be phAse zero. The data value contains the file and path name for the executables that run when Windows is started.
3. Using Notepad, open each suspicious executable file.
4. Search for the text phAse zero in each file to determine if that file is the phAse zero executable.
5. Delete the executable file that contains the text phAse zero.
6. Using Regedit, delete the entry associated with this executable file from the HKLM\Software\Microsoft\Windows\CurrentVersion\Run registry key. |
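
The identification steps above (list the Run entries, then search each referenced executable for the text phAse zero) can be scripted instead of opening each file in Notepad. This is an added example, not part of the original advisory: the function name Find-RunKeyMarker and its command-line parsing are assumptions, and it only reports matches, leaving deletion to the manual steps.

```powershell
# Added example (not from the advisory): list HKLM Run entries and flag
# those whose target file contains the marker text.
# Find-RunKeyMarker is a hypothetical helper name.
function Find-RunKeyMarker {
    param(
        [string]$RunKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        [string]$Marker = 'phAse zero'
    )

    $key = Get-Item -LiteralPath $RunKey -ErrorAction Stop
    foreach ($name in $key.GetValueNames()) {
        $data = [string]$key.GetValue($name)

        # The data value is a command line. Candidate file paths, in order:
        # the quoted path, the whole value, then the text before the first space.
        $candidates = @()
        if ($data -match '^\s*"([^"]+)"') { $candidates += $Matches[1] }
        $candidates += $data.Trim()
        $candidates += ($data.Trim() -split '\s+')[0]

        $path = $null
        foreach ($c in $candidates) {
            $expanded = [Environment]::ExpandEnvironmentVariables($c)
            if (Test-Path -LiteralPath $expanded -PathType Leaf) { $path = $expanded; break }
        }

        # MarkerFound stays $null when no file could be resolved: review that entry by hand.
        $found = $null
        if ($path) {
            # Latin-1 maps every byte to one character, so a binary can be searched
            # as text, as Notepad would. Strings stored as UTF-16 will not match.
            $text  = [Text.Encoding]::GetEncoding(28591).GetString([IO.File]::ReadAllBytes($path))
            $found = $text.IndexOf($Marker, [StringComparison]::OrdinalIgnoreCase) -ge 0
        }

        [pscustomobject]@{
            Entry       = $name
            Command     = $data
            File        = $path
            MarkerFound = $found
        }
    }
}

Find-RunKeyMarker | Format-Table -AutoSize -Wrap
```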
| Related URL | CVE-1999-0660 (CVE) |
| Related URL | (SecurityFocus) |
| Related URL | (ISS) |