VID: 24022
Severity: 40
Port: 10167
Protocol: UDP
Class: BackDoor
Detailed Description: The Portal of Doom (PoD) backdoor is one of many backdoor programs that attackers can use to access your computer system without your knowledge or consent. This backdoor includes standard backdoor features, such as sending messages, reading files, starting your screensaver and reassigning your mouse buttons, as well as advanced features such as stealing your dialup passwords. Portal of Doom installs itself into the C:\Windows\System directory found on Windows 95 and 98 systems. C:\Windows\System is not a default Windows NT directory; however, if this directory exists, the backdoor will install itself and run under Windows NT as well.
Portal of Doom listens on UDP ports 10067 and 10167. If you send a UDP packet to port 10167 whose 3 bytes of data are "pod", the backdoor will return:
[@]xforce
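The request/response pair above is the fingerprint a scanner uses to detect this backdoor. The following is an added example, not code from the ISS/X-Force page: it sends the documented 3-byte probe over UDP, classifies the reply against the documented banner, and includes a constructed stand-in responder bound to the loopback interface so the exchange can be exercised offline. The function names (build_probe, is_pod_response, check_udp_port, start_fake_responder) are assumptions of this example, not part of any scanner product.

```python
import socket
import threading

# Documented Portal of Doom fingerprint on UDP/10167 (from the description above).
POD_PROBE = b"pod"
POD_BANNER = b"[@]xforce"


def build_probe() -> bytes:
    """The 3-byte datagram payload the backdoor answers to."""
    return POD_PROBE


def is_pod_response(payload: bytes) -> bool:
    """True only if the reply is the documented banner (trailing NUL/CRLF tolerated)."""
    return payload.rstrip(b"\x00\r\n") == POD_BANNER


def check_udp_port(host: str, port: int, timeout: float = 2.0):
    """Send the probe once; return (matched, raw_reply).

    A silent port yields (False, b""), which is also what a clean host looks like,
    so a negative result here is not proof the backdoor is absent.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_probe(), (host, port))
        try:
            data, _ = sock.recvfrom(1024)
        except socket.timeout:
            return False, b""
    return is_pod_response(data), data


def start_fake_responder(reply):
    """Constructed stand-in for the listener (NOT the backdoor), for offline testing.

    Binds an ephemeral loopback UDP port, answers one probe with `reply`,
    stays silent if `reply` is None, then closes. Returns the port number.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))
    port = srv.getsockname()[1]

    def serve():
        data, addr = srv.recvfrom(1024)
        if reply is not None and data == POD_PROBE:
            srv.sendto(reply, addr)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    # Demonstration against the constructed responder only.
    port = start_fake_responder(POD_BANNER)
    matched, raw = check_udp_port("127.0.0.1", port)
    print(f"port {port}: matched={matched} reply={raw!r}")
```

Run against a host you are responsible for only after the probe has been allowed through any intervening filtering; the 10067 port mentioned above is not covered by this banner check.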

* References:
http://www.iss.net/security_center/static/2323.php
http://xforce.iss.net/alerts/advise30.php
Recommendation: To remove the Portal of Doom backdoor from the infected computer:

1. Stop the Portal of Doom program (ljgz.exe) from running. The procedure depends on the version of Windows you are running.
- Windows 95/98: Restart the computer in MS-DOS mode. From a command prompt, delete C:\Windows\System\ljsgz.exe.
- Windows NT: Press CTRL+ALT+DEL, then click the Task Manager button to start the NT Task Manager. Click the Processes tab, and search the list for ljgz.exe. Select ljgz.exe, then click End Process.
2. Using Regedit, find the HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices registry key.
3. Find the registry entry named String that has a data value of C:\Windows\System\lgsgz.exe, and delete this registry entry.
Related URL: CVE-1999-0660 (CVE)