VID 24036
Severity 40
Port 10607
Protocol TCP
Class BackDoor
Detailed Description Backdoor Coma is detected.
Coma is a trojan horse program created in Mar. 1999 and written in Visual Basic 5.
This trojan is old and most likely not used at all. It consists of comserv.exe (Agent program) and comaclient.exe (Server program) and uses TCP port 10607 as its default port, which can't be changed.
The trojan requires Msvbvm50.dll and Mswinsck.ocx to run.

If this backdoor is running, you can find a registry entry named "RunTime" with a data value of C:\Windows\Msgsrv36.exe under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.

With the Coma backdoor, a remote attacker can do the following:

- Chat with server
- Close server
- Execute programs
- Transfer files using FTP
- Retrieve system information
- Listen
- Send Message
- Open/Close CD-ROM
- Print Message
- Remove server
- Send Command

* Platforms Affected:
Microsoft Windows Any version

* References:
http://www.iss.net/security_center/reference/vuln/Coma_Response.htm
http://www.dark-e.com/archive/trojans/coma/index.shtml
http://www.iss.net/security_center/static/2386.php
Recommendation Remove it from your computer:

1. Delete the registry entry named 'RunTime' located at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ by using regedit or another registry editing program.
2. Reboot the computer or close the trojan.
3. Delete the trojan file Msgsrv36.exe in the Windows directory.

-- OR --

Remove it from your computer by using an antivirus program.
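
The three indicators named in this entry (the 'RunTime' Run entry, Msgsrv36.exe in the Windows directory, and a listener on TCP 10607) can be checked together before and after cleanup. The script below is an added example, not part of the original entry; it only reports and deletes nothing. It assumes PowerShell 4.0 or later on Windows 8 / Server 2012 or later (needed for Get-NetTCPConnection and Get-FileHash), and the function name Test-ComaIndicators is hypothetical.

```powershell
# Added example: report-only check for the Coma indicators listed in this entry.
$RunKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$ValueName = 'RunTime'        # autostart entry name from the entry
$FileName  = 'Msgsrv36.exe'   # dropped file name from the entry
$Port      = 10607            # fixed TCP port from the entry

function Test-ComaIndicators {
    $findings = @()

    # 1. Autostart: a value named "RunTime" under the Run key.
    #    A match is only strong if its data also points at Msgsrv36.exe,
    #    since the value name alone is generic.
    $run = Get-ItemProperty -Path $RunKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($run) {
        $data = [string]$run.$ValueName
        $findings += [pscustomobject]@{
            Indicator = 'Run entry'
            Detail    = "$ValueName = $data"
            Strong    = ($data -like "*$FileName*")
        }
    }

    # 2. Dropped file in the Windows directory; record a hash for later lookup.
    $path = Join-Path $env:windir $FileName
    if (Test-Path -LiteralPath $path -PathType Leaf) {
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        $findings += [pscustomobject]@{
            Indicator = 'File'; Detail = "$path SHA256=$hash"; Strong = $true
        }
    }

    # 3. Listener on TCP 10607. Other software may use this port, so the
    #    finding is strong only when the owning image is Msgsrv36.exe.
    $listeners = Get-NetTCPConnection -State Listen -LocalPort $Port -ErrorAction SilentlyContinue
    foreach ($l in $listeners) {
        $proc  = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
        $image = if ($proc -and $proc.Path) { $proc.Path } else { '<unknown>' }
        $findings += [pscustomobject]@{
            Indicator = 'Listener'
            Detail    = "$($l.LocalAddress):$Port PID=$($l.OwningProcess) Image=$image"
            Strong    = ($image -like "*\$FileName")
        }
    }
    return $findings
}

Test-ComaIndicators | Format-Table -AutoSize -Wrap
```

Run it from an elevated prompt so the owning process path can be resolved; an empty result after the removal steps means none of the three indicators remain.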