VID 24039
Severity 40
Port 1441
Protocol TCP
Class BackDoor
Detailed Description Backdoor Remote Storm is detected.

Remote Storm is a trojan horse program created in February 2000 and written in Visual Basic.
This backdoor consists of Remote Storm.exe (the agent program) and Extract.exe (the server program). It uses TCP port 1441 as its default port, which cannot be changed. "Mswinsck.ocx" is required to run the trojan. If this backdoor is running, you will find a registry value named "WinManager" with the data C:\WINDOWS\System\DllRun.exe under the key 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'.

With the Remote Storm backdoor, a remote attacker can do the following:

- Display illegal operation
- Enable/Disable clipboard
- Enable/Disable double click
- Exit windows
- Fake format
- File manager
- Minimize all windows
- Open/Close CD-ROM
- Send message/text
- Send to URL
- Server setup
- Set computer name
- Set resolution
- Start screen saver
- Swap mouse buttons
- View/close running windows

Remote Storm has some less visible features that are not destructive in themselves but are still alarming. It can display a fake disk format on the server: this does not actually format the server computer's disk, it only simulates a format. It can also display fake "illegal operation" messages, and it can be configured so that if the program named in the fake illegal-operation message is actually running, Remote Storm will close it.

* Platforms Affected:
Microsoft Windows, any version

* References:
http://www.iss.net/security_center/reference/vuln/RemoteStorm.htm
http://www.iss.net/security_center/static/5362.php
Recommendation Remove it from your computer:

1. Remove the WinManager value from the registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run using regedit or any other registry editing program.
2. Reboot the computer or close DllRun.exe.
3. Delete the trojan files DllRun.exe and DllCount.sys from the Windows system directory.
-- OR --

Remove it from your computer by using an antivirus (vaccine) program.
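A defender's check for the indicators named above (the WinManager Run value pointing at DllRun.exe, and a listener on TCP port 1441), added here as an example that is not part of the original advisory. It parses a regedit export of the Run key and `netstat -an` output, both constructed samples embedded below, rather than querying a live machine.

```python
import re

# Indicators taken from the advisory above.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "WinManager"
DROPPER_FILE = "dllrun.exe"
DEFAULT_PORT = 1441

# Constructed sample artifacts (not from a real infected host).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"WinManager"="C:\\WINDOWS\\System\\DllRun.exe"
'''
SAMPLE_NETSTAT = """  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1441           0.0.0.0:0              LISTENING
"""


def parse_reg_export(text):
    """Parse a .reg export into {key: {value_name: data}} (string values only)."""
    entries, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            entries.setdefault(current, {})
        elif current and line.startswith('"') and "=" in line:
            name, _, data = line.partition("=")
            # .reg files double backslashes inside string data; undo that.
            entries[current][name.strip('"')] = data.strip().strip('"').replace("\\\\", "\\")
    return entries


def find_remote_storm(reg_text, netstat_text):
    """Return a list of findings that match Remote Storm's known indicators."""
    findings = []
    for key, values in parse_reg_export(reg_text).items():
        if key.lower() != RUN_KEY.lower():
            continue
        for name, data in values.items():
            if name.lower() == RUN_VALUE_NAME.lower() or data.lower().endswith(DROPPER_FILE):
                findings.append(f"Run value {name!r} -> {data}")
    for line in netstat_text.splitlines():
        m = re.match(r"\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING", line)
        if m and int(m.group(1)) == DEFAULT_PORT:
            findings.append(f"TCP port {DEFAULT_PORT} listening: {line.strip()}")
    return findings


if __name__ == "__main__":
    for finding in find_remote_storm(SAMPLE_REG, SAMPLE_NETSTAT):
        print(finding)
```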