| VID |
24045 |
| Severity |
40 |
| Port |
666,5401,5402 |
| Protocol |
TCP |
| Class |
BackDoor |
| Detailed Description |
Backdoor Back Construction is detected. Back Construction is a simple trojan horse program created in June 1999. This backdoor consists of client.exe (agent program) and Server.exe (server program). It can open an FTP server on port 21 TCP. It also opens the following TCP ports: 666, 5401 and 5402, and connects to them when the client is in use. These ports can't be changed. If this backdoor is running, you can find the registry key named "Shell" that has a data value of Cmctl32.exe in the registry at 'HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Run'.
With the Back Construction backdoor, a remote attacker can do the following:
- Chat
- Email using victim
- File management (upload, download, create a directory, ...)
- Get cached passwords
- Shutdown/Reboot/Logoff/Poweroff
- Start menu on/off
- View/Kill applications
* Platforms Affected: Microsoft Windows, any version
* References:
  - http://www.dark-e.com/archive/trojans/backc/21/index.shtml
  - http://www.glocksoft.com/trojan_list/Back_Construction.htm
  - http://www.iss.net/security_center/static/3222.php |
| Recommendation |
Remove it from your computer:
1. Remove the "Shell" key located in the registry at HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Run and the P23H located at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\General\Settings by using regedit or any other registry editing program.
2. Reboot the computer or close Cmctl32.exe.
3. Delete the trojan file Cmctl32.exe in the Windows directory.
-- OR --
Remove it from your computer by using a vaccine program (anti-virus program). |
| Related URL |
(CVE) |
| Related URL |
(SecurityFocus) |
| Related URL |
(ISS) |
|
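A read-only check for the indicators named in this entry, given as an added example that is not part of the original record. It assumes Windows PowerShell 4.0 or later with `Get-NetTCPConnection` available, and it treats P23H as either a subkey or a value because the entry does not say which.

```powershell
# Added example: look for the Back Construction indicators listed in this entry.
# Registry paths, names, file name and ports come from the entry; nothing is modified.
$findings = @()

# 1. "Shell" = Cmctl32.exe under HKEY_USERS\.Default\...\Run
$runKey = 'Registry::HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['Shell'] -and $run.Shell -match 'Cmctl32\.exe') {
    $findings += "Run entry 'Shell' = $($run.Shell)"
}

# 2. P23H under HKLM\SOFTWARE\Microsoft\General\Settings
#    (assumption: checked both as a subkey and as a value name)
$settingsKey = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\General\Settings'
if (Test-Path -Path "$settingsKey\P23H") {
    $findings += "Subkey P23H present under $settingsKey"
}
$settings = Get-ItemProperty -Path $settingsKey -ErrorAction SilentlyContinue
if ($settings -and $settings.PSObject.Properties['P23H']) {
    $findings += "Value P23H present under $settingsKey"
}

# 3. Cmctl32.exe in the Windows directory; hash it for the incident record
$trojanPath = Join-Path -Path $env:windir -ChildPath 'Cmctl32.exe'
if (Test-Path -Path $trojanPath -PathType Leaf) {
    $hash = (Get-FileHash -Path $trojanPath -Algorithm SHA256).Hash
    $findings += "File $trojanPath exists (SHA256 $hash)"
}

# 4. Listeners on the fixed TCP ports 666, 5401, 5402, with the owning process
$ports = 666, 5401, 5402
$listeners = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalPort -in $ports }
foreach ($l in $listeners) {
    $proc = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
    $findings += "TCP $($l.LocalPort) listening, PID $($l.OwningProcess) ($($proc.ProcessName))"
}

if ($findings.Count -eq 0) {
    Write-Output 'No Back Construction indicators found.'
} else {
    Write-Output 'Back Construction indicators found:'
    $findings | ForEach-Object { Write-Output "  - $_" }
}
```

A listener on one of these ports alone is not conclusive, since other software can bind them; weigh it together with the registry and file findings.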