VID 24047
Severity 40
Port 13473
Protocol TCP
Class BackDoor
Detailed Description Backdoor Chupacabra1.0 is detected.
Chupacabra1.0 is a trojan horse program created in Oct. 1999 and written in Visual Basic 5. The backdoor consists of Chupacabra.exe (client program) and server.exe (server program). It uses TCP port 13473 as its default port, which can't be changed. MSwinsck.ocx and the VB5 runtime files are required to run the trojan. It's a destructive trojan that has a format feature.
However, Chupacabra is rather old and doesn't have many features, so this trojan is probably not used much. If this backdoor is running, you can find a registry value named "System Protect" with the data winprot.exe under the following registry keys:

- 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
- 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices'
- 'HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
- 'HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'

With the Chupacabra backdoor, a remote attacker can do the following:

- Close/Log off/Reboot windows
- Delete file
- Disable/Enable CTRL+ALT+DEL
- Format computer
- Get ICQ user
- Get time
- Hide/Show task bar
- Send message
- Start screensaver

* Platforms Affected:
Microsoft Windows Any version

* References:
http://www.iss.net/security_center/static/5304.php
http://www.dark-e.com/archive/trojans/chupacabra/10/index.shtml
http://www.tlsecurity.net/backdoor/Chupacabra.htm
Recommendation Remove it from your computer:

1. Remove the System Protect value from the registry under 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run', 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices', 'HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' and 'HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' by using regedit or any other registry editing program.
2. Open win.ini (usually c:\windows\win.ini) with any text editing program and remove the entries run=winprot.exe and load=winprot.exe under [Windows].
3. Reboot the computer or close winprot.exe.
4. Delete the trojan file winprot.exe in the windows system directory.

-- OR --

Remove it from your computer by using a vaccine program (anti-virus program).
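
The indicators in this entry (the "System Protect" autostart value, the win.ini run=/load= entries, winprot.exe in the system directory and a listener on TCP 13473) can be checked in one read-only pass before starting the removal steps. The PowerShell script below is an added example, not part of the original entry; it assumes PowerShell 3.0 or later and the Get-NetTCPConnection cmdlet (Windows 8 / Server 2012 or later), and its variable names are illustrative.

```powershell
# Added example: read-only check for the Chupacabra 1.0 indicators named in this entry.
$valueName = 'System Protect'   # autostart value name (from the entry)
$fileName  = 'winprot.exe'      # server file name (from the entry)
$port      = 13473              # fixed TCP port (from the entry)
$runKeys = @(
    'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',
    'Registry::HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'Registry::HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
$findings = @()

# 1. "System Protect" value in any of the four autostart keys.
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue
    if ($props -and ($props.PSObject.Properties.Name -contains $valueName)) {
        $findings += [pscustomobject]@{ Check = 'Registry'; Location = $key
                                        Detail = "$valueName = $($props.$valueName)" }
    }
}

# 2. run= / load= lines in win.ini that reference winprot.exe (match is case-insensitive).
$winIni = Join-Path $env:windir 'win.ini'
if (Test-Path -LiteralPath $winIni) {
    $pattern = '^\s*(run|load)\s*=.*' + [regex]::Escape($fileName)
    foreach ($hit in Select-String -LiteralPath $winIni -Pattern $pattern) {
        $findings += [pscustomobject]@{ Check = 'win.ini'; Location = "$winIni line $($hit.LineNumber)"
                                        Detail = $hit.Line.Trim() }
    }
}

# 3. The server file in the Windows system directory.
$filePath = Join-Path ([Environment]::SystemDirectory) $fileName
if (Test-Path -LiteralPath $filePath) {
    $findings += [pscustomobject]@{ Check = 'File'; Location = $filePath
                                    Detail = "$((Get-Item -LiteralPath $filePath).Length) bytes" }
}

# 4. A listener on TCP 13473. A port match alone is not conclusive; read it with checks 1-3.
$listeners = Get-NetTCPConnection -State Listen -LocalPort $port -ErrorAction SilentlyContinue
foreach ($l in $listeners) {
    $findings += [pscustomobject]@{ Check = 'Port'; Location = "$($l.LocalAddress):$port"
                                    Detail = "owning PID $($l.OwningProcess)" }
}

if ($findings.Count -eq 0) { 'No Chupacabra 1.0 indicators found.' } else {
    $findings | Format-Table -AutoSize -Wrap
}
```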