VID 24048
Severity 40
Port 23432
Protocol TCP
Class BackDoor
Detailed Description Backdoor Asylum is detected.
Asylum is an open-source trojan horse program created in April 2000, written in Assembler (server) and Delphi (client). It has been distributed as versions 0.1, 0.1.1, 0.1.2, 0.1.3, 0.1.4, mini1.0, mini1.1, asylum 0.1.3 Multipager and Web asylum 1.0. The backdoor consists of client.exe (client program), server.exe (server program) and config.exe (server configuration program). It uses TCP port 23432 by default; the port can be changed with config.exe. config.exe is an "Edit Server" program that lets a remote attacker customize the backdoor server to run on an arbitrary port and to use any combination of startup methods through the registry, system.ini and win.ini. If this backdoor is running, the autoload information can be found as follows:

1. the registry entry named "SystemAdministration" under 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run', 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices' or 'HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'.

2. the line shell=Explore.exe wincmp32.exe under [boot] in system.ini.

3. the line load=c:\windows\wincmp32.exe or run=c:\windows\wincmp32.exe under [Windows] in win.ini.
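
As an added check (not part of this entry or of any vendor tool), the following Python script inspects the three autoload locations listed above. Registry contents are passed in as a dictionary so the logic runs on any platform, and the sample inputs at the bottom are constructed to mirror the entry's indicators:

```python
# Indicators taken from the detection entry: trojan file name, Run value name
# and the three Run keys it may be registered under.
TROJAN_EXE = "wincmp32.exe"
RUN_VALUE = "SystemAdministration"
RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
)

def ini_value(text, section, key):
    """Case-insensitive lookup of key= under [section] in a Win9x-style .ini file."""
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
        elif current == section.lower() and "=" in line:
            k, v = line.split("=", 1)
            if k.strip().lower() == key.lower():
                return v.strip()
    return None

def scan(system_ini, win_ini, registry):
    """registry: {key_path: {value_name: data}} collected from RUN_KEYS. Returns findings."""
    findings = []
    # 1. Run/RunServices entry named SystemAdministration, or any entry pointing at the exe
    for path in RUN_KEYS:
        for name, data in registry.get(path, {}).items():
            if name.lower() == RUN_VALUE.lower() or TROJAN_EXE in str(data).lower():
                findings.append(f"registry: {path}\\{name} = {data}")
    # 2. system.ini [boot] shell= naming the trojan, or any second program after the shell
    shell = ini_value(system_ini, "boot", "shell") or ""
    if TROJAN_EXE in shell.lower() or len(shell.split()) > 1:
        findings.append(f"system.ini: shell={shell}")
    # 3. win.ini [Windows] load= or run= pointing at the trojan
    for key in ("load", "run"):
        value = ini_value(win_ini, "windows", key) or ""
        if TROJAN_EXE in value.lower():
            findings.append(f"win.ini: {key}={value}")
    return findings

# Constructed sample input reproducing the entry's indicators (not real host data).
SAMPLE_SYSTEM_INI = "[boot]\nshell=Explore.exe wincmp32.exe\n[386Enh]\n"
SAMPLE_WIN_INI = "[Windows]\nload=c:\\windows\\wincmp32.exe\nrun=\n[Desktop]\n"
SAMPLE_REGISTRY = {RUN_KEYS[0]: {"SystemAdministration": r"c:\windows\wincmp32.exe",
                                 "BenignApp": r"c:\program files\benign\app.exe"}}

if __name__ == "__main__":
    for hit in scan(SAMPLE_SYSTEM_INI, SAMPLE_WIN_INI, SAMPLE_REGISTRY):
        print("FOUND", hit)
```

On a live host, fill the registry dictionary from the three Run keys and read the two .ini files from the Windows directory before calling scan().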

With the Asylum backdoor, a remote attacker can do the following:

- Upload/Execute file
- Reboot computer
- Remove server
- Send to webpage
- Connect through a proxy
- Console or GUI client
- Edit server (startup method, password, port, ICQ notification, ...)

* Platforms Affected:
Microsoft Windows, any version

* References:
http://www.iss.net/security_center/static/4849.php
http://www.dark-e.com/archive/trojans/asylum/
http://www.tlsecurity.net/backdoor/asylium.html
Recommendation Remove it from your computer:

1. Remove the "SystemAdministration" entry under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices or HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run with regedit or any other registry editing program, if it exists.
2. Open system.ini (usually c:\windows\system.ini); if the line shell=Explore.exe wincmp32.exe exists under [boot], change it to shell=explore.exe with any text editor.
3. Open win.ini (usually c:\windows\win.ini) and remove the line load=c:\windows\wincmp32.exe or run=c:\windows\wincmp32.exe under [Windows] with a text editor, if either exists.
4. Reboot the computer or terminate the trojan process wincmp32.exe.
5. Delete the trojan file wincmp32.exe from the Windows directory.

-- OR --

Remove it from your computer with a vaccine program (anti-virus program).