VID 24051
Severity 40
Port 17499,17490
Protocol TCP
Class BackDoor
Detailed Description Backdoor CrazzyNet is detected.
CrazzyNet is a trojan horse program, created in July 2000, that has many features. It has been distributed as versions 3.7, 3.7.1, 3.7.5, 3.7.8, 5.0, 5.2 and 5.2.1. The backdoor consists of Client.exe (the client program) and Server.exe (the server program). Depending on the version, it uses TCP ports 17499 and 17500, or 17490 and 17500, as its default ports, which cannot be changed. If the backdoor is running, you can find the registry key named "Reg32", with a data value of Registry32.exe, in the registry at 'HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'. Once a system is infected, the backdoor also alters the win.ini and system.ini files. It comes with a NetScanner to help find infected hosts.

With the CrazzyNet backdoor, a remote attacker can do the following:

- Get cached passwords
- Get ICQ UIN/Owner
- Get Colors
- Get Applications/Applications Path
- Get/Set system information (computer name, username, OS, resolution, ...)
- Capture screen
- Send message
- CrazzyNet Scanner
- Log off/Shut down/Reboot system
- Log all keystrokes
- File management (upload, download and execute arbitrary files, ...)
- Manipulate the Windows session
- Edit the server

* Platforms Affected:
Microsoft Windows Any version

* References:
http://www.iss.net/security_center/static/5541.php
http://www.tlsecurity.net/backdoor/crazynet.html
http://www.glocksoft.com/trojan_list/CrazzyNet.htm
Recommendation Remove it from your computer:

1. Remove the "Reg32" key in the registry located at HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run by using regedit or any other registry editing program.
2. Open system.ini (usually c:\windows\system.ini) with any text editing program and change the key shell=Explorer.exe Registry32.exe to shell=Explorer.exe.
3. Open win.ini (usually c:\windows\win.ini) with a text editing program and remove the key run=Registry32.exe under [Windows].
4. Reboot the computer or close Registry32.exe.
5. Delete the trojan file Registry32.exe in the Windows system directory.

-- OR --

Remove it from your computer by using a vaccine program (anti-virus program).
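A read-only check for the three persistence locations named in the removal steps, added here as an example and not part of the original advisory. The function names and the sample data are assumptions made for illustration, and the sample input is constructed rather than captured from an infected host.

```python
ARTIFACT = "registry32.exe"  # file name the advisory gives for the installed server

def ini_value(text, key, section=None):
    """Return the first value of `key` (lowercase), optionally within [section]."""
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
        elif "=" in line and not line.startswith(";"):
            name, _, value = line.partition("=")
            if name.strip().lower() == key and section in (None, current):
                return value.strip()
    return None

def find_indicators(run_values, system_ini, win_ini):
    """Return one finding per persistence location that matches the advisory."""
    findings = []
    for name, data in run_values.items():
        if name.lower() == "reg32" or ARTIFACT in data.lower():
            findings.append(f"HKCU Run value {name!r} = {data!r}")
    shell = ini_value(system_ini, "shell")
    if shell and ARTIFACT in shell.lower():
        findings.append(f"system.ini shell={shell}")
    run = ini_value(win_ini, "run", section="windows")
    if run and ARTIFACT in run.lower():
        findings.append(f"win.ini run={run}")
    return findings

def read_hkcu_run():
    """Read the live Run key (Windows only); returns {value name: data}."""
    import winreg
    path = r"Software\Microsoft\Windows\CurrentVersion\Run"
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, path) as key:
        count = winreg.QueryInfoKey(key)[1]
        return {n: str(d) for n, d, _ in (winreg.EnumValue(key, i) for i in range(count))}

# Constructed sample input modelled on the description above, not captured data.
SAMPLE_RUN = {"Reg32": "Registry32.exe"}
SAMPLE_SYSTEM_INI = "[boot]\nshell=Explorer.exe Registry32.exe\n"
SAMPLE_WIN_INI = "[windows]\nload=\nrun=Registry32.exe\n"
CLEAN_SYSTEM_INI = "[boot]\nshell=Explorer.exe\n"

if __name__ == "__main__":
    for hit in find_indicators(SAMPLE_RUN, SAMPLE_SYSTEM_INI, SAMPLE_WIN_INI):
        print("indicator:", hit)
```

On a live Windows host, pass `read_hkcu_run()` and the contents of the two .ini files instead of the samples; an empty result after step 5 confirms that all three entries are gone.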