| VID | 24055 |
| Severity | 40 |
| Port | 12349, 5000 |
| Protocol | TCP |
| Class | BackDoor |
| Detailed Description |
The BioNet backdoor has been detected. BioNet is a trojan horse program created in November 1999 and written in Delphi. It has been distributed in many versions, including 0.84, 0.87, 0.92, 0.92NT, ..., 3.02ME~3.18ME, 4.01, BioNet Lite 1.4 and CGI Logger. The backdoor consists of BioNet.exe or BNLite.exe (the client program), Server.exe (the server program that runs on the victim) and editor.exe or builder.exe (the server editing program). BioNet Lite listens on TCP port 5000 by default and the general version on TCP port 12349, but the attacker can change the default port with the editing program, so a port-based check alone will not catch a customized server. Once a system is infected, the server alters Wininit.ini and replaces explorer.exe with explorer.e; it may also infect Awadrp32.exe, Mkcompat.exe and Rnaap.exe. BioNet makes it impossible to reboot into DOS mode to delete the trojan, and it attempts to evade anti-virus and firewall programs. Because the server builder offers more than 50 different features, every server sent out can be unique, so the manual removal instructions below may not be completely reliable.
While this backdoor is running, the following registry entries are present, depending on the version:
* For versions 0.84, 0.87, 0.92, 0.92NT, 2.21, 2.61a, 3.02ME~3.18ME, 4.01, BioNet Lite, etc.:
  - Registry value name: WinLibUpdate (ProcMon for BioNet Lite)
  - Value data: C:\WINDOWS\libupdate.exe (C:\WINDOWS\procmon.exe for BioNet Lite)
  - Registry location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
With the BioNet backdoor, a remote attacker can do the following:
  - Evade anti-virus and firewall programs
  - Attack other servers by IGMP flooding
  - Manage files (search, download, upload and execute files)
  - Retrieve cached and e-mail passwords
  - Retrieve system information (screen resolution, OS version, etc.)
  - Log keystrokes
  - Redirect ports
  - Remove, close or update the server
  - Display a message box or send the victim to a URL
  - Shut down, reboot, power off or terminate Windows
  - View and kill processes
  - Receive ICQ notifications when a victim comes online
  - Manage the registry
  - Schedule tasks
  - Scan IP addresses and ports
* Platforms Affected: Microsoft Windows Any version
* References:
  - http://www.iss.net/security_center/reference/vuln/Email_BioNet.htm
  - http://www.megasecurity.org/trojans/b/bionet/Bionet_all.html |
| Recommendation |
Remove it from your computer manually:
* For versions 0.84, 0.87, 0.92, 0.92NT, 2.21, 2.61a, 3.02ME~3.18ME, 4.01, etc.:
  1. Remove the "WinLibUpdate" value from HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run by using regedit or any other registry editing program. Also check HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, where the description above locates the value, and remove it there if present.
  2. Reboot the computer, or terminate the running libupdate.exe process.
  3. Delete the trojan file libupdate.exe from the Windows directory (C:\WINDOWS\libupdate.exe, the path recorded in the registry value).
* For BioNet Lite:
  1. Remove the "ProcMon" value from HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run by using regedit or any other registry editing program. Also check HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and remove it there if present.
  2. Reboot the computer, or terminate the running procmon.exe process.
  3. Delete the trojan file procmon.exe from the Windows directory (C:\WINDOWS\procmon.exe, the path recorded in the registry value).
Because a server built with the editing program may use a different port, value name or file name, confirm that no other unknown Run value or listening port remains after these steps.
-- OR --
Remove it from your computer by using an anti-virus program. |
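The following script is an added example and is not part of this entry or of any vendor tool. It takes the text output of the standard Windows commands `reg query` (for the Run key) and `netstat -ano`, matches it against the indicators given above (the WinLibUpdate/ProcMon Run values, the libupdate.exe/procmon.exe file names and the default TCP ports 12349 and 5000), and derives the manual removal steps of the Recommendation from what it finds. The sample command output embedded in the script is constructed for the example. The port check is the weakest indicator: the entry states the default port can be changed with the server editor, and TCP 5000 is also used by legitimate software, so a listener on its own only identifies a process to inspect.

```python
"""Triage helper for the BioNet indicators listed in this entry (added example).

Parses `reg query HKLM\\...\\Run` and `netstat -ano` output, reports which
indicators from the entry are present, and turns the findings into the
manual removal steps (reg delete, kill process, delete file).
"""
import re

# Indicators taken from the entry. Value names and file names differ per
# version; the ports are only defaults and can be changed by the attacker.
RUN_VALUES = {"winlibupdate": "libupdate.exe", "procmon": "procmon.exe"}
DEFAULT_PORTS = {12349: "BioNet (general version)", 5000: "BioNet Lite"}
# The entry names both hives, so the removal plan checks both.
RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
)

# Constructed sample of `reg query HKLM\...\Run` output (not captured from a real host).
SAMPLE_REG = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    WinLibUpdate      REG_SZ           C:\WINDOWS\libupdate.exe
"""

# Constructed sample of `netstat -ano` output (not captured from a real host).
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:12349          0.0.0.0:0              LISTENING       2468
  UDP    0.0.0.0:5000           *:*                                    1044
"""


def parse_reg_query(text):
    """Return {value_name: data} for REG_SZ / REG_EXPAND_SZ lines of reg query output.

    Value names containing spaces are not handled; the Run values in this
    entry do not contain any.
    """
    values = {}
    for line in text.splitlines():
        m = re.match(r"\s+(\S+)\s+REG_(?:EXPAND_)?SZ\s+(.*\S)\s*$", line)
        if m:
            values[m.group(1)] = m.group(2)
    return values


def parse_netstat(text):
    """Return [(local_port, pid)] for TCP sockets in LISTENING state."""
    listeners = []
    for line in text.splitlines():
        m = re.match(r"\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s+(\d+)", line)
        if m:
            listeners.append((int(m.group(1)), int(m.group(2))))
    return listeners


def find_bionet(reg_values, listeners):
    """Match parsed output against the entry's indicators and return findings."""
    findings = []
    for name, data in reg_values.items():
        expected_file = RUN_VALUES.get(name.lower())
        # Both the value name and the file name must match, to avoid flagging
        # an unrelated program that happens to reuse one of the names.
        if expected_file and data.lower().endswith(expected_file):
            findings.append({"type": "run_value", "name": name, "path": data})
    for port, pid in listeners:
        if port in DEFAULT_PORTS:
            findings.append({"type": "listener", "port": port, "pid": pid,
                             "variant": DEFAULT_PORTS[port]})
    return findings


def removal_plan(findings):
    """Turn findings into the manual removal steps from the Recommendation."""
    steps = []
    for f in findings:
        if f["type"] == "run_value":
            file_name = f["path"].rsplit("\\", 1)[-1]
            for key in RUN_KEYS:  # harmless if the value is absent in one hive
                steps.append('reg delete "%s" /v %s /f' % (key, f["name"]))
            steps.append("taskkill /F /IM %s" % file_name)
            steps.append('del "%s"' % f["path"])
        elif f["type"] == "listener":
            # A default-port listener only tells us which process to inspect.
            steps.append('tasklist /FI "PID eq %d"  (process listening on TCP %d, %s default port)'
                         % (f["pid"], f["port"], f["variant"]))
    return steps


if __name__ == "__main__":
    found = find_bionet(parse_reg_query(SAMPLE_REG), parse_netstat(SAMPLE_NETSTAT))
    for f in found:
        print("indicator:", f)
    for step in removal_plan(found):
        print("step:", step)
```

On a real host, feed the script the output of `reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"` (and the HKCU key) and `netstat -ano` instead of the embedded samples. A Run value whose data points at an unexpected file under the Windows directory, even with a name not listed here, deserves the same inspection, since the server builder can rename the file.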
| Related URL (CVE) |
| Related URL (SecurityFocus) |
| Related URL (ISS) |