| Field | Value |
|---|---|
| VID | 24056 |
| Severity | 40 |
| Port | 15382 |
| Protocol | TCP |
| Class | BackDoor |
Detailed Description

Backdoor SubZero is detected.

SubZero is a trojan horse program created in December 2000 and written in Delphi 5. This backdoor consists of SubZero.exe (the client program) and server.exe (the server program). It uses TCP port 15382 by default; the port can be changed from the server settings menu. The ICQMAPI.dll file is required to run the trojan. The trojan will not be developed any further and its source code will not be released. When this backdoor program runs, it copies itself to the Windows system directory but does not register itself. If it does register, you can find a registry value named "taskmann.dll" with a data value of C\WINDOWS\SYSTEM\taskmann.dll.exe under 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'.

With the Dagger backdoor, a remote attacker can do the following:

- Key logger
- ICQ/AIM/IE/MSN/YAHOO spy
- Chat with server
- Change resolution, volume, start button icon, Windows colors
- Hide/show/disable/remove clock, start button, systray, task bar
- File management (find/download/execute file, FTP, ...)
- Get AIM, RAS, cached passwords
- Port redirect
- Send message
- Send to URL
- View/kill process
- Exit/log off/power off/reboot/shutdown Windows
- Get system information (user, OS, drives, directory, ...)

* Platforms Affected: Microsoft Windows, any version
* References:
  - http://www.dark-e.com/archive/trojans/subzero/alpha/index.shtml
  - http://www.megasecurity.org/trojans/s/subzero/Subzero_alpha.html
  - http://www.glocksoft.com/trojan_list/SubZero.htm
Recommendation

Remove it from your computer:

1. Remove the "taskmann.dll" key in the registry located at HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run by using regedit or any other registry editing program.
2. Reboot the computer or close taskmann.dll.exe.
3. Delete the trojan file taskmann.dll.exe in the Windows system directory.

-- OR --

Remove it from your computer by using a vaccine program (anti-virus program).
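The following PowerShell script is an added example, not part of this record, that checks a host for the three indicators the record names: the "taskmann.dll" Run value, the dropped taskmann.dll.exe file, and a listener on the default port 15382. It checks both HKLM and HKCU because the description names one hive and the removal steps the other; it only reports and removes nothing.

```powershell
# Added example: report SubZero indicators named in this record (no removal).
# Assumptions: indicator values are taken from the record above; both Run hives
# are checked; Get-NetTCPConnection needs Windows 8 / Server 2012 or later.
$ValueName = 'taskmann.dll'
$FileName  = 'taskmann.dll.exe'
$Port      = 15382

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)

$Findings = @()

# 1. Run-key persistence: a value named taskmann.dll under either hive
foreach ($key in $RunKeys) {
    if (Test-Path $key) {
        $data = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).$ValueName
        if ($data) {
            $Findings += [pscustomobject]@{ Type = 'RunKey'; Where = "$key\$ValueName"; Detail = $data }
        }
    }
}

# 2. Dropped file in the Windows system directories (System32 now, System on old hosts)
foreach ($dir in @("$env:SystemRoot\System32", "$env:SystemRoot\System")) {
    $path = Join-Path $dir $FileName
    if (Test-Path -LiteralPath $path) {
        $size = (Get-Item -LiteralPath $path).Length
        $Findings += [pscustomobject]@{ Type = 'File'; Where = $path; Detail = "$size bytes" }
    }
}

# 3. Default control port listening (misses a server whose port was changed)
$listeners = Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue
foreach ($conn in $listeners) {
    $proc = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
    $Findings += [pscustomobject]@{ Type = 'Listener'; Where = "TCP/$Port"; Detail = "PID $($conn.OwningProcess) $($proc.ProcessName)" }
}

if ($Findings.Count -eq 0) { 'No SubZero indicators found.' } else { $Findings | Format-Table -AutoSize }
```

A listener on port 15382 is only meaningful when the default was left unchanged, so treat the Run value and the file as the stronger indicators.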
Related URL (CVE):

Related URL (SecurityFocus):

Related URL (ISS):