| VID | 24057 |
| Severity | 40 |
| Port | 11223 |
| Protocol | TCP |
| Class | BackDoor |
| Detailed Description |
Backdoor Progenic is detected.
Progenic is a trojan horse program created in April 1999 and written in Visual Basic 6. Versions β1.0, β2.0, β3.0, 1.0 and 1.1 were distributed. The backdoor consists of ProgenicT.exe (client program) and AntiNuke.exe (server program). It uses TCP port 11223 by default, and the port cannot be changed. When the server is first run it displays a message saying "Runtime error 403 wrong statement", so the user thinks the program has an error and did not start. If this program is running, a registry entry named "Kernel32" (or "Scandisk") with the data value C:\windows\scandiskc.exe (or C:\Windows\Scandiskwr.exe) can be found under 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'. It also alters the file win.ini.
With the Dagger backdoor, a remote attacker can do the following:
- Get the cached e-mail password
- Get system information (drives, resolution, username, computer name, Windows version, ...)
- Get the name of the ISP and the ISP username
- Get the most recently visited URLs and the start page
- Get the ICQ path and UIN
- File management
- Close ICQ
- Shut down / reboot the system
- Hide / show / swap mouse
- Key logger
- Send to URL
- Close / remove server
* Platforms Affected: Microsoft Windows, any version
* References:
  - http://www.iss.net/security_center/static/3119.php
  - http://www.dark-e.com/archive/trojans/progenic/index.html
  - http://www.megasecurity.org/trojans/p/progenictrojan/Progenictrojan_all.html |
| Recommendation |
Remove it from your computer:
1. Remove the "Kernel32" (or "Scandisk") entry from the registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run using regedit or any other registry editing program.
2. Open win.ini (usually c:\windows\win.ini) and remove the line "run=c:\windows\scandiskc.exe" under [Windows] using any text editing program.
3. Reboot the computer or close scandiskc.exe (or Scandiskwr.exe).
4. Delete the trojan file scandiskc.exe (or Scandiskwr.exe) in the Windows system directory.
-- OR --
Remove it from your computer using a vaccine program (anti-virus program). |
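The following is an added example, not part of this record, that checks for the two host artifacts named above (the Run entry and the win.ini run= line) in exported text. The input data is constructed for illustration; the value names, file names and key paths are the ones stated in the description.

```python
import re

# Constructed sample inputs (not captured from a real host): a win.ini
# fragment and a text export of the Run keys, shaped like the artifacts above.
SAMPLE_WIN_INI = """[windows]
load=
run=c:\\windows\\scandiskc.exe
[Desktop]
Wallpaper=(None)
"""
SAMPLE_RUN_EXPORT = r"""[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"Kernel32"="C:\\Windows\\scandiskc.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Scandisk"="C:\\Windows\\Scandiskwr.exe"
"""

# Indicators from the description: Run entry names and dropped file names.
VALUE_NAMES = {"kernel32", "scandisk"}
FILE_NAMES = {"scandiskc.exe", "scandiskwr.exe"}
RUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
}

def check_run_export(text):
    """Return (key, name, data) for Run entries matching the indicators."""
    findings, current_key = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            continue
        m = re.match(r'"([^"]+)"="(.*)"$', line)
        if not m or current_key is None or current_key.lower() not in RUN_KEYS:
            continue
        name, data = m.group(1), m.group(2).replace("\\\\", "\\")
        exe = data.lower().rsplit("\\", 1)[-1]   # file name only
        if name.lower() in VALUE_NAMES or exe in FILE_NAMES:
            findings.append((current_key, name, data))
    return findings

def check_win_ini(text):
    """Return run= lines under [windows] that launch an indicator file."""
    findings, section = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "windows" and line.lower().startswith("run="):
            exe = line[4:].strip().lower().rsplit("\\", 1)[-1]
            if exe in FILE_NAMES:
                findings.append(line)
    return findings
```

Both functions return an empty list on clean input, so a hit on either is the trigger to follow the removal steps above.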