| VID | 24058 |
| Severity | 40 |
| Port | 1001, 9580, 6711 |
| Protocol | TCP |
| Class | BackDoor |
| Detailed Description |
Backdoor Theef is detected. Theef is a trojan horse program created in May 2001 and written in Delphi 3.0. It was distributed as versions 1.1, 1.2, 1.21, 1.22, 1.23, 1.30, 1.31, 1.33, 1.34, 1.35, 1.37, LE 1.0 and LE 1.11. The port used, the auto-start method, the filename, the feature set and so on vary by version.
* Registry location:
  - HKLM\Software\Microsoft\Windows\CurrentVersion\Run (V1.1, 1.2, 1.22, 1.23, 1.37, Lite 1.0, 1.11)
  - HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices (V1.22, 1.23)
  - HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce (V1.22, 1.23)
* Registry value name:
  - ocxreg (V1.1, 1.2, 1.22, 1.23), Queue (V1.37), AutoUpdate (Lite 1.0), UpdateComponent (Lite 1.11)
* Value data:
  - C:\WINDOWS\SYSTEM\ocxreg.exe (V1.1, 1.2, 1.22, 1.23)
  - c:\windows\Queue.exe (V1.37)
  - C:\WINDOWS\wincheck.exe (Lite 1.0)
  - C:\WINDOWS\Lib32.exe (Lite 1.11)
* Default port(s) used:
  - 1001 (V1.1)
  - 1001, 1005, 1000 (V1.2)
  - 1001, 3000, 1005 (V1.22, 1.23)
  - 6711 (V1.37)
  - 9580 (Lite 1.0, 1.11)
* Constituent files (client, server and server editor):
  - client.exe, server.exe (V1.1, 1.2)
  - theef.exe, server.exe, editserver.exe (V1.22, 1.23)
  - client137.exe, server137.exe, editserver137.exe (V1.37)
  - Client.exe, theefliteserver.exe (Lite 1.0)
  - Client_1.11.exe, theefliteserver.exe (Lite 1.11)
With the Theef backdoor, a remote attacker can do the following:
  - Get system information
  - View/hide/kill processes
  - Log keystrokes
  - Get cached, Napster and WinZip passwords
  - Shut down/restart/log off/force shutdown of the system
  - Format drives
  - Kill firewall, anti-virus and trojan-cleaner software
  - Display message boxes and blue screens
  - Clear CMOS
  - Get favorites
  - File management (download, upload, run, read, etc.)
  - Edit the connected server (password, port, server name, etc.)
  - Delete/restart/close the server
* References:
  - http://www.megasecurity.org/trojans/t/theef/Theef_all.html
  - http://www.tlsecurity.net/backdoor/theef.backdoor.html
  - http://theef.4-all.org/
* Platforms Affected: Microsoft Windows, any version |
| Recommendation |
Remove it from your computer:
* For versions 1.1, 1.2, 1.37, LE 1.0 and LE 1.11:
  1. Remove the "WinLibUpdate" entry under the registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run using regedit or any other registry editing program.
  2. Reboot the computer or terminate libupdate.exe.
  3. Delete the trojan file libupdate.exe from the Windows system directory.
* For versions 1.22 and 1.23:
  1. Remove the "ProcMon" entry under the registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run using regedit or any other registry editing program.
  2. Reboot the computer or terminate procmon.exe.
  3. Delete the trojan file procmon.exe from the Windows system directory.
-- OR --
Remove it from your computer by using a vaccine program (anti-virus program). |
| Related URL (CVE) | |
| Related URL (SecurityFocus) | |
| Related URL (ISS) | |