| VID | Severity | Port | Protocol | Class |
| --- | --- | --- | --- | --- |
| 24066 | 40 | 7614 | TCP | BackDoor |
| Detailed Description |
Backdoor.Wollf was detected on the scanned Windows system. Backdoor.Wollf is a backdoor Trojan horse written in Microsoft Visual C++. It installs itself as a server and allows unauthorized access to the infected computer over TCP port 33333 or 7614. Once installed, it adds a string value named WININIT.EXE, WRM.EXE, WGUI.EXE or WOLLF.EXE to the registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices.
An attacker can use this backdoor to:
- Remotely execute commands
- Retrieve system information
- View and kill running processes
- Upload and download files
- Gain telnet and FTP access
- Log keystrokes
* References: http://securityresponse.symantec.com/avcenter/venc/data/backdoor.wollf.16.html , http://www.rapter.net/jm4.htm
* Platforms Affected: Microsoft Windows, any version
| Recommendation |
Remove it from the infected computer by using an anti-virus program.
-- OR --
Remove the backdoor manually by performing the following steps:
1. Terminate the running backdoor process from memory.
1) Press CTRL+SHIFT+ESC, then click Windows Task Manager, and click the Processes tab.
2) In the list of running programs, locate the backdoor's process.
3) Select the backdoor's process, then click the End Process button.
4) Close Task Manager.
NOTE: If you were not able to terminate the backdoor process from memory as described in the previous procedure, restart your system.
2. Remove the autostart entries from the registry; this prevents the backdoor from executing during startup.
1) Open Registry Editor. To do this, click Start > Run, type Regedit, then press Enter.
2) In the left panel, double-click the following: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
3) In the right panel, locate and delete whichever of these entries is present: WININIT.EXE, WRM.EXE, WGUI.EXE or WOLLF.EXE
4) Close Registry Editor.
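The following audit script checks a host for the indicators named above (the RunServices values, the process names and the two listening ports). It is added here as an example and is not part of the original advisory; it assumes a Windows host with PowerShell 3 or later and only reports findings, it deletes nothing.

```powershell
# Added example (not from the advisory): report-only check for Backdoor.Wollf indicators.
$runServicesKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices'
$knownNames     = @('WININIT.EXE', 'WRM.EXE', 'WGUI.EXE', 'WOLLF.EXE')   # value names from the advisory
$knownPorts     = @(33333, 7614)                                        # TCP ports from the advisory

$findings = @()

# 1. Autostart entries. RunServices is a Windows 9x/Me key and is normally absent on
#    NT-based systems, so its mere presence on a modern host is itself worth a look.
if (Test-Path $runServicesKey) {
    $props = Get-ItemProperty -Path $runServicesKey
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }          # skip PowerShell provider metadata
        $value = [string]$p.Value
        foreach ($n in $knownNames) {
            if ($p.Name -ieq $n -or $value -imatch [regex]::Escape($n)) {
                $findings += "Registry: $runServicesKey\$($p.Name) = $value"
            }
        }
    }
}

# 2. Running processes whose image name matches the advisory. Note that wininit.exe is
#    also a legitimate Windows component under %SystemRoot%\System32, so the full path
#    is reported to let an analyst tell the two apart rather than acting on the name alone.
foreach ($proc in Get-Process -ErrorAction SilentlyContinue) {
    $image = "$($proc.ProcessName).exe"
    if ($knownNames -icontains $image) {
        $path = try { $proc.Path } catch { '<unavailable>' }
        $findings += "Process: PID $($proc.Id) $image path=$path"
    }
}

# 3. Listeners on the documented ports (Get-NetTCPConnection exists on Windows 8/2012 and later).
if (Get-Command Get-NetTCPConnection -ErrorAction SilentlyContinue) {
    foreach ($c in (Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue)) {
        if ($knownPorts -contains $c.LocalPort) {
            $findings += "Listener: TCP $($c.LocalPort) owned by PID $($c.OwningProcess)"
        }
    }
}

if ($findings.Count -eq 0) { 'No Backdoor.Wollf indicators found.' } else { $findings }
```

Run it from an elevated prompt so that process paths and the HKLM key are readable; a match on a process or port is a lead to verify against the registry finding, not proof of infection by itself.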