 |
|
Girlfriend
|
1.Impact:
Possible theft of data and control of the targeted machine
leading to a compromise of all resources the machine is
connected to. This Trojan also has the ability to delete data,
steal passwords and disable the machine.
2.Detailed Information:
This Trojan affects the following operating systems:
Windows 95
Windows 98
Windows ME
Windows NT
Windows 2000
Windows XP
No other systems are affected. This is a windows exceutable that
makes changes to the system registry. When first executed the
Trojan replicates itself and in most cases, gives the copy the
name Windll.exe. This file is located in the <drive>:\windows\
directory.
The Trojan server opens port 21554 by default. This port may be
changed by the attacker's client after initial connection.
3.Attack Scenarios:
This Trojan may be delivered to the target in a number of
ways. This event is indicative of an existing infection being
activated. Initial compromise can be in the form of a Win32
installation program that may use the extension ".jpg" or ".bmp"
when delivered via e-mail for example.
4.Ease of Attack:
This is Trojan activity, the target machine may already be
compromised. Updated virus definition files are essential in
detecting this Trojan.
5.Corrective Action:
Edit the system registry to remove the extra keys or restore a
previously known good copy of the registry.
Affected registry keys are:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
Registry keys added:
Windll.exe
Removal of the file Windll.exe is required. Also end the process
Windll.exe.
A machine reboot may be required to clear the existing process
from running in memory. |
|
