TROJ_QAZ is a Trojan that renames the Notepad application file notepad.exe to note.com and then copies itself to the Windows folder as notepad.exe. This causes the Trojan to be launched every time a user runs Notepad. It has a backdoor that a remote user or hacker can use to connect to and control the computer over port 7597. TROJ_QAZ also adds a Registry entry so that it is loaded every time Windows is started.
Tini is a small and simple backdoor Trojan for Windows operating systems. It listens on port 7777 and gives a hacker a remote command prompt on the target system. To connect to a Tini server, the hacker telnets to port 7777.
Donald Dick is a backdoor Trojan for Windows OSs that allows a hacker full access to a system over the Internet. The hacker can read, write, delete, or run any program on the system. Donald Dick also includes a keylogger and a Registry parser, and can perform functions such as opening or closing the CD-ROM tray. The attacker uses the client to send commands to the victim listening on a predefined port. Donald Dick uses default port 23476 or 23477.
NetBus is a Windows GUI Trojan program and is similar in functionality to Donald Dick. It adds the Registry key HKEY_CURRENT_USER\NetBus Server and modifies the HKEY_CURRENT_USER\NetBus Server\General\TCPPort key. If NetBus is configured to start automatically, it adds a Registry entry called NetBus Server Pro in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices.
SubSeven is a Trojan that can be configured to notify a hacker when the infected computer connects to the Internet and to report information about the system to the hacker. This notification can be sent over an IRC network, by ICQ, or by email. SubSeven can cause a system to slow down and generate error messages on the infected system.
Back Orifice 2000 is a remote administration tool that an attacker can use to control a system across a TCP/IP connection using a GUI. Back Orifice doesn't appear in the task list or list of processes, and it adds itself to the Registry so that it runs every time the computer is started. The filename that it runs under is configurable before it's installed. Back Orifice modifies the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices Registry key. Back Orifice plug-ins add features to the Back Orifice program. Plug-ins include cryptographically strong Triple DES encryption, a remote desktop with optional mouse and keyboard control, drag-and-drop encrypted file transfers, Explorer-like file system browsing, graphical remote Registry editing, reliable UDP and ICMP communications protocols, and stealth capabilities that are achieved by using ICMP instead of TCP and UDP.
BoSniffer appears to be a fix for Back Orifice but is actually a Back Orifice server with the SpeakEasy plug-in installed. If BoSniffer.exe, the BoSniffer executable, is run on a target system, it attempts to log on to a predetermined IRC server on channel #BO_OWNED with a random username. It then proceeds to announce its IP address and a custom message every few minutes so that the hacker community can use this system as a zombie for future attacks.
ComputerSpy Key Logger is a program that a hacker can use to record computer activities on a computer, such as websites visited; logins and passwords for ICQ, MSN, AOL, AIM, and Yahoo! Messenger or webmail; current applications that are running or executed; Internet chats; and email. The program can even take snapshots of the entire Windows desktop at set intervals.
Beast is a Trojan that runs in the memory allocated for the WinLogon.exe service. Once installed, the program inserts itself into Windows Explorer or Internet Explorer. One of Beast's most distinct features is that it's an all-in-one Trojan, meaning the client, the server, and the server editor are stored in the same application.
CyberSpy is a telnet Trojan that copies itself into the Windows system directory and registers itself in the system Registry so that it starts each time an infected system is rebooted. Once this is done, it sends a notice via email or ICQ and then begins to listen on a previously specified TCP/IP port.
Subroot is a remote administration Trojan that a hacker can use to connect to a victim system on TCP port 1700.
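The descriptions of TROJ_QAZ, Tini, Donald Dick, NetBus, Back Orifice, and Subroot above each state a concrete host indicator: a listening port, a Registry key, or a renamed file. The following added example (not from the original text) checks constructed `netstat -an` output, a constructed `.reg` export, and a constructed Windows-folder listing against exactly those indicators; every sample value in it is made up for illustration, and the RunServices check lists all entries there for review because Back Orifice's autostart filename is configurable.

```python
import re

# Listening ports stated in the descriptions above, keyed to the Trojan.
TROJAN_PORTS = {7597: "TROJ_QAZ", 7777: "Tini", 23476: "Donald Dick",
                23477: "Donald Dick", 1700: "Subroot"}
RUNSERVICES = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices"
NETBUS_KEY = r"HKEY_CURRENT_USER\NetBus Server"

def check_listeners(netstat_lines):
    """Flag TCP listeners on ports the Trojans above are stated to use."""
    hits = []
    for line in netstat_lines:
        m = re.match(r"\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING", line)
        if m and int(m.group(1)) in TROJAN_PORTS:
            hits.append((int(m.group(1)), TROJAN_PORTS[int(m.group(1))]))
    return hits

def check_registry(reg_lines):
    """Walk a .reg export: flag the NetBus key and every RunServices value
    (NetBus uses 'NetBus Server Pro'; Back Orifice's name is configurable,
    so any other RunServices entry is reported for manual review)."""
    findings, key = [], ""
    for line in reg_lines:
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            if key.lower().startswith(NETBUS_KEY.lower()):
                findings.append(("NetBus", key))
        elif key.lower() == RUNSERVICES.lower() and line.startswith('"'):
            name = line.split("=", 1)[0].strip('"')
            label = "NetBus autostart" if name.lower() == "netbus server pro" \
                else "RunServices entry (review)"
            findings.append((label, name))
    return findings

def check_windows_dir(filenames):
    """TROJ_QAZ renames notepad.exe to note.com and drops its own notepad.exe,
    so both names present in the Windows folder is the indicator."""
    names = {f.lower() for f in filenames}
    return "note.com" in names and "notepad.exe" in names

# Constructed sample inputs (not captured from any real system).
NETSTAT = ["  TCP    0.0.0.0:135      0.0.0.0:0    LISTENING",
           "  TCP    0.0.0.0:7777     0.0.0.0:0    LISTENING",
           "  TCP    0.0.0.0:23476    0.0.0.0:0    LISTENING"]
REG = ["[HKEY_CURRENT_USER\\NetBus Server\\General]", '"TCPPort"="1234"',
       "[" + RUNSERVICES + "]", '"NetBus Server Pro"="C:\\\\WINDOWS\\\\placeholder.exe"']
WINDIR = ["explorer.exe", "notepad.exe", "note.com"]

if __name__ == "__main__":
    print(check_listeners(NETSTAT), check_registry(REG), check_windows_dir(WINDIR))
```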
LetMeRule! is a remote access Trojan that can be configured to listen on any port on a target system. It includes a command prompt that an attacker uses to control the target system. It can delete all files in a specific directory, execute files on the remote host, or view and modify the Registry.
Firekiller 2000 disables antivirus programs and software firewalls. For instance, if Norton AntiVirus is in auto scan mode in the Taskbar and AtGuard Firewall is activated, the program stops both on execution and makes the installations of both unusable on the hard drive. They must then be reinstalled to restore their functionality. Firekiller 2000 works with all major protection software, including AtGuard, Norton AntiVirus, and McAfee Antivirus.
The Hard Drive Killer Pro programs offer the ability to fully and permanently destroy all data on any given DOS or Windows system. Once executed, the program deletes files, infects the system, and reboots it within a few seconds. After rebooting, all hard drives attached to the system are formatted in an unrecoverable manner within only one to two seconds, regardless of the size of the hard drive.