February 14th, 2002, 12:03 AM
High Risk Trojan Alert - Backdoor.NetDevil
Discovered on: February 13, 2002
Last Updated on: February 13, 2002 at 10:49:01 AM PST
Backdoor.NetDevil allows a hacker to remotely control an infected computer.
Type: Trojan Horse
Payload Trigger: Running Backdoor.NetDevil
Releases confidential info: Keystrokes can be logged and sent to the hacker
Compromises security settings: Allows unauthorized access to the compromized computer
When Backdoor.NetDevil is run, it does the following:
It copies itself to the %System% folder. The file name that it uses may vary, because the hacker who creates this Backdoor Trojan can choose any desired file name.
NOTE: %System% is a variable. The worm locates the \Windows\System folder (by default this is C:\Windows\System or C:\Winnt\System32) and copies itself to that location.
It adds a value that refers to the dropped file to one of the following registry keys:
When the hacker creates the BackDoor.NetDevil server file, there are many functions that can be added. For example, it can be programmed to:
Display a fake error message to conceal its true nature.
Choose the ports that are used by the backdoor to communicate with the hacker. By default, it uses port 901 for direct control, port 902 for communicating logged key strokes, and port 903 for file transfer.
Use different notification methods to send information to the hacker about the compromised computer.
Attempt to kill running firewall and antivirus processes.
If Backdoor.NetDevil is run, it allows the hacker to remotely take control over the compromised computer, and can include:
Full control over the file system
Upload to and download from the host computer
Run files of the hacker's choice
Kill running processes
View the screen
Log key strokes
Annoying actions, such as manipulate the mouse, open and close the CD-ROM drive, turn the monitor on and off, and so on.
Possible system changes
If the Trojan was run and a hacker executed files on the computer, it may be difficult to determine exactly what was done, even after you remove the Trojan. If you are familiar with your operating system and how to use system repair or system checking tools, we suggest that you fully check the system for any of these modifications and undo them. Otherwise, consider reinstalling the Windows operating system.
I used to be With IT. But then they changed what IT was. Now what I'm with isn't IT, and what's IT seems scary and weird." - Abe Simpson
February 14th, 2002, 12:13 AM
Very good to know. Time for everyone to update there virus software.
LAMO nice signature
February 14th, 2002, 12:23 AM
Just another wannabe RAT to cause more problems with the newbies.
Do i feel this will go any further? no cause its just like netbus... lame and already out done by other programers.
sub7 is the one u have to look out for because of how widely it is used and how easy it is 2 edit and asuch.
But even sub7 isnt used much anymore.. mainly trojans like litmus, XOT, SD bot and others are mainly used these days but thier just pretty much for DDoS and some simple task.
[shadow]i have a herd of 1337 sheep[/shadow]
Worth should be judged on quality... Not apperance... Anyone can sell you **** inside a pretty box.. The only real gift then is the box..
February 19th, 2004, 10:51 PM
NO I had not heard of that one, thank you for the update.