Backdoor.NetDevil
Discovered on: February 13, 2002
Last Updated on: February 13, 2002 at 10:49:01 AM PST


Backdoor.NetDevil allows a hacker to remotely control an infected computer.


Type: Trojan Horse


Threat Assessment:


Wild: Low
Damage: High
Distribution: Low

Payload Trigger: Running Backdoor.NetDevil
Payload:
Releases confidential info: Keystrokes can be logged and sent to the hacker
Compromises security settings: Allows unauthorized access to the compromised computer

Technical description:


When Backdoor.NetDevil is run, it does the following:

It copies itself to the %System% folder. The file name that it uses may vary, because the hacker who creates this Backdoor Trojan can choose any desired file name.

NOTE: %System% is a variable. The Trojan locates the \Windows\System folder (by default this is C:\Windows\System or C:\Winnt\System32) and copies itself to that location.

It adds a value that refers to the dropped file to one of the following registry keys:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices

When the hacker builds the Backdoor.NetDevil server file, many optional functions can be enabled. For example, it can be programmed to:

Display a fake error message to conceal its true nature.
Use ports chosen by the hacker to communicate with the hacker. By default, it uses port 901 for direct control, port 902 for sending logged keystrokes, and port 903 for file transfer.
Use different notification methods to send information to the hacker about the compromised computer.
Attempt to kill running firewall and antivirus processes.
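The two host-side checks that follow from the description above (a Run or RunServices value that launches a file dropped in %System%, and listeners on the default ports 901 to 903), as an added Python example that is not part of the original write-up. It runs offline over constructed sample text shaped like a .reg export and like netstat -ano output; the value name Loader and the file name srvx.exe in the sample are invented placeholders, because the hacker chooses the file name, and the ports are defaults the hacker can change, so this is a triage aid rather than a detection signature.

```python
"""Triage checks for the two host-side indicators the write-up gives for
Backdoor.NetDevil: a Run/RunServices value that starts a file dropped in
%System%, and listeners on the default ports 901 (control), 902 (keystroke
log) and 903 (file transfer). Both are hacker-configurable, so an empty
result does not prove the host is clean; a hit is a lead, not a verdict."""

RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices",
)
DEFAULT_PORTS = {901: "direct control", 902: "keystroke log", 903: "file transfer"}
# Default %System% locations named in the write-up (no trailing backslash).
SYSTEM_DIRS = (r"c:\windows\system", r"c:\winnt\system32")


def parse_reg_export(text):
    """Parse the text of a 'reg export' / .reg dump into {key: {name: data}}.
    Only quoted REG_SZ values are handled, which is all the Run keys normally
    hold. A .reg file doubles every backslash in string data, so undo that."""
    result = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            result.setdefault(current, {})
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, data = line.partition("=")
            result[current][name.strip('"')] = data.strip('"').replace("\\\\", "\\")
    return result


def suspicious_run_entries(reg):
    """Return (key, value_name, command) for Run/RunServices values whose
    target sits in %System%, the folder the Trojan copies itself to.
    Legitimate Windows components start from there too, so review each hit."""
    by_key = {k.lower(): v for k, v in reg.items()}  # registry keys are case-insensitive
    hits = []
    for key in RUN_KEYS:
        for name, command in by_key.get(key.lower(), {}).items():
            target = command.strip().strip('"').lower()
            if any(target.startswith(d + "\\") for d in SYSTEM_DIRS):
                hits.append((key, name, command))
    return hits


def netdevil_listeners(netstat_output):
    """Scan 'netstat -an' (optionally -o) output for TCP listeners on the
    default NetDevil ports. Returns (port, role, pid_or_None) per hit."""
    hits = []
    for line in netstat_output.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "TCP" or parts[3] != "LISTENING":
            continue
        port_text = parts[1].rsplit(":", 1)[-1]  # also copes with [::]:901
        if not port_text.isdigit():
            continue
        port = int(port_text)
        if port in DEFAULT_PORTS:
            pid = parts[4] if len(parts) > 4 else None
            hits.append((port, DEFAULT_PORTS[port], pid))
    return hits


# Constructed sample data. "Loader" and srvx.exe are invented placeholders:
# the hacker picks the dropped file name, so no real indicator exists here.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"Loader"="C:\\WINDOWS\\SYSTEM\\srvx.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"SchedulingAgent"="mstask.exe"
'''

SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       720
  TCP    0.0.0.0:901            0.0.0.0:0              LISTENING       1488
  TCP    0.0.0.0:902            0.0.0.0:0              LISTENING       1488
  TCP    192.168.1.5:139        0.0.0.0:0              LISTENING       4
  UDP    0.0.0.0:445            *:*                                    4
"""

if __name__ == "__main__":
    for key, name, command in suspicious_run_entries(parse_reg_export(SAMPLE_REG)):
        print(f"autostart from %System%: {key}\\{name} = {command}")
    for port, role, pid in netdevil_listeners(SAMPLE_NETSTAT):
        print(f"listener on default NetDevil port {port} ({role}), pid {pid}")
```

On a live system, feed it the text produced by reg export of the two Run keys and by netstat -an (add -o for the owning PID where that netstat version supports it), then match the PID of any 901 to 903 listener against the running process list before deciding which autostart entry is the dropped file. Because the file name and the ports are both set by the hacker when the server is built, a host that passes both checks still needs the usual antivirus scan.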

If Backdoor.NetDevil is run, it allows the hacker to take remote control of the compromised computer. Depending on how the server was built, this can include:
Full control over the file system
Upload to and download from the host computer
Run files of the hacker's choice
Kill running processes
Display messages
View the screen
Log key strokes
Nuisance actions, such as manipulating the mouse, opening and closing the CD-ROM drive, turning the monitor on and off, and so on.


Additional information:

Possible system changes
If the Trojan was run and a hacker executed files on the computer, it may be difficult to determine exactly what was done, even after you remove the Trojan. If you are familiar with your operating system and how to use system repair or system checking tools, we suggest that you fully check the system for any of these modifications and undo them. Otherwise, consider reinstalling the Windows operating system.