The backdoor places a server on TCP ports 17499 and 17500, which allows a remote client to connect and perform dozens of functions: retrieve cached passwords, manipulate the current Windows session, modify and retrieve system settings, log all keystrokes, and upload, download and execute arbitrary files.
Affected Application
Microsoft Corporation: Windows 95, 98, 98 Second Edition
Solution
- Delete the server file Registry32.exe and/or server.exe. To do this you will need a program capable of killing running processes, or reboot into DOS mode and delete the file from DOS.
- Open regedit (go to Start, Run, type regedit and click OK) and follow this path: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
- Look for the value "Reg32", right-click it and choose Delete.
- Also follow this path: HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run and delete the same value if found.
- Open system.ini (click Run and type system.ini) and look for the following line: shell=Explorer.exe Registry32.exe
- Change this entry to read: shell=Explorer.exe
- Close and save changes.
- Open win.ini the same way and look for the following line: run=Registry32.exe
- Change that line to read: run=
- Close win.ini and save changes.
- Delete the following files:
  c:\winstart.bat Size: 27 bytes
  c:\WINDOWS\Registry32.exe Size: 333,368 bytes
  c:\WINDOWS\COMMAND\pkzip.exe Size: 42,552 bytes
  c:\WINDOWS\TEMP\~DF127D.TMP Size: 1,536 bytes
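As an added example (not part of the original advisory), the following script checks system.ini and win.ini text for the shell= and run= persistence lines listed above and produces the corrected lines, and flags the "Reg32" value in a Run key. It runs on constructed sample text so it works offline; reading the real files and registry on an affected machine is left to the operator.

```python
"""Detect and undo the Registry32.exe startup entries from the advisory.

Added example, not the advisory's own code. Works on ini text passed as
strings and on a dict of Run-key values (both constructed below)."""

# Indicators taken from the advisory above.
BACKDOOR_EXE = "Registry32.exe"
RUN_VALUE_NAME = "Reg32"


def clean_startup_line(line):
    """Return (cleaned_line, was_infected) for one ini line.

    shell=Explorer.exe Registry32.exe -> shell=Explorer.exe
    run=Registry32.exe                -> run=
    Any other line is returned unchanged."""
    key, sep, value = line.partition("=")
    if not sep or key.strip().lower() not in ("shell", "run"):
        return line, False
    entries = value.split()
    kept = [e for e in entries if not e.lower().endswith(BACKDOOR_EXE.lower())]
    if len(kept) == len(entries):
        return line, False
    return f"{key.strip()}={' '.join(kept)}", True


def scan_ini(text):
    """Scan ini text; return (cleaned_text, list of infected original lines)."""
    cleaned, hits = [], []
    for line in text.splitlines():
        new, hit = clean_startup_line(line)
        cleaned.append(new)
        if hit:
            hits.append(line.strip())
    return "\n".join(cleaned), hits


def infected_run_values(run_key_values):
    """Given value-name -> data from a ...\\CurrentVersion\\Run key, return
    the value names that should be deleted (the advisory's "Reg32")."""
    return [n for n, d in run_key_values.items()
            if n.lower() == RUN_VALUE_NAME.lower()
            or BACKDOOR_EXE.lower() in str(d).lower()]


# Constructed sample input resembling an infected system.ini, win.ini and Run key.
SAMPLE_SYSTEM_INI = "[boot]\nshell=Explorer.exe Registry32.exe\nmouse.drv=mouse.drv\n"
SAMPLE_WIN_INI = "[windows]\nload=\nrun=Registry32.exe\n"
SAMPLE_RUN_KEY = {"Reg32": "c:\\WINDOWS\\Registry32.exe", "ScanRegistry": "scanregw.exe"}

if __name__ == "__main__":
    for name, text in (("system.ini", SAMPLE_SYSTEM_INI), ("win.ini", SAMPLE_WIN_INI)):
        cleaned, hits = scan_ini(text)
        print(f"{name}: infected lines {hits}\n{cleaned}\n")
    print("Run values to delete:", infected_run_values(SAMPLE_RUN_KEY))
```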