Content
Parlay
- Type
- Trojan
- SubType
- -
- Discovery Date
- 10/08/2003
- Length
- Varies
- Minimum DAT
- 4297 (10/08/2003)
- Updated DAT
- 4297 (10/08/2003)
- Minimum Engine
- 5.1.00
- Description Added
- 11/18/2003
- Description Modified
- 11/18/2003 4:47 PM (PT)
Tab Navigation
Characteristics
This detection is for a remote proxy trojan. That allows the remote hacker to connect to other systems via the compromised system and so obscure his tracks when either hacking into or attacking a another system.
Installation
Upon execution, the trojan installs itself into the %Sys32Dir% directory as REALUPD.EXE.
(Where %Sys32dir% is the Windows System32 directory, for example C:\WINDOWS\SYSTEM32)For example:
C:\WINDOWS\SYSTEM32\REALUPD.EXE
The following Registry key(s) is/are added to hook system startup:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
Run "Real Player Updater" = "%Sys32Dir%\realupd.exe"
Functionality
Once running on the victim machine, the server component opens a random high numbered socket (above 1024) to accept remote connections. The trojan also attempts to connect to an specific IP address in order to upload the IP address and port number of the compromised system to allow the hacker to know which port to use to connect to the compromised system. At this time this IP address is not accessable.
Symptoms
- A port number above 1024 open and listening
- Existence of the files/Registry keys detailed above
Method of Infection
Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email, etc. This trojan uses an additional file containing a VBS script to install the trojan from the initial location to the %Sys32Dir% folder. This script is detected as VBS/Parlay trojan.
Removal
All Users:
Use specified engine and DAT files for detection and removal.
Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).
Variants
Variants
N/A
All Information
Overview -
This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.
Aliases
- VBS/Parlay
Characteristics
Characteristics -
This detection is for a remote proxy trojan. That allows the remote hacker to connect to other systems via the compromised system and so obscure his tracks when either hacking into or attacking a another system.
Installation
Upon execution, the trojan installs itself into the %Sys32Dir% directory as REALUPD.EXE.
(Where %Sys32dir% is the Windows System32 directory, for example C:\WINDOWS\SYSTEM32)For example:
C:\WINDOWS\SYSTEM32\REALUPD.EXE
The following Registry key(s) is/are added to hook system startup:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
Run "Real Player Updater" = "%Sys32Dir%\realupd.exe"
Functionality
Once running on the victim machine, the server component opens a random high numbered socket (above 1024) to accept remote connections. The trojan also attempts to connect to an specific IP address in order to upload the IP address and port number of the compromised system to allow the hacker to know which port to use to connect to the compromised system. At this time this IP address is not accessable.
Symptoms
Symptoms -
- A port number above 1024 open and listening
- Existence of the files/Registry keys detailed above
Method of Infection
Method of Infection -
Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email, etc. This trojan uses an additional file containing a VBS script to install the trojan from the initial location to the %Sys32Dir% folder. This script is detected as VBS/Parlay trojan.
Removal -
Removal -
All Users:
Use specified engine and DAT files for detection and removal.
Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).
Additional Windows ME/XP removal considerations
Variants
Variants -
N/A
