Tool-ByShell
Type: Program
SubType: Tool
Discovery Date: 03/01/2005
Minimum DAT: 4436 (03/01/2005)
Updated DAT: 5160 (11/09/2007)
Minimum Engine: 5.1.00
Description Added: 03/01/2005
Description Modified: 12/20/2005 7:07 AM (PT)
Characteristics
This description covers several different versions of this application. The versions we have received often differ in size and even in behaviour.
Typically, these are console applications and do not have a GUI (Graphical User Interface).
Once executed, the application prompts the user to enter the "server IP address" to connect to and, in some cases, a password to use. The default password is "by".
This application can allow remote access to the compromised machine.
We have not yet seen a version that modifies the compromised machine so that the application is started again at system startup.
Removal
All Users:
Please use the following instructions for all supported versions of Windows to remove threats and other potential risks:
1. Disable System Restore (Windows ME/XP only).
2. Update to the current engine and DAT files for detection and removal.
3. Run a complete system scan.
Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).
General repair may be unsuccessful in some instances. If this occurs, please submit a sample for further evaluation.
Aliases
N/A