BackDoor-DIY
- Type: Trojan
- SubType: Remote Access
- Discovery Date: 07/31/2006
- Length: varies
- Minimum DAT: 4818 (07/31/2006)
- Updated DAT: 5438 (11/18/2008)
- Minimum Engine: 5.1.00
- Description Added: 07/31/2006
- Description Modified: 06/07/2007 8:50 PM (PT)
Overview
This trojan is a remote access trojan. Several variants exist, and the specific actions taken on an infected host are chosen by the attacker operating it, so this description is a general guide. Newer variants require the latest DATs for detection.
Aliases
- Backdoor:Win32/Glupzy.A (Microsoft)
- Trj/Flashy.A (Panda)
- Troj/Glupzy-A (Sophos)
- Trojan.Win32.Disabler.i (Kaspersky)
- Win32/Glupzy.A (CA)
- WORM_FLASHY.B (Trend Micro)
Characteristics
Upon execution, the trojan drops a copy of itself to the following files:
- %SystemDir%\Flashy.exe
- %UserProfile%\Start Menu\Programs\Startup\systemID.pif
It sets the following registry values:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  "Flashy Bot" = %SystemDir%\Flashy.exe
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
  "Hidden" = 2
  "HideFileExt" = 1
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
  "NoFolderOptions" = 1
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
  "DisableTaskMgr" = 1
  "DisableRegistryTools" = 1
The Run value provides persistence; the Explorer\Advanced values keep hidden files and file extensions out of view (both are also the Windows defaults, so on their own they are weak indicators); the Policies values remove Folder Options from Explorer and block Task Manager and Registry Editor, so the user cannot easily find or stop the trojan.
The trojan creates the mutex "||Flashy||" so that only one instance runs. It starts the Windows Telnet service with the following command:
- "net start telnet"
It also runs the following command, reproduced here as recorded. The string has the argument form of a net user command that adds or modifies a local account, so local accounts on an infected host should be reviewed:
- "user adminitdHator hacked"
Symptoms
- Presence of the files and registry values listed under Characteristics.
- Hidden files and file extensions are not shown in Explorer, and Folder Options is missing from the Explorer menu (NoFolderOptions).
- Task Manager and Registry Editor refuse to open (DisableTaskMgr, DisableRegistryTools).
- The Telnet service is running although the administrator did not enable it.
Method of Infection
Some variants can copy themselves to the following drives.
- D:
- E:
- F:
- G:
- H:
- I:
- J:
Removal
All Users:
Use current engine and DAT files for detection and removal.
Modifications made to the system registry and/or INI files for the purpose of hooking system startup will be removed when cleaning with the recommended engine and DAT combination (or higher).
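The artifacts listed under Characteristics and the cleanup described under Removal, as an added host-triage example. This is not McAfee tooling and not code from the description; it assumes an elevated PowerShell 5.1+ session on the suspect host. The service name TlntSvr, the process names and the filenames checked on drive roots D: through J: are assumptions; every other indicator is transcribed from the description above.

```powershell
# Added triage/remediation example for this description; not McAfee's tooling.
# Assumptions: elevated PowerShell 5.1+ on the suspect host; 'TlntSvr', the
# process names and the drive-root filenames are assumptions, the remaining
# indicators are transcribed from the description.

$SystemDir  = [Environment]::GetFolderPath('System')
$StartupDir = [Environment]::GetFolderPath('Startup')   # per-user Startup folder

$Indicators = @{
    Files = @((Join-Path $SystemDir 'Flashy.exe'), (Join-Path $StartupDir 'systemID.pif'))
    Run   = @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'; Name = 'Flashy Bot' }
    # Weak = the value the trojan writes is also the Windows default, so it only
    # corroborates; the Policies values are the strong indicators.
    Policy = @(
        @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name = 'Hidden';               Bad = 2; Weak = $true  },
        @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name = 'HideFileExt';          Bad = 1; Weak = $true  },
        @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoFolderOptions';      Bad = 1; Weak = $false },
        @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableTaskMgr';       Bad = 1; Weak = $false },
        @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableRegistryTools'; Bad = 1; Weak = $false }
    )
    Mutex     = '||Flashy||'
    Service   = 'TlntSvr'                      # assumed service name of the Telnet service
    Processes = 'Flashy', 'systemID'           # assumed process names of the dropped files
    Drives    = 'D', 'E', 'F', 'G', 'H', 'I', 'J'
}

function Test-FlashyArtifacts {
    $findings = New-Object System.Collections.Generic.List[string]
    foreach ($f in $Indicators.Files) {
        if (Test-Path -LiteralPath $f) { $findings.Add("file present: $f") }
    }
    # Copies on secondary drives: the description gives no filename there, so
    # the same two names are assumed.
    foreach ($d in $Indicators.Drives) {
        foreach ($n in 'Flashy.exe', 'systemID.pif') {
            $candidate = "${d}:\$n"
            if (Test-Path -LiteralPath $candidate) { $findings.Add("file present: $candidate") }
        }
    }
    $run = Get-ItemProperty -Path $Indicators.Run.Path -Name $Indicators.Run.Name -ErrorAction SilentlyContinue
    if ($run) { $findings.Add("Run value '$($Indicators.Run.Name)' = $($run.($Indicators.Run.Name))") }
    foreach ($pol in $Indicators.Policy) {
        $v = Get-ItemProperty -Path $pol.Path -Name $pol.Name -ErrorAction SilentlyContinue
        if ($v -and $v.($pol.Name) -eq $pol.Bad) {
            $tag = if ($pol.Weak) { 'weak' } else { 'strong' }
            $findings.Add("$tag indicator: $($pol.Path)\$($pol.Name) = $($pol.Bad)")
        }
    }
    # OpenExisting throws WaitHandleCannotBeOpenedException when no such mutex
    # exists; an access-denied error still proves the mutex (and the bot) is present.
    try {
        $m = [System.Threading.Mutex]::OpenExisting($Indicators.Mutex); $m.Dispose()
        $findings.Add("mutex '$($Indicators.Mutex)' is held: the bot is running")
    } catch [System.Threading.WaitHandleCannotBeOpenedException] {
    } catch [System.UnauthorizedAccessException] {
        $findings.Add("mutex '$($Indicators.Mutex)' exists (access denied): the bot is running")
    }
    $svc = Get-Service -Name $Indicators.Service -ErrorAction SilentlyContinue
    if ($svc -and $svc.Status -eq 'Running') { $findings.Add("Telnet service is running (cf. 'net start telnet')") }
    return $findings
}

function Remove-FlashyArtifacts {
    # Kill the bot first so its files can be deleted, then remove persistence,
    # restore the Explorer/Task Manager/Registry Editor settings and stop Telnet.
    Get-Process -Name $Indicators.Processes -ErrorAction SilentlyContinue | Stop-Process -Force
    Remove-ItemProperty -Path $Indicators.Run.Path -Name $Indicators.Run.Name -ErrorAction SilentlyContinue
    foreach ($pol in $Indicators.Policy) {
        # Deleting each value returns that setting to the Windows default.
        Remove-ItemProperty -Path $pol.Path -Name $pol.Name -ErrorAction SilentlyContinue
    }
    foreach ($f in $Indicators.Files) {
        if (Test-Path -LiteralPath $f) { Remove-Item -LiteralPath $f -Force }
    }
    $svc = Get-Service -Name $Indicators.Service -ErrorAction SilentlyContinue
    if ($svc) { Stop-Service -Name $Indicators.Service -ErrorAction SilentlyContinue }
}

Test-FlashyArtifacts
```

Run Test-FlashyArtifacts first and keep its output as the triage record; run Remove-FlashyArtifacts only after the host has been scanned with the current engine and DATs, since the script only covers the artifacts this description lists and a variant may drop different names. Because of the recorded "user adminitdHator hacked" command string, also review the local account list (for example with net user) and remove any account the administrator did not create.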
Variants
N/A