Content
Backdoor-AOK
- Type
- Trojan
- SubType
- Remote Access
- Discovery Date
- 01/06/2003
- Length
- 55,296 Bytes (UPX packed)
- Minimum DAT
- 4242 (01/11/2003)
- Updated DAT
- 4387 (08/18/2004)
- Minimum Engine
- N/A
- Description Added
- 01/06/2003
- Description Modified
- 01/06/2003 7:33 AM (PT)
Tab Navigation
Characteristics
This backdoor trojan is written in Visual C++. When the server component runs on the victim machine, port 8961 is opened.
In order to hook system startup, modifications are made to the system Registry and the WIN.INI file:
Registry hook:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices"SysCtl" = sysctl.exe
and WIN.INI hook:
[windows] "run" = C:\windows\sysctl.exeSymptoms
Existence of the system hooks (Registry and WIN.INI file) detailed above.
Method of Infection
- Infected upon execution.
- File gets executed at startup if file exists in C:\windows
Removal
All Windows Users:
Use current engine and DAT files for detection and removal.
Manual Removal Instructions
-
Delete the registry key(s) as mentioned above
Information on deleting registry keys
Restart the computer
Delete the files mentioned above
Variants
Variants
N/A
All Information
Overview -
This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.
Characteristics
Characteristics -
This backdoor trojan is written in Visual C++. When the server component runs on the victim machine, port 8961 is opened.
In order to hook system startup, modifications are made to the system Registry and the WIN.INI file:
Registry hook:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices"SysCtl" = sysctl.exe
and WIN.INI hook:
[windows] "run" = C:\windows\sysctl.exeSymptoms
Symptoms -
Existence of the system hooks (Registry and WIN.INI file) detailed above.
Method of Infection
Method of Infection -
- Infected upon execution.
- File gets executed at startup if file exists in C:\windows
Removal -
Removal -
All Windows Users:
Use current engine and DAT files for detection and removal.
Manual Removal Instructions
-
Delete the registry key(s) as mentioned above
Information on deleting registry keys
Restart the computer
Delete the files mentioned above
Additional Windows ME/XP removal considerations
Variants
Variants -
N/A
