Alias: BackDoor-CEB.c
Type: Backdoor
Size: 234,496 bytes
Origin:
Date: 09-09-2004
Damage: Spreads using different IRC servers.
VDF Version: 6.27.00.52
Danger: Medium
Distribution: Low

General Description
Affected systems:
Windows NT, Windows 2000, Windows XP, Windows Server 2003

Technical Details
This backdoor Trojan is dropped by the email worm Mydoom.U.
When activated, it creates the following registry entry:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dx32cxel]

It creates two copies in the following directories:
%STARTUP%\dx32cpl.exe
%sysdir%\dx32cpl.exe

The following files are created also:
%sysdir%\dx32cxel.sys (4096 bytes)
%sysdir%\dx32cxconf.ini (17 bytes)
%sysdir%\SVKP.SYS (2368 bytes)

The 'hosts' file is modified so that the websites of many antivirus providers cannot be accessed. The 'hosts' file is usually located at:
%sysdir%\drivers\etc\hosts

The following IP addresses are contacted:
62.241.53.2
211.233.41.235
81.23.250.167
193.19.227.24
66.98.192.99
207.44.222.47
213.158.119.104
207.44.206.27
62.241.53.4
216.127.94.107
67.15.18.45
62.241.53.15
64.246.54.12
62.241.53.16
211.214.161.107
67.15.18.57
66.98.144.100
69.50.187.210
66.111.43.80
212.199.125.36
66.90.68.2
62.241.53.17
69.50.228.50
81.23.250.169
69.57.132.8
64.246.18.98
218.78.211.62
207.44.142.33
64.246.16.11
205.209.176.220
80.64.179.46
65.75.161.70
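The two host-level indicators above, the tampered 'hosts' file and outbound contact with the listed IP addresses, can be checked with a small script. The following is an added example written for this page, not Avira's code or part of the original description. It runs over constructed sample data (a hosts file and firewall log lines embedded below). The antivirus hostnames it watches for are assumptions for illustration, since the description does not name the sites that get blocked; the IP list is copied from the description.

```python
"""Added example (not Avira's code): flag two indicators from the
BackDoor-CEB.c description -- antivirus hostnames pinned in the 'hosts'
file, and firewall log entries whose destination is one of the listed IPs.
"""
import re

# IP addresses the description lists as contacted by the backdoor.
CONTACTED_IPS = {
    "62.241.53.2", "211.233.41.235", "81.23.250.167", "193.19.227.24",
    "66.98.192.99", "207.44.222.47", "213.158.119.104", "207.44.206.27",
    "62.241.53.4", "216.127.94.107", "67.15.18.45", "62.241.53.15",
    "64.246.54.12", "62.241.53.16", "211.214.161.107", "67.15.18.57",
    "66.98.144.100", "69.50.187.210", "66.111.43.80", "212.199.125.36",
    "66.90.68.2", "62.241.53.17", "69.50.228.50", "81.23.250.169",
    "69.57.132.8", "64.246.18.98", "218.78.211.62", "207.44.142.33",
    "64.246.16.11", "205.209.176.220", "80.64.179.46", "65.75.161.70",
}

# Assumed antivirus vendor domains to watch for; the description does not
# name the blocked sites, so these are illustrative, not taken from the page.
AV_HOSTNAMES = ("avira.com", "symantec.com", "mcafee.com", "kaspersky.com")


def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text.

    Comments (after '#') and blank lines are ignored; one line may map
    several hostnames to the same address.
    """
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            yield ip, name.lower()


def suspicious_hosts_entries(text):
    """Return hosts entries that pin an antivirus vendor hostname to any address.

    A legitimate hosts file almost never needs such an entry, so every match
    (loopback, 0.0.0.0 or a real address) is worth reviewing, not just the
    loopback case.
    """
    hits = []
    for ip, name in parse_hosts(text):
        if any(name == h or name.endswith("." + h) for h in AV_HOSTNAMES):
            hits.append((ip, name))
    return hits


# Destination field of the constructed firewall log format used below.
_DST_RE = re.compile(r"dst=(\d{1,3}(?:\.\d{1,3}){3})")


def contacted_indicator_ips(log_lines):
    """Return the listed backdoor IPs that appear as destinations in the log lines."""
    found = set()
    for line in log_lines:
        m = _DST_RE.search(line)
        if m and m.group(1) in CONTACTED_IPS:
            found.add(m.group(1))
    return found


# Constructed sample hosts file: two vendor domains pinned to loopback and
# one to 0.0.0.0, plus a harmless internal entry.
SAMPLE_HOSTS = """# constructed sample hosts file
127.0.0.1 localhost
127.0.0.1 www.avira.com
127.0.0.1 avira.com
0.0.0.0   liveupdate.symantec.com
192.168.1.10 fileserver.corp.example
"""

# Constructed sample firewall log lines; port 6667 matches the IRC spreading
# mentioned in the description, the middle line is ordinary web traffic.
SAMPLE_LOG = [
    "2004-09-09 12:00:01 ACCEPT src=192.168.1.23 dst=62.241.53.2 dport=6667",
    "2004-09-09 12:00:05 ACCEPT src=192.168.1.23 dst=93.184.216.34 dport=80",
    "2004-09-09 12:01:10 ACCEPT src=192.168.1.23 dst=207.44.222.47 dport=6667",
]

if __name__ == "__main__":
    for ip, name in suspicious_hosts_entries(SAMPLE_HOSTS):
        print(f"hosts file pins {name} to {ip}")
    for ip in sorted(contacted_indicator_ips(SAMPLE_LOG)):
        print(f"contact with listed indicator IP {ip}")
```

On a real system, read `%sysdir%\drivers\etc\hosts` into `suspicious_hosts_entries` and feed exported firewall or proxy logs to `contacted_indicator_ips` after adapting `_DST_RE` to the log format in use. Any hosts entry for a vendor domain is reported, whatever address it points to, because the redirect target is not what matters for this indicator.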

The above registry entry ensures that the file 'dx32cxel.sys' starts as a service. When it starts, it hides active processes and files from the user.

The following message appears if any active monitoring programs, such as Filemon or Regmon, are detected:
"Application cannot be run with debugger or monitoring tool(s) loaded!
Please unload it and restart the application."

Manual Remove Instructions
To remove the backdoor Trojan, the following registry entry has to be deleted:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dx32cxel]
After restarting Windows, the files listed above must be deleted.
Description inserted by Crony Walker on Tuesday, 15 June 2004
