Details
Backdoor.TheThing
This text was written by Peter Szor, Data Fellows Ltd
This backdoor copies itself to the Windows directory under the name EXPIORE.EXE and to the Windows\system directory under the name RUNDLI.EXE. Both names imitate legitimate Windows files (EXPLORER.EXE and RUNDLL.EXE) with an upper-case "I" in place of the "L", so they are easy to overlook in a directory listing. It then makes itself run at every Windows start-up, either by modifying the shell= line in the [boot] section of SYSTEM.INI or by adding itself to the Run key of the registry.
When executed, it tries to connect to wnp.icq.com and send an ICQ message to user number 111138. At the time of writing this ID was owned by a hacker calling himself "Of Hacker Anarchy Warrior"; the message tells him that the backdoor is running on that particular machine. The program then starts listening for incoming connections, so the hacker can connect to the machine, communicate with the backdoor and retrieve information from it.
To remove it, stop the running process first (a file that is in use cannot be deleted), then delete EXPIORE.EXE from the Windows directory and RUNDLI.EXE from the Windows\system directory. Finally, restore the shell= line in SYSTEM.INI so that it no longer starts EXPIORE.EXE, or remove the corresponding entry from the Run key of the registry, depending on which start-up method the backdoor used.
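The check and clean-up described above, as an added example that is not part of the original description: a small Python script that parses SYSTEM.INI text, flags the two filenames the description reports (and any other name that turns into a legitimate Windows filename when "I" or "1" is read as "L"), and rewrites the shell= line without them. The sample SYSTEM.INI content is constructed for illustration, and the layout it assumes (the backdoor appended to an existing shell=Explorer.exe line) is an assumption, not something the description states.

```python
# Added example: detect and remove a TheThing-style entry from SYSTEM.INI.
# Not the original description's code; the sample INI text below is constructed.

# Names the description reports for TheThing, and the legitimate Windows
# filenames they imitate (an upper-case "I" standing in for "L").
KNOWN_BAD_NAMES = {"EXPIORE.EXE", "RUNDLI.EXE"}
LEGIT_NAMES = {"EXPLORER.EXE", "EXPLORE.EXE", "RUNDLL.EXE", "RUNDLL32.EXE"}

# Constructed sample of an infected SYSTEM.INI (assumption: the backdoor
# appends its own path to the existing shell= line in [boot]).
SAMPLE_SYSTEM_INI = (
    "[boot]\r\n"
    "shell=Explorer.exe C:\\WINDOWS\\EXPIORE.EXE\r\n"
    "drivers=mmsystem.dll\r\n"
    "[386Enh]\r\n"
    "device=*vpd\r\n"
)


def basename(path):
    """Return the upper-cased filename part of a DOS/Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].upper()


def is_lookalike(path):
    """True if the filename is one of the known bad names, or becomes a
    legitimate name once the confusable characters I/1 are read as L."""
    name = basename(path)
    if name in LEGIT_NAMES:
        return False
    if name in KNOWN_BAD_NAMES:
        return True
    normalized = name.replace("I", "L").replace("1", "L")
    return normalized in LEGIT_NAMES


def boot_shell_tokens(ini_text):
    """Return the whitespace-separated entries of the shell= line in [boot]."""
    section = None
    for line in ini_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            section = stripped[1:-1].lower()
        elif section == "boot" and "=" in stripped:
            key, value = stripped.split("=", 1)
            if key.strip().lower() == "shell":
                return value.split()
    return []


def suspicious_shell_entries(ini_text):
    """Entries on the [boot] shell= line that look like TheThing's files."""
    return [token for token in boot_shell_tokens(ini_text) if is_lookalike(token)]


def clean_system_ini(ini_text):
    """Return the INI text with lookalike entries removed from shell=.
    Line endings and every other line are preserved; if nothing legitimate
    is left on the shell line it is reset to Explorer.exe."""
    out = []
    section = None
    for line in ini_text.splitlines(keepends=True):
        body = line.rstrip("\r\n")
        ending = line[len(body):]
        stripped = body.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            section = stripped[1:-1].lower()
        elif section == "boot" and "=" in stripped:
            key, value = stripped.split("=", 1)
            if key.strip().lower() == "shell":
                kept = [t for t in value.split() if not is_lookalike(t)]
                body = "shell=" + (" ".join(kept) if kept else "Explorer.exe")
        out.append(body + ending)
    return "".join(out)


if __name__ == "__main__":
    print("suspicious:", suspicious_shell_entries(SAMPLE_SYSTEM_INI))
    print(clean_system_ini(SAMPLE_SYSTEM_INI))
```

The same `is_lookalike` test should be applied to the values found under the registry Run key, since the description says the backdoor may use either start-up method; the script only covers the SYSTEM.INI case because the registry cannot be parsed from a text file offline in the same way.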