Digos Community Forums

 Backdoor.Ranky.X

wenzy18 (Admin)
Posted: Sun Mar 02, 2008 7:38 pm
Subject: Backdoor.Ranky.X

Discovered: August 14, 2006
Updated: February 13, 2007 12:58:14 PM
Type: Trojan Horse
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP


When Backdoor.Ranky.X is executed, it performs the following actions:

1. Creates one of the following files:

%Windir%\nrcs.exe
%Windir%\mapping\svchost.exe
%Windir%\security\svchost.exe
%Windir%\config\svchost.exe

Note: %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.

2. May create the following service, which points to one of the above files:

cfgBackupSvc

3. Adds one of the following values:

"Microsoft (R) Windows Vista/NT Runtime Compatibility Service" = "%Windir%\nrcs.exe"
"Microsoft (R) Windows Configuration Backup Service" = "c:\WINDOWS\config\svchost.exe"
"Microsoft (R) Windows Configuration Backup Service" = "c:\WINDOWS\mapping\svchost.exe"
"Microsoft (R) Windows Configuration Backup Service" = "c:\WINDOWS\security\svchost.exe"

to the registry subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

so that it runs every time Windows starts.

4. Adds one of the following values:

"c:\WINDOWS\config\svchost.exe" = "%Windir%\mapping\svchost.exe:*:Microsoft (R) Windows Configuration Backup Service"
"c:\WINDOWS\config\svchost.exe" = "%Windir%\security\svchost.exe:*:Microsoft (R) Windows Configuration Backup Service"
"c:\WINDOWS\config\svchost.exe" = "%Windir%\config\svchost.exe:*:Microsoft (R) Windows Configuration Backup Service"

to the registry subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List

5. Adds one of the following values:

"Shell" = "Explorer.exe c:\WINDOWS\config\svchost.exe"
"Shell" = "Explorer.exe c:\WINDOWS\mapping\svchost.exe"
"Shell" = "Explorer.exe c:\WINDOWS\security\svchost.exe"

to the following registry subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

6. Modifies one of the following values:

"Userinit" = "C:\WINDOWS\system32\userinit.exe,c:\WINDOWS\config\svchost.exe"
"Userinit" = "C:\WINDOWS\system32\userinit.exe,c:\WINDOWS\mapping\svchost.exe"
"Userinit" = "C:\WINDOWS\system32\userinit.exe,c:\WINDOWS\security\svchost.exe"

in the following registry subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

7. Modifies the value:

"DisableSR" = "1"

in the following registry subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore

8. Modifies the value:

"SFCDisable" = "4"

in the following registry subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

9. Modifies the value:

"Start" = "4"

in the following registry subkey:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess

10. Modifies the values:

"Hidden" = "0"
"ShowSuperHidden"

in the following registry subkey:

HKEY_ALL_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced

11. Adds the value:

"Shell" = "%Windir%\nrcs.exe"

to the registry subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
HKEY_ALL_USERS\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit

12. Deletes all entries from the following subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List

13. Creates the following subkeys:

HKEY_LOCAL_MACHINE\SOFTWARE\Tmp
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ntrcs

14. Creates the mutex named "WVNRCS32_Class_", so that only one instance of the threat runs on the compromised computer.

15. Contacts the following server with an infection notification:

yu.haxx.biz

16. Connects to the following server on TCP port 25:

mxs.mail.ru

17. Acts as a proxy server, sending any information received from the mxs.mail.ru server to the attacker, and vice versa.

18. May attempt to delete some registry values in order to prevent certain applications from running.

19. Opens a back door on a random TCP port on the compromised computer.
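A way to check a machine for the indicators listed in the post above, added here as an example; it is not part of the original post or of the vendor write-up it reproduces. The script parses a regedit export (`regedit /e` or `reg export` output, UTF-16 text) of the keys named in steps 3 to 9 and flags the Run value, the Winlogon Shell and Userinit hijacks, SFCDisable, DisableSR, the disabled SharedAccess service and the firewall exception. The sample export is constructed, the %windir% normalisation assumes the default C:\Windows or C:\Winnt install path the write-up mentions, and folding ControlSet001 into CurrentControlSet is my assumption; the indicator list itself comes from the write-up.

```python
"""Triage a regedit export (.reg text) for the Backdoor.Ranky.X persistence and
defence-evasion entries. Added example: indicators from the write-up, the rest is mine."""
import re
import sys

# Files the write-up says are dropped, normalised to lower-case with %windir%.
DROPPED_FILES = {r"%windir%\nrcs.exe", r"%windir%\mapping\svchost.exe",
                 r"%windir%\security\svchost.exe", r"%windir%\config\svchost.exe"}
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
WINLOGON_KEY = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"
SYSRESTORE_KEY = r"hkey_local_machine\software\microsoft\windows nt\currentversion\systemrestore"
SHAREDACCESS_KEY = r"hkey_local_machine\system\currentcontrolset\services\sharedaccess"
FIREWALL_LIST_KEY = SHAREDACCESS_KEY + r"\parameters\firewallpolicy\standardprofile\authorizedapplications\list"
_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')

def _unescape(s: str) -> str:
    # .reg string syntax writes \\ for a backslash and \" for a quote.
    return s.replace('\\"', '"').replace("\\\\", "\\")

def parse_reg_export(text: str) -> dict[str, dict[str, object]]:
    """Return {key_path: {value_name: data}} with keys lower-cased and ControlSet00N folded
    into CurrentControlSet (assumption). Only REG_SZ and REG_DWORD are decoded."""
    hives: dict[str, dict[str, object]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", "REGEDIT", ";")):
            continue
        m = _KEY_RE.match(line)
        if m:
            key = re.sub(r"\\controlset\d{3}\\", r"\\currentcontrolset\\", m.group(1).lower())
            current = hives.setdefault(key, {})
            continue
        m = _VALUE_RE.match(line)
        if not m or current is None:
            continue
        name = "@" if m.group(1) is None else _unescape(m.group(1))
        data = m.group(2)
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            current[name] = _unescape(data[1:-1])
        elif data.lower().startswith("dword:"):
            current[name] = int(data[6:], 16)
    return hives

def norm_path(p: str) -> str:
    # Lower-case, drop quotes, map the default C:\Windows / C:\Winnt dirs onto %windir%.
    p = p.strip().strip('"').lower()
    return re.sub(r"^c:\\(windows|winnt)\\", r"%windir%\\", p)

def scan(hives: dict[str, dict[str, object]]) -> list[str]:
    """Apply the checks from steps 3-9 of the write-up; one line per hit."""
    findings: list[str] = []
    for name, data in hives.get(RUN_KEY, {}).items():
        if isinstance(data, str) and norm_path(data) in DROPPED_FILES:
            findings.append(f"Run value {name!r} launches {data}")
    wl = hives.get(WINLOGON_KEY, {})
    shell = wl.get("Shell")
    if isinstance(shell, str) and shell.strip().lower() != "explorer.exe":
        findings.append(f"Winlogon Shell is {shell!r}, expected 'Explorer.exe'")
    userinit = wl.get("Userinit")
    if isinstance(userinit, str):
        for entry in filter(None, (e.strip() for e in userinit.split(","))):
            if not norm_path(entry).endswith(r"\system32\userinit.exe"):
                findings.append(f"Winlogon Userinit chains extra program {entry}")
    if wl.get("SFCDisable", 0) != 0:
        findings.append(f"SFCDisable = {wl['SFCDisable']} (Windows File Protection off)")
    if hives.get(SYSRESTORE_KEY, {}).get("DisableSR") == 1:
        findings.append("DisableSR = 1 (System Restore disabled)")
    if hives.get(SHAREDACCESS_KEY, {}).get("Start") == 4:
        findings.append("SharedAccess Start = 4 (Windows Firewall/ICS service disabled)")
    for name, data in hives.get(FIREWALL_LIST_KEY, {}).items():
        # Data is "<path>:*:<display name>"; the write-up shows name and data path differing, so test both.
        target = data.split(":*:", 1)[0] if isinstance(data, str) else ""
        if norm_path(name) in DROPPED_FILES or norm_path(target) in DROPPED_FILES:
            findings.append(f"Firewall exception {name!r} -> {target}")
    return findings

# Constructed sample export of an infected host (not captured from a real system).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft (R) Windows Configuration Backup Service"="c:\\WINDOWS\\config\\svchost.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe c:\\WINDOWS\\config\\svchost.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,c:\\WINDOWS\\config\\svchost.exe"
"SFCDisable"=dword:00000004
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"c:\\WINDOWS\\config\\svchost.exe"="%Windir%\\config\\svchost.exe:*:Microsoft (R) Windows Configuration Backup Service"
'''

if __name__ == "__main__":
    # regedit exports are UTF-16 with a BOM; pass a file path to scan a real export.
    text = open(sys.argv[1], encoding="utf-16").read() if len(sys.argv) > 1 else SAMPLE_EXPORT
    for line in scan(parse_reg_export(text)) or ["no Ranky.X indicators found"]:
        print(line)
```

Run with no argument to see the seven findings the constructed sample produces, or pass the path of an export to check a real host. The Shell, Userinit, SFCDisable, DisableSR and SharedAccess checks do not depend on the dropped file names, so they still fire when a variant uses different paths; only the Run and firewall checks are tied to the list in the write-up.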
MortalGod (Power User)
Posted: Thu Jun 26, 2008 7:48 pm
Subject: Re: Backdoor.Ranky.X

wow... Nice one, backdoor virus. Alright, I'll attach this to the images... wahehhehe