Troj/Tunnel-A ; Aliases: Backdoor.Checkesp

#1 June 4th, 2003, 04:24 PM

http://www.sophos.com/virusinfo/anal...ojtunnela.html

Description
Troj/Tunnel-A is a backdoor Trojan. When the Trojan is first executed a copy will be created in the system folder with the filename sys64.exe and the following registry entry will be created so that the Trojan is run when Windows starts up:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\tunelling = sys64.exe

Troj/Tunnel-A begins by connecting to a site run by the attacker to inform them that the computer has been compromised. The Trojan will then listen for commands from the attacker.

The Trojan also listens on port 80, the default HTTP port, and redirects network traffic on that port to the attacker.

Longthing · #2 June 4th, 2003, 05:29 PM

Got already a sample here.

#3 June 4th, 2003, 07:30 PM

Quote:

quoting: Longthing link=board=30;threadid=9910;start=0#msg64595 date=1054762160]
Got already a sample here.

Hi Jan,
I hope you could get rid of it !

Cheers, Jan.

Longthing · #4 June 5th, 2003, 12:51 AM

No problem. Didn't execute it.

Thread Tools	Search this Thread
Show Printable Version Email this Page	Search this Thread: Advanced Search