Discussion in 'malware problems & news' started by Randy_Bell, Nov 4, 2002.

Thread Status:
Not open for further replies.
  1. Randy_Bell

    Randy_Bell Registered Member

    May 24, 2002
    Santa Clara, CA
    Symantec Security Response - Backdoor.Neodurk

    Backdoor.Neodurk is a backdoor Trojan that gives an attacker unauthorized access to an infected computer. By default it opens ports 7673 and 7677. Backdoor.Neodurk is a Delphi application, and it is packed with ASPack v2.001b.

    Also Known As: Backdoor.Neodurk.10 [AVP], New BackDoor2 [McAfee]
    Type: Trojan Horse
    Infection Length: 272,896 bytes
    Systems Affected: Windows 95, Windows 98, Windows ME
    Systems Not Affected: Windows NT, Windows 2000, Windows XP, Windows 3.x, Microsoft IIS, Macintosh, Unix, Linux

    technical details

    When Backdoor.Neodurk runs, it performs the following actions:

    It copies itself as C:\Windows\Runapp32.exe.

    It creates the value

    Runapp32 C:\Windows\Runapp32.exe

    in the registry key


    so that the Trojan starts when you start or restart Windows.

    If the operating system is Windows 95/98/Millenium, the Trojan registers itself as a service process to continue to run after you log off. In this case, Backdoor.Neodurk closes only when the system is shut down.

    In addition, Backdoor.Neodurk attempts to obtain access to the password cache that is stored on the local computer. The cached passwords include modem and dial-up passwords, URL passwords, share passwords, and others.

    The Trojan installs hook procedures into a hook chain to monitor the system for any keyboard and mouse input. The keyboard and mouse hook procedures process the input and pass the hook information to the next hook procedure in the current hook chain. This permits Backdoor.Neodurk to intercept keystrokes.

    The Trojan uses email to notify the Trojan client.

    After Backdoor.Neodurk is installed, it waits for commands from the remote client. The commands allow the hacker to perform any of the following actions:

    -- Deliver system and network information to the hacker.
    -- Open or close the CD-ROM drive and perform other annoying actions.
    -- Manage the file system of the infected computer.

    removal instructions

    NOTE: These instructions are for all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.

    1. Update the virus definitions.
    2. Run a full system scan, and delete all files that are detected as Backdoor.Neodurk.
    3. Delete the value

    Runapp32 C:\Windows\Runapp32.exe

    from the registry key


    To delete the value from the registry:

    CAUTION: Symantec strongly recommends that you back up the registry before you make any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify only the keys that are specified. Read the document How to make a backup of the Windows registry for instructions.

    1. Click Start, and click Run. The Run dialog box appears.
    2. Type regedit and then click OK. The Registry Editor opens.
    3. Navigate to the key


    4. In the right pane, delete the value

    Runapp32 C:\Windows\Runapp32.exe.

    5. Exit the Registry Editor.
Thread Status:
Not open for further replies.