Backdoor.Ripjac

Discussion in 'malware problems & news' started by Randy_Bell, Nov 22, 2002.

Thread Status:
Not open for further replies.
  1. Randy_Bell

    Randy_Bell Registered Member

    Joined:
    May 24, 2002
    Posts:
    3,004
    Location:
    Santa Clara, CA
    Symantec Security Response - Backdoor.Ripjac

    Backdoor.Ripjac is a backdoor Trojan that allows a hacker to gain access to the infected computer. The presence of the file Synchost.exe is an indication of a possible infection. By default, the Trojan opens port 4999 to allow the hacker to remotely control the infected computer.

    Type: Trojan Horse
    Infection Length: 602,112 bytes
    Systems Affected: Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me
    Systems Not Affected: Windows 3.x, Macintosh, OS/2, Unix, Linux

    technical details

    When Backdoor.Ripjac runs, it does the following:

    It copies itself as C:\%windir%\Synchost.exe.

    NOTE: %windir% is a variable. The Trojan locates the Windows installation folder (by default this is C:\Windows or C:\Winnt) and copies itself to that location.

    It adds the value

    Remote Access Slave C:\%windir%\Synchost.exe

    to the registry key

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

    so that the Trojan runs when you start Windows.

    By default, the Trojan opens port 4999 to allow the hacker to remotely control the infected computer.

    removal instructions

    NOTE: These instructions are for all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.


    • 1. Update the virus definitions.
      2. Run a full system scan, and delete all files that are detected as Backdoor.Ripjac.
      3. Delete the value

      Remote Access Slave C:\%windir%\Synchost.exe

      from the registry key

      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    To delete the value that the Trojan added to the registry:

    CAUTION: Symantec strongly recommends that you back up the registry before you make any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify only the keys that are specified. Read the document How to make a backup of the Windows registry for instructions.


    • 1. Click Start, and click Run. The Run dialog box appears.
      2. Type regedit and then click OK. The Registry Editor opens.
      3. Navigate to the key

      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

      4. In the right pane, delete the value

      Remote Access Slave C:\%windir%\Synchost.exe

      5. Exit the Registry Editor.
     
Thread Status:
Not open for further replies.