Backdoor.Neodurk

Symantec Security Response - Backdoor.Neodurk

Backdoor.Neodurk is a backdoor Trojan that gives an attacker unauthorized access to an infected computer. By default it opens ports 7673 and 7677. Backdoor.Neodurk is a Delphi application, and it is packed with ASPack v2.001b.

Also Known As: Backdoor.Neodurk.10 [AVP], New BackDoor2 [McAfee]
Type: Trojan Horse
Infection Length: 272,896 bytes
Systems Affected: Windows 95, Windows 98, Windows ME
Systems Not Affected: Windows NT, Windows 2000, Windows XP, Windows 3.x, Microsoft IIS, Macintosh, Unix, Linux

technical details

When Backdoor.Neodurk runs, it performs the following actions:

It copies itself as C:\Windows\Runapp32.exe.

It creates the value

Runapp32 C:\Windows\Runapp32.exe

in the registry key

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

so that the Trojan starts when you start or restart Windows.

If the operating system is Windows 95/98/Millenium, the Trojan registers itself as a service process to continue to run after you log off. In this case, Backdoor.Neodurk closes only when the system is shut down.

In addition, Backdoor.Neodurk attempts to obtain access to the password cache that is stored on the local computer. The cached passwords include modem and dial-up passwords, URL passwords, share passwords, and others.

The Trojan installs hook procedures into a hook chain to monitor the system for any keyboard and mouse input. The keyboard and mouse hook procedures process the input and pass the hook information to the next hook procedure in the current hook chain. This permits Backdoor.Neodurk to intercept keystrokes.

The Trojan uses email to notify the Trojan client.

After Backdoor.Neodurk is installed, it waits for commands from the remote client. The commands allow the hacker to perform any of the following actions:

-- Deliver system and network information to the hacker.
-- Open or close the CD-ROM drive and perform other annoying actions.
-- Manage the file system of the infected computer.

removal instructions

NOTE: These instructions are for all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.

1. Update the virus definitions.
2. Run a full system scan, and delete all files that are detected as Backdoor.Neodurk.
3. Delete the value

Runapp32 C:\Windows\Runapp32.exe

from the registry key

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

To delete the value from the registry:

CAUTION: Symantec strongly recommends that you back up the registry before you make any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify only the keys that are specified. Read the document How to make a backup of the Windows registry for instructions.

1. Click Start, and click Run. The Run dialog box appears.
2. Type regedit and then click OK. The Registry Editor opens.
3. Navigate to the key

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

4. In the right pane, delete the value

Runapp32 C:\Windows\Runapp32.exe.

5. Exit the Registry Editor.