Troj/Tunnel-A ; Aliases: Backdoor.Checkesp

Discussion in 'malware problems & news' started by FanJ, Jun 4, 2003.

Thread Status:
Not open for further replies.
  1. FanJ

    FanJ Guest

    http://www.sophos.com/virusinfo/analyses/trojtunnela.html

    Description
    Troj/Tunnel-A is a backdoor Trojan. When the Trojan is first executed, a copy will be created in the system folder with the filename sys64.exe, and the following registry entry will be created so that the Trojan is run when Windows starts up:

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\tunelling = sys64.exe

    Troj/Tunnel-A begins by connecting to a site run by the attacker to inform them that the computer has been compromised. The Trojan will then listen for commands from the attacker.

    The Trojan also listens on port 80, the default HTTP port, and redirects network traffic on that port to the attacker.
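
Added example (not part of the original thread or of the Sophos analysis): a Python check that looks for the indicators described above in saved output of `reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run`, `netstat -ano` and `tasklist /fo csv /nh`. The function names are this example's own and the sample inputs are constructed.

```python
import csv
import io
import re

RUN_VALUE = "tunelling"  # Run value name given in the description
# File name given in the description, matched as a whole path component.
IMAGE_RE = re.compile(r'(?:^|[\\/"])sys64\.exe(?=$|["\s])', re.I)
# One value row of `reg query` output: 4 spaces, name, type, data.
REG_LINE = re.compile(r"^\s{4}(.+?)\s{4}(REG_\w+)\s{4}(.*)$")

def run_key_hits(reg_query_output):
    """Return (name, data) for Run values matching the described name or file."""
    hits = []
    for line in reg_query_output.splitlines():
        m = REG_LINE.match(line)
        if m and (m.group(1).lower() == RUN_VALUE or IMAGE_RE.search(m.group(3))):
            hits.append((m.group(1), m.group(3)))
    return hits

def port80_listeners(netstat_output, tasklist_csv):
    """Return (pid, image) for every TCP listener on port 80.

    Port 80 alone is normal on a web server; the image name is what matters.
    """
    images = {r[1]: r[0] for r in csv.reader(io.StringIO(tasklist_csv)) if len(r) > 1}
    found = []
    for line in netstat_output.splitlines():
        f = line.split()
        if len(f) == 5 and f[0] == "TCP" and f[3] == "LISTENING" and f[1].endswith(":80"):
            found.append((f[4], images.get(f[4], "unknown")))
    return found

# Constructed sample data, not captured from a real host.
SAMPLE_REG = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    ExampleUpdater    REG_SZ    "C:\Program Files\Example\updater.exe" /background
    tunelling    REG_SZ    sys64.exe
"""
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1234
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       888
"""
SAMPLE_TASKLIST = '"svchost.exe","888","Services","0","4,100 K"\n"sys64.exe","1234","Console","1","3,200 K"\n'

if __name__ == "__main__":
    print("Run key:", run_key_hits(SAMPLE_REG))
    print("Port 80:", port80_listeners(SAMPLE_NETSTAT, SAMPLE_TASKLIST))
```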
     
  2. Longthing

    Longthing Registered Member

    Joined:
    Jul 27, 2002
    Posts:
    40
    Already got a sample here.
     
  3. FanJ

    FanJ Guest

    Hi Jan,
    I hope you could get rid of it!

    Cheers, Jan.
     
  4. Longthing

    Longthing Registered Member

    No problem. Didn't execute it. :)
     