Virus Database

Backdoor.Cabrotor.10.a

Description Backdoor.Cabrotor.10.a

Cabrotor is backdoor trojan program (it is a hidden remote control trojan). The trojan itself is a Windows PE EXE file written in Delphi.
The original trojan package contains three main executable files:
CaBrONaToR.exe - client to send commands to remote server
CaBrONeDiT.exe - server editor to modify default server settings
8======D.exe - server (trojan itself)
When run the backdoor code copies itself to the Windows directory and registers itself in the system registry in the auto-run section. In different backdoor versions the backdoor EXE name and registry keys are different. The known variant has:
EXE name:
ASDAPI.EXE
The registry key entries it makes are:
HKLMSoftwareMicrosoftWindowsCurrentVersionRun HKLMSoftwareMicrosoftWindowsCurrentVersionRunServices
Key name:
LoadPowerProfile
The trojan then opens a connection to its master's IRC channel and waits for its master's commands.
The backdoor program performs following commands:
reports computer info (Windows version, CPU type, UserName, CompanyName e.t.c.)
open/closes CD drive
reports directories and file names in there
runs a local file or executes a command
sends information: RAS, MS Messenger and .NET services
exits Windows - downloads a requested file
performs DoS attack to requested victim address
terminates itself

Check other viruses! Be aware! Use Antiviral Software

Macro.Word.Snickers

Description Macro.Word.Snickers

This macro virus contains two macros: autoopen and autoclose. On AutoOpen it infects documents that are loaded into Word. After infection and on AutoClose the virus mixes the characters within current document. It also creates new variable in documents:
snickers=mmmhh

Macro.Word.Socks

Description Macro.Word.Socks

This is a Word macro virus. It contains four macros: AutoOpen, SOK, ToolsMacro (stealth), ToolsCustomize.
The infection routine is placed in SOK macros, which is called by AutoOpen macro on opening a document. The virus does not infect the NORMAL.DOT - it affects the files that are listed in recently used file list.
On September 9 depending on the system random counter it erases the files by using one of masks: *.EXE, *.COM, *.OVL, *.BIN, *.TXT, *.DOC, *.DOT, *.ZIP, *.ASM, *.DLL.

Home