Virus Database


Backdoor.G_Door.20

Description Backdoor.G_Door.20

This backdoor uses standard client-server technology and consists of two parts, a client and a server; both are Windows executable files (PE EXE). The backdoor server is installed on victim computers, and the client controls them from a remote station.
Installation
When the server is run on a victim computer, it installs itself into the system: it moves itself to the Windows system directory under the name KERNEL32.EXE and modifies the following system registry keys:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] @="C:\WIN98\SYSTEM\KERNEL32.EXE"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices] @="C:\WIN98\SYSTEM\KERNEL32.EXE"
[HKEY_CLASSES_ROOT\txtfile\shell\open\command] @="C:\WIN98\SYSTEM\KERNEL32.EXE %1"
[HKEY_LOCAL_MACHINE\Software\CLASSES\txtfile\shell\open\command] @="C:\WIN98\SYSTEM\KERNEL32.EXE %1"
The name of the Windows system directory (here "C:\WIN98\SYSTEM") depends on the system configuration.
As a result of this registration in the system registry, the server starts automatically at boot time (first two keys), as well as each time a TXT file is opened (last two keys). In this way the server starts on Windows start-up, and is restarted if a user unloads its process from system memory.
Moreover, the server continuously (about every 10 seconds) checks its registry keys. If these keys are changed (the reference to the server file is deleted), the server restores them to the "infected" state.
As a result, removing the backdoor server is not a simple task: the KERNEL32.EXE server file cannot be removed or renamed (it is active and locked by the system), and the registry keys are monitored by the server (which makes it impossible to reboot the system with a "clean" registry).
Under Win9x, the backdoor can be removed by booting the computer in DOS mode and deleting the KERNEL32.EXE file from the Windows system directory; after booting Windows, the references to this file must then be removed from the system registry. Under WinNT, the backdoor's process must be killed in Windows memory, then the server EXE file deleted and the system registry keys cleaned.
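The four registry keys above are the persistence to look for when checking a machine. As an added example (not code from Virus-Database.com), the following Python flags those keys in a regedit-style text export; the "[key]" / @="data" export format is assumed, and the sample export is constructed rather than captured from an infected system.

```python
# Added example (not Virus-Database.com code): flag the Backdoor.G_Door.20 registry
# persistence in a regedit-style export; format assumed, sample below constructed.
import re

# Keys the backdoor writes (upper-cased; registry paths are case-insensitive).
GDOOR_KEYS = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN": "autorun",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNSERVICES": "autorun",
    r"HKEY_CLASSES_ROOT\TXTFILE\SHELL\OPEN\COMMAND": "txt-handler",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\TXTFILE\SHELL\OPEN\COMMAND": "txt-handler",
}

def parse_reg_export(text):
    """Parse "[key]" sections and "name"="data" / @="data" lines into
    {KEY: {name: data}}; '@' is the default value, only string data is kept."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).upper()
            keys.setdefault(current, {})
            continue
        m = re.match(r'^(@|"[^"]*")="(.*)"$', line)
        if m and current is not None:
            # .reg exports escape backslashes and quotes inside string data
            data = m.group(2).replace("\\\\", "\\").replace('\\"', '"')
            keys[current][m.group(1).strip('"')] = data
    return keys

def find_gdoor_indicators(text):
    """Return (key, data, reason) for each default value that runs KERNEL32.EXE.
    Windows ships kernel32 as a DLL, so an .EXE of that name in an autorun key
    or as the .txt open handler matches the page's description."""
    hits = []
    for key, values in parse_reg_export(text).items():
        data = values.get("@", "")
        if key in GDOOR_KEYS and "KERNEL32.EXE" in data.upper():
            hits.append((key, data, GDOOR_KEYS[key]))
    return hits

# Constructed sample: an infected Win98 machine's keys plus one untouched handler.
SAMPLE_EXPORT = r"""
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
@="C:\\WIN98\\SYSTEM\\KERNEL32.EXE"
[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="C:\\WIN98\\SYSTEM\\KERNEL32.EXE %1"
[HKEY_CLASSES_ROOT\batfile\shell\open\command]
@="\"%1\" %*"
"""
```

Because the server rewrites these keys every few seconds, a clean result from this check only means something once the process has been stopped (or the machine was booted to DOS), as the removal steps above describe.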
Server
To accept connections from the client component, the backdoor server uses port 7626 and periodically listens on it. When a client is connected, the server executes the client's commands and hands over control of the victim computer: it manipulates the victim's file system (copies, moves, deletes and creates files, etc.).
Client
The client can scan a configured subnet for active servers. On connecting to a server, the client gains control over the victim computer's resources. The client GUI is in Chinese.


DoomMbr.406

Description DoomMbr.406

It is a not-dangerous, memory-resident multipartite virus. It contains the text "DOOM". It infects the MBR of the hard drive, the boot sector of floppy disks, and COM and EXE files. When an infected file is executed, the virus infects the MBR of the hard drive and returns control to the host program. When the system is booted from an infected disk, the virus hooks INT 13h, waits for DOS to load, and then hooks INT 21h. The virus then overwrites the boot sector of any floppy disk that is accessed. It also writes itself to the end of COM and EXE files when the date/time stamp of such a file is set (for example, while copying to a new file).

Doomsday.715

Description Doomsday.715

These are non-memory-resident, dangerous, encrypted parasitic viruses that search for .COM files in the current directory and infect them in the standard manner. They contain the texts:
*.com
A scion to none
Certainly no fun
Total destruction when done
Introducing DOOMSDAY ONE
Written in Orlando, FL on 05/13/91

Sometimes they encrypt the contents of the logical sectors of the current disk and display the message:
Your disk is dead!
Long live DOOMSDAY 1.0





Copyright © 2005 Virus-Database.com