
Re: Backdoor-g1 What is it ???? and how can I protect myself / my PC
IP Address = pec-138-195.tnt8.hh2.uunet.de

domain:   uunet.de
descr:    UUNET Deutschland GmbH
descr:    Sebrathweg 20
descr:    D-44149 Dortmund
descr:    DE
admin-c:  MB11-RIPE
tech-c:   HE15-RIPE
zone-c:   HE15-RIPE
nserver:  auth00.ns.de.uu.net
nserver:  auth50.ns.de.uu.net
mnt-by:   DE-DOM
changed:  hostmaster@denic.de 19991209
source:   RIPE

Backdoor Type: Client/Server
Created: August 17, 1999
Modified: June 07, 2000
Variants: 16

The Basics of SubSeven (aka Sub7 or Backdoor_G)

SubSeven (aka Sub7 or Backdoor_G) currently affects Windows 95/98 PCs and can be a bit tricky to remove. This is because the server portion can be configured to rerun itself automatically from any of four places each time the system has been rebooted. The trojan also has two files that can be configured with any name.

As mentioned above, and although the server portion can have any name, it's found in the WINDOWS directory with one of the following:
"server.exe" (328kb)
"rundll16.exe" (328kb)
"systray.dl" (328kb)
"Task_bar.exe" (328kb)

The second file is found in the WINDOWS\SYSTEM directory with one of the following:
"FAVPNMCFEE.dll" (35kb)
"MVOKH_32.dll" (35kb)
"nodll.exe" (35kb)
"watching.dll" (35kb)

If you've encountered any names other than the above, please send me an e-mail so I can include them.

TCP ports 6711 and 6776 are used by default, but there's a third TCP port which is the port used in the establishment of the connection between the "client" and "server". This third TCP port can be configured to be anything, although it's commonly seen as TCP port 1243 or TCP port 1999.

As mentioned above, the server portion of the trojan can be configured by the hacker to rerun itself every time the system is rebooted, due to an entry in one of four locations. Provided below are the four locations.
The first is an entry on the "shell=" line in the SYSTEM.INI file.
The second is an entry on the "load=" or "run=" line in the WIN.INI file.
The third is under "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
The fourth is under "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices"

NOTE: Of the systems compromised with SubSeven, it's often found in the first location.

Who's Responsible?
SubSeven was written by an individual known as MobMan.

You will find information about various firewalls further down in the forum, with corresponding links.

Regards, Janus
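A defender-side check of the four autostart locations and the default ports that the post lists, added here as an example for this thread; it is not part of Janus's post or of any product mentioned in it. The SYSTEM.INI and WIN.INI text, the registry dictionary and the netstat-style lines are constructed sample data: on a real Windows 9x machine you would feed it the actual contents of those two files, an export of the two Run keys and the output of `netstat -an`. The file names and ports are only the defaults the post gives, so a renamed server or a non-default connection port will not match the name or port lists; that is why the SYSTEM.INI check also flags anything appended after Explorer.exe on the shell= line, which on a clean system stands alone.

```python
import re

# Default file names and ports from the post (lower-cased for comparison).
KNOWN_SERVER_NAMES = {"server.exe", "rundll16.exe", "systray.dl", "task_bar.exe"}
KNOWN_SECOND_FILES = {"favpnmcfee.dll", "mvokh_32.dll", "nodll.exe", "watching.dll"}
DEFAULT_PORTS = {6711, 6776, 1243, 1999}

RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices",
)


def parse_ini(text):
    """Minimal INI parser: returns {section: {key: value}} with lower-cased section and key names."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).lower()
            sections.setdefault(current, {})
            continue
        if "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections


def suspicious_names(value):
    """Return the known SubSeven file names appearing in an autostart value (paths are reduced to the base name)."""
    found = set()
    for token in re.split(r"[\s,]+", value.lower()):
        base = token.replace("\\", "/").rsplit("/", 1)[-1]
        if base in KNOWN_SERVER_NAMES | KNOWN_SECOND_FILES:
            found.add(base)
    return found


def check_system_ini(text):
    """Location 1: the shell= line in [boot] of SYSTEM.INI."""
    shell = parse_ini(text).get("boot", {}).get("shell", "")
    return {
        "location": "SYSTEM.INI shell=",
        "value": shell,
        "hits": sorted(suspicious_names(shell)),
        # A clean shell= line holds only Explorer.exe; extra programs are worth a look even if renamed.
        "extra_programs": len(shell.split()) > 1,
    }


def check_win_ini(text):
    """Location 2: the load= and run= lines in [windows] of WIN.INI."""
    win = parse_ini(text).get("windows", {})
    return [
        {"location": f"WIN.INI {key}=", "value": win.get(key, ""), "hits": sorted(suspicious_names(win.get(key, "")))}
        for key in ("load", "run")
    ]


def check_run_keys(registry):
    """Locations 3 and 4: Run and RunServices. `registry` is {key_path: {value_name: data}} standing in for HKLM."""
    results = []
    for key_path in RUN_KEYS:
        for name, data in registry.get(key_path, {}).items():
            hits = suspicious_names(data)
            if hits:
                results.append({"location": key_path, "value_name": name, "value": data, "hits": sorted(hits)})
    return results


def check_listening_ports(netstat_lines):
    """Flag LISTENING TCP sockets on the default SubSeven ports in netstat -an style lines."""
    hits = []
    for line in netstat_lines:
        parts = line.split()
        if len(parts) >= 4 and parts[0] == "TCP" and parts[3] == "LISTENING":
            port = int(parts[1].rsplit(":", 1)[-1])
            if port in DEFAULT_PORTS:
                hits.append(port)
    return sorted(hits)


# Constructed sample input, not taken from a real machine.
SAMPLE_SYSTEM_INI = "[boot]\nshell=Explorer.exe rundll16.exe\n[386Enh]\ndevice=vmm32.vxd\n"
SAMPLE_WIN_INI = "[windows]\nload=\nrun=C:\\WINDOWS\\SYSTEM\\nodll.exe\n"
SAMPLE_REGISTRY = {RUN_KEYS[1]: {"SystemTray": r"C:\WINDOWS\Task_bar.exe"}}
SAMPLE_NETSTAT = [
    "TCP    0.0.0.0:1243    0.0.0.0:0    LISTENING",
    "TCP    0.0.0.0:139     0.0.0.0:0    LISTENING",
]

if __name__ == "__main__":
    print(check_system_ini(SAMPLE_SYSTEM_INI))
    for finding in check_win_ini(SAMPLE_WIN_INI) + check_run_keys(SAMPLE_REGISTRY):
        print(finding)
    print("listening on default SubSeven ports:", check_listening_ports(SAMPLE_NETSTAT))
```

Run it against the constructed data and it reports rundll16.exe appended to shell=, nodll.exe on the run= line, Task_bar.exe under RunServices and a listener on TCP 1243; the one check that does not depend on the default names is `extra_programs`, which is the signal to rely on when the server has been renamed.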
