A hundred times I warned my sons not to open any file with an .exe extension sent over an internet connection.
"No problem, we don't do it."
So one of my sons was online in a chat program, downloading an executable file from a friend. When the exe was run, nothing happened. After a while the printer started printing some text, funny stuff, and the CD-ROM drive opened and closed.
I knew right away that a server patch had been installed. I immediately disconnected from the internet and started searching for something.
The file MSREXE.EXE was found in Windows\System.
The file was moved to another directory.
In WIN.INI a run=MSREXE.EXE line had been created.
Looking on the internet for information, I found that it was the SubSeven backdoor tool, a trojan.
SubSeven can do everything that NetBus can do. This includes things such as:
- File controls
  - Erase hard drives and other disks
  - Execute programs
  - Upload / Download
  - Copy, Delete, Move, Rename
- Monitoring
  - Can see your screen as you see it
  - Log any/all keypresses (even hidden passwords)
  - Move mouse
  - Open/close/move windows
- Network control
  - Can close connections
  - Can see all open connections to and from your computer
  - Can 'bounce' or relay from their system to yours, so wherever they connect it seems as if you are doing it. This is how they avoid getting caught breaking into other computer systems and get you in trouble!
Name : Backdoor-G, Backdoor-G2.svr.21
Alias: Sub7, Subseven, Backdoor-G2, Backdoor-G2.gen, Backdoor-G2.svr.20, Subseven v2.0, v2.1, v2.1 Gold
Variants: Backdoor-G, Backdoor-G.svr
It is a Windows 9x internet backdoor trojan.
By default the trojan uses TCP port 27374, but the port is configurable by the program. (Using a firewall, you'll be surprised how many scans you get daily on that port. On ports 27374, 28431, 47624.)
When running, it gives unlimited access to the system (your computer) to anyone running the appropriate client software. You are the server at that moment.
The trojan installs 3 files, in Windows and Windows\System.
The main exe is installed in the Windows folder (NoName.exe; the filename can be changed by the trojan's configuration program).
It is used to load the main trojan server.
This is found in the run line of WIN.INI: run=MSREXE.EXE
In HKEY_CLASSES_ROOT a key .dl was created.
Removal
On the Windows taskbar, click Start and then Run.
Type regedit (for W9x) or regedt32 (for Windows NT) and press Enter.
Modify the following registry key:
HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command
HKEY_CLASSES_ROOT\exefile\shell\open\command
This key should contain only the value "%1" %* and nothing else.
Change   mueexe.exe "%1" %*   to   "%1" %*
Don't forget the space between " and % ("%1", space, %*).
HKEY_CLASSES_ROOT\.dl
Delete this key (directory). It is a key created by the trojan so that .dl runs like an .exe.
Delete the file Windows\System\MSREXE.exe.
Edit WIN.INI and remove the run= line that references the trojan (run=MSREXE.exe); this line is mostly used by backdoors.
Optional checks:
1. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
   HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
   Delete any keys that run the main trojan.
2. Edit SYSTEM.INI and remove the shell= line reference to the trojan. It should contain only the Explorer.exe file.
3. Check the C:\WINDOWS\START_MENU\PROGRAMS\STARTUP folder.
   If the server patch is installed here, delete it. The program was uploaded through FTP and tries to install itself the next time you start the computer.
4. Restart your computer.
Finished.
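The checks from the removal steps above, as an added example that is not part of the original page: it audits the text of WIN.INI, SYSTEM.INI and a REGEDIT4 registry export for the startup locations named in those steps. The function names and the sample input are constructed for illustration.

```python
import re
EXPECTED_EXE_CMD = '"%1" %*'  # per the page, the only valid exefile open command
RUN_KEYS = ("\\currentversion\\run", "\\currentversion\\runservices")

def ini_value(text, section, key):
    """Value of `key` in `[section]` of a Win9x .INI file, or None if absent."""
    current = None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
        elif current == section and "=" in line and not line.startswith(";"):
            k, v = line.split("=", 1)
            if k.strip().lower() == key:
                return v.strip()

def parse_reg(text):
    """Parse a REGEDIT4 text export into {lowercased key path: {name: string data}}."""
    keys, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None and (m := re.match(r'(@|"[^"]*")="(.*)"$', line)):
            # undo the .reg escaping of quotes and backslashes
            data = m.group(2).replace('\\"', '"').replace("\\\\", "\\")
            current[m.group(1).strip('"')] = data
    return keys

def audit(win_ini, system_ini, reg_export):
    """Return findings for the startup locations named in the removal steps."""
    findings = []
    if (run := ini_value(win_ini, "windows", "run")):
        findings.append(f"WIN.INI run={run}")
    shell = ini_value(system_ini, "boot", "shell")
    if shell and shell.lower() != "explorer.exe":
        findings.append(f"SYSTEM.INI shell={shell}")
    for path, values in parse_reg(reg_export).items():
        if path.endswith("exefile\\shell\\open\\command") and values.get("@") != EXPECTED_EXE_CMD:
            findings.append(f"exefile open command is {values.get('@')}")
        elif path == "hkey_classes_root\\.dl":
            findings.append("HKEY_CLASSES_ROOT\\.dl key exists")
        elif path.endswith(RUN_KEYS):  # listed for manual review, not judged
            findings += [f"review Run entry {n}={d}" for n, d in values.items()]
    return findings

# Constructed sample input (not captured from a real machine)
WIN_INI, SYSTEM_INI = "[windows]\nrun=MSREXE.EXE\n", "[boot]\nshell=Explorer.exe\n"
REG = ('REGEDIT4\n[HKEY_CLASSES_ROOT\\exefile\\shell\\open\\command]\n'
       '@="mueexe.exe \\"%1\\" %*"\n[HKEY_CLASSES_ROOT\\.dl]\n')
print("\n".join(audit(WIN_INI, SYSTEM_INI, REG)))
```

Entries under Run and RunServices are only listed for review, because legitimate programs start from those keys as well.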
Depending on the variant of Backdoor-G, files like these could be created:
NODLL.exe (main trojan), RUN.exe, WINDOWS.exe, WINDOW.exe, SERVER.exe, KERNEL16.dl (.dl and not .dll),
WATCHING.dll or LMDRK_33.dll (in Windows\System),
MUEEXE.exe (mueexe.exe causes the operating system to run the load program every time an exe file is started),
Backdoor-G.dll (server program to monitor internet connections client),
BackDoor-G.cli and BackDoor-G.cfg (filenames can be changed)
Safe Computing: be suspicious of .exe, .shs, MS Word and MS Excel file attachments.
Text found on a site:
"Does your friend know that naughty programs like TROJANS do exist in this world? If he doesn't know that, he's a loser straight away. Configure your server, bind it with a game or some exe file and give it to him. He's sure gonna run it *LOL ;-)"
Note: There are programs that bind 2 exe files into one exe. You start a game.exe and a second .exe is also started, but you don't see it. You get infected and become a server. Nice, isn't it?
Text found on a site:
"The computer will become a FTP server whenever he's online. So it acts as a backdoor for uploading new trojans even if you have lost access to his computer through your trojan. But you have to remember one thing that since this program opens up the victim's computer as a FTP server, he's open to the whole everybody who knows that his FTP port is open.
Another piece of information I would like to add is that this FTP Server opens up at default FTP port, i.e. Port 21, and there is NO Login/Password for it (I mean it automatically logs in as "Anonymous", you don't have to make any changes in your FTP Client) and you CANNOT change the PORT. So be very careful while using this unless you want the victim's computer to become a trojan playground."
Note: With this program you make the victim's computer an FTP server on port 21. Nice.