http://xforce.iss.net/alerts/advise30.php3

ISS Security Alert
July 6, 1999

Windows Backdoor Update III

Introduction:

Internet Security Systems (ISS) X-Force is issuing the third of our quarterly updates on backdoors for Windows 95, 98, and NT. Because of the number of backdoors covered in this advisory, each backdoor's features and communications protocol are described only briefly; the update focuses instead on detection and removal information. This update contains information on DeepThroat 1, 2 and 3, NetSphere 1.30, GateCrasher 1.2, Portal of Doom, GirlFriend 1.3, Hack'a'Tack, EvilFTP, phAse Zero, ExploreZip.worm, and SubSeven.

ISS X-Force would like to remind you not to run any executables you receive in e-mail, over IRC or ICQ, or via any other means of Internet-based communications. Users should be alert to the common symptoms of being backdoored, such as your CD-ROM drive opening and closing, web browsers starting for no reason, applications running when you didn't start them, and other unexpected behavior.

DeepThroat (versions 1, 2 and 3):

The DeepThroat backdoor allows a remote attacker to execute programs on your machine, open a web browser to a URL, open/close your CD-ROM drive, start and stop an FTP server on your machine, send you message boxes, and steal your passwords. DeepThroat version 1 only works on Windows 95 and 98 machines, but versions 2 and 3 will run on Windows NT.

DeepThroat is a backdoor that operates on UDP port 2140. All three versions currently released use the same protocol: the DeepThroat client sends a UDP packet with a 2-byte command code, and the server sends back a response. For a 'ping' packet, the UDP packet's data is "00". To test whether any version of DeepThroat is running on a machine, send a UDP packet to port 2140 that contains the data "00".
Depending on which version of DeepThroat is running, you will get one of three responses:

For version 1:

--Ahhhhhhhhhh My Mouth Is Open XFORCE

(In this example, XFORCE is the NetBIOS name of the machine)

For version 2:

ISS X-Force - Ahhhhh My Mouth Is Open (v2)

(In this example, 'ISS X-Force' is the registered Windows user's name)

For version 3:

ISS X-Force - Ahhhhh My Mouth Is Open (v3.0)

(In this example, 'ISS X-Force' is the registered Windows user's name)

If you see UDP ports 2140 and 3150 open when you run 'netstat -a', then you are probably infected with one of the DeepThroat backdoors.

To remove DeepThroat v1.0 from your computer, use Regedit to find the value named "SystemDLL32" in HKLM\Software\Microsoft\Windows\CurrentVersion\Run. The value's data is the path of the file. Windows 95 or 98 users should note the file's path and boot the machine into MS-DOS mode; Windows NT users can kill the process with Task Manager. Either from MS-DOS (Windows 95 or 98) or from Windows NT, delete the file named in the registry value. If you are using Windows 95 or 98, reboot into Windows and delete the value from the registry. Please read the information at the end of this advisory about using Regedit before attempting to remove any registry values, as there is a possibility of causing severe damage to your computer if you are not careful.

For DeepThroat versions 2 and 3, the registry value is named "Systemtray". Its data is the path to the DeepThroat 2 or 3 executable file.

NetSphere 1.30:

NetSphere is a backdoor that performs the standard backdoor functions, including logging keystrokes, setting up a port redirector, capturing screenshots, and several functions that operate on Mirabilis ICQ. NetSphere works on Windows 95, 98, and Windows NT.

NetSphere uses TCP ports 30100 and 30102. To determine if NetSphere is running on a machine, telnet to port 30100.
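The 'netstat -a' check given for DeepThroat applies to every backdoor in this advisory. The following script is an added example, not code from the ISS advisory: it parses saved 'netstat -a' output (the sample lines are constructed) and reports any listening port that appears in the advisory's port list, treating only UDP sockets and TCP sockets in the LISTENING state as open.

```python
"""Flag listening ports from this advisory in saved 'netstat -a' output.

Added example, not part of the ISS advisory.  The port table is taken from
the advisory text; the netstat lines below are constructed sample input in
the format printed by Windows 9x/NT netstat.
"""
import re

# (protocol, port) -> backdoor named in the advisory.  SubSeven's main port
# and phAse Zero's port are configurable, so those entries are defaults only.
BACKDOOR_PORTS = {
    ("UDP", 2140): "DeepThroat 1/2/3",
    ("UDP", 3150): "DeepThroat 1/2/3",
    ("TCP", 30100): "NetSphere 1.30",
    ("TCP", 30102): "NetSphere 1.30 (capture FTP)",
    ("TCP", 6969): "GateCrasher 1.2",
    ("UDP", 10067): "Portal of Doom",
    ("UDP", 10167): "Portal of Doom",
    ("TCP", 21554): "GirlFriend 1.3x",
    ("TCP", 31785): "Hack'a'Tack",
    ("UDP", 31789): "Hack'a'Tack",
    ("UDP", 31791): "Hack'a'Tack",
    ("TCP", 23456): "EvilFTP",
    ("TCP", 555): "phAse Zero (default port, configurable)",
    ("TCP", 1243): "SubSeven (default port, configurable)",
    ("TCP", 6711): "SubSeven",
    ("TCP", 6776): "SubSeven (scanner port)",
}

# Windows netstat prints "  TCP  host:port  foreign:port  STATE" for TCP and
# "  UDP  host:port  *:*" (no state column) for UDP.
_LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


def parse_netstat(text):
    """Return [(proto, local_port, state)] for each socket line in *text*."""
    sockets = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue  # header, blank or title lines
        proto, _host, port, _remote, state = m.groups()
        sockets.append((proto, int(port), state or ""))
    return sockets


def listening(sockets):
    """Keep only sockets that accept input: all UDP, and TCP in LISTENING."""
    return [s for s in sockets if s[0] == "UDP" or s[2] == "LISTENING"]


def find_backdoor_ports(text):
    """Map 'netstat -a' output to {port: backdoor} for ports in the table."""
    hits = {}
    for proto, port, _state in listening(parse_netstat(text)):
        name = BACKDOOR_PORTS.get((proto, port))
        if name:
            hits[port] = name
    return hits


# Constructed sample output.  Port 6969 is only in TIME_WAIT (an old
# outbound connection), so it must not be reported as a listener.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    xforce:135             0.0.0.0:0              LISTENING
  TCP    xforce:1243            0.0.0.0:0              LISTENING
  TCP    xforce:1031            mail.example.test:110  ESTABLISHED
  TCP    xforce:6776            0.0.0.0:0              LISTENING
  TCP    xforce:6969            0.0.0.0:0              TIME_WAIT
  UDP    xforce:137             *:*
  UDP    xforce:2140            *:*
  UDP    xforce:3150            *:*
"""

if __name__ == "__main__":
    for port, name in sorted(find_backdoor_ports(SAMPLE_NETSTAT).items()):
        print(f"port {port}: possible {name}")
```

A hit on one port is a reason to investigate, not proof of infection; the advisory's own rule for DeepThroat and Hack'a'Tack is that the full set of ports should be open together, and the two configurable defaults (555 and 1243) are used by ordinary software as well.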
If you connect, NetSphere will send a banner similar to the following:

If you connect to port 30102, you will see this banner:

220 NetSphere Capture FTP

To remove NetSphere from your computer, telnet to port 30100 and type '' (with no quotes) and press Enter. You will be disconnected, and the server will no longer be installed on the target machine.

Another way to detect NetSphere is by looking in the registry. If you find a value in the key HKLM\Software\Microsoft\Windows\CurrentVersion\Run named "NSSX" with the data "C:\Windows\System\nssx.exe", then you have NetSphere on your machine. On Windows 95 or 98, you can either reboot into DOS mode, delete C:\windows\system\nssx.exe, and reboot into Windows to remove the value from the registry, or just use the telnet procedure described earlier in this section to remove the server. On Windows NT, you can kill the process with Task Manager, then delete the file and remove the value from the registry. See below for more information on using Regedit.

GateCrasher 1.2:

GateCrasher 1.2 has the standard backdoor features, including starting and stopping an FTP server on your machine, rebooting your machine, and chatting with users on the system. GateCrasher 1.2 works on Windows 95, 98, and Windows NT. A 1.1 version of GateCrasher exists, but no longer works: when that version of the server tried to install itself, it attempted to connect to an SMTP server to send an e-mail to the author, and because that server did not work, GateCrasher 1.1 never got installed.

GateCrasher listens for connections on port 6969. To determine if a machine is running GateCrasher, telnet to port 6969 and look for this banner:

GateCrasher v1.2, Server On-Line...

If you type 'gatecrasher;' (no quotes) and press Enter, it will return 'Access Granted...'. If you then type 'uninstall;' and press Enter, the server will be uninstalled. The server is still running at that point, but you can kill it by typing 'end;' and pressing Enter.
Another way to detect GateCrasher is by looking in the registry. Go to the HKLM\Software\Microsoft\Windows\CurrentVersion\Run registry key and look for the value named "Command" pointing to "C:\Windows\System.exe". Windows 95 and 98 users should either boot to DOS and remove the C:\Windows\system.exe file, then reboot to Windows to remove the registry value, or just use the telnet uninstall method described earlier in this section. On Windows NT, you can kill the process with Task Manager, then delete the file and remove the registry entry. See below for more information on using Regedit.

Portal of Doom:

Portal of Doom (PoD) includes standard backdoor features, such as sending messages, reading files, starting your screensaver, and reassigning your mouse buttons, as well as advanced features like stealing your dialup passwords. Portal of Doom works on Windows 95, 98 and NT systems only if your Windows directory is C:\Windows. If the C:\Windows\System directory does not exist, PoD will not be able to copy itself into that directory and will not run.

Portal of Doom listens on UDP ports 10067 and 10167. If you send a UDP packet to port 10167 with 3 bytes of data that are "pod", the server will return:

[@]xforce

(In this example, xforce is the name of the currently logged in user)

While the client is connected, the server keeps sending packets that contain "KeepAliveeeeeeeeee" every 2 seconds. The protocol used by PoD is similar to the DeepThroat protocol; PoD represents commands using 2-byte UDP packets.

If you are infected with the Portal of Doom backdoor, open the registry to HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices and look for the value named "String" with the data "c:\windows\system\ljsgz.exe". Boot into DOS mode and delete the c:\windows\system\ljsgz.exe file, then boot into Windows and delete the "String" value from the registry.
If you are running Windows NT and are infected, you can kill the process with Task Manager, and then remove the "String" registry value. See below for information on using Regedit.

GirlFriend 1.3x:

GirlFriend has standard backdoor features, as well as the ability to retrieve your passwords. It retrieves passwords by monitoring the password fields in dialog boxes on your screen and saving them. GirlFriend only works on Windows 95 and 98.

GirlFriend 1.3 and 1.35 use the same protocol. They listen on TCP port 21554. If you connect to port 21554 and send a TCP packet with 3 bytes of data that are "ver", the response will be one of the following:

GirlFriend Server 1.35 . Port 21554

or

GirlFriend Server 1.3 . Port 21554

To remove GirlFriend from your machine, open Regedit to HKLM\Software\Microsoft\Windows\CurrentVersion\Run and look for a value named "Windll.exe" with the data "c:\windows\windll.exe". Reboot to DOS and delete the C:\windows\windll.exe file, then boot to Windows and remove the "Windll.exe" registry value. See below for more information on using Regedit.

Hack'a'Tack:

Hack'a'Tack is a backdoor that allows attackers to move and kill windows on your desktop, open an FTP server on your machine, log keystrokes, save passwords you type, shut down the machine, and upload, download, and execute files. Hack'a'Tack only runs on Windows 95 and 98.

Hack'a'Tack uses TCP port 31785 and UDP ports 31789 and 31791. If you connect to TCP port 31785, it will display a banner such as:

hostxforce.org

(In this example, xforce.org is the hostname of the machine)

If you see TCP port 31785 and UDP ports 31789 and 31791 open when you run 'netstat -a', then you probably have Hack'a'Tack on your machine. To remove it, open Regedit to the HKLM\Software\Microsoft\Windows\CurrentVersion\Run registry key and look for a value named "Explorer32" with the data "C:\windows\Expl32.exe".
Boot to DOS and delete the C:\Windows\Expl32.exe file, then reboot into Windows and delete the "Explorer32" registry value. See below for more information on using Regedit.

EvilFTP:

EvilFTP is a backdoor that just sets up an FTP server on your machine. The server listens on port 23456, with a username of 'yo' and a password of 'connect'. EvilFTP will run on Windows 95, 98, and Windows NT systems.

To determine if EvilFTP is running on a machine, telnet to port 23456. EvilFTP displays this banner:

200- Welcome To EvilFTP :)

To remove this backdoor on Windows 95 and 98, delete the line "Run=C:\Windows\System\msrun.exe" from C:\Windows\Win.ini and delete the C:\Windows\System\msrun.exe file. To remove EvilFTP from a Windows NT system, open Regedit to the key HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows and look for a value named "Run". If its data is "C:\Winnt\System32\msrun.exe", delete the value, then delete the C:\Winnt\System32\msrun.exe file.

phAse Zero:

phAse Zero has all of the standard backdoor features, including the ability to upload and download files to the computer using FTP, execute programs, delete and move files, and read and write the registry. There is also a 'Trash Server' function that deletes all files from your Windows system directory. phAse Zero runs on Windows 95, 98, and Windows NT.

By default, phAse Zero listens on port 555. This port can be easily changed with the server setup program. If you see port 555 or any other suspicious port open on your machine, use telnet or netcat to connect to that port. If phAse Zero is running on that port, you will see this banner:

phAse Zero server v1.0 by njord of kr0me corp

The registry value used by phAse Zero to start at boot is also easily configurable, but it is always in HKLM\Software\Microsoft\Windows\CurrentVersion\Run. The default name is "MsgServ" and the default data is "msgsvr32.exe".
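Each of the sections above pairs a port with the text the backdoor sends back. The following is an added example, not code from the ISS advisory: it takes responses a tester has already captured (the samples are constructed) and matches them against patterns built from the banners quoted in this advisory, with the variable parts (NetBIOS name, registered user name, host name) matched loosely.

```python
"""Match a captured probe response against the banners quoted in this advisory.

Added example, not part of the ISS advisory.  The patterns are built from
the responses shown in the sections above; variable parts (NetBIOS name,
registered user name, host name) are matched loosely.  The sample responses
at the bottom are constructed.
"""
import re

# (backdoor, pattern over the stripped response text).  Patterns are anchored
# at the start; the Hack'a'Tack one is weak because its banner is just the
# word 'host' followed directly by the machine's host name.
SIGNATURES = [
    ("DeepThroat v1", r"^--Ahhhhhhhhhh My Mouth Is Open \S+"),
    ("DeepThroat v2", r"^.+ - Ahhhhh My Mouth Is Open \(v2\)"),
    ("DeepThroat v3", r"^.+ - Ahhhhh My Mouth Is Open \(v3\.0\)"),
    ("NetSphere 1.30 capture FTP", r"^220 NetSphere Capture FTP"),
    ("GateCrasher 1.2", r"^GateCrasher v1\.2, Server On-Line"),
    ("Portal of Doom", r"^\[@\]\S+"),
    ("GirlFriend 1.35", r"^GirlFriend Server 1\.35 \. Port 21554"),
    ("GirlFriend 1.3", r"^GirlFriend Server 1\.3 \. Port 21554"),
    ("Hack'a'Tack", r"^host[\w.-]+$"),
    ("EvilFTP", r"^200- Welcome To EvilFTP :\)"),
    ("phAse Zero 1.0", r"^phAse Zero server v1\.0 by njord of kr0me corp"),
]
COMPILED = [(name, re.compile(p)) for name, p in SIGNATURES]


def identify(response):
    """Return the backdoor whose banner matches *response*, else None.

    *response* may be bytes straight from a socket or already-decoded text;
    surrounding whitespace and CR/LF are ignored.
    """
    if isinstance(response, bytes):
        response = response.decode("latin-1", errors="replace")
    text = response.strip()
    for name, pattern in COMPILED:
        if pattern.match(text):
            return name
    return None


def classify_all(responses):
    """Map {label: response} to {label: backdoor or None}."""
    return {label: identify(r) for label, r in responses.items()}


# Constructed sample: what a tester might have saved from each probe.
SAMPLE_RESPONSES = {
    "udp/2140": b"ISS X-Force - Ahhhhh My Mouth Is Open (v3.0)\r\n",
    "tcp/30102": b"220 NetSphere Capture FTP\r\n",
    "tcp/6969": b"GateCrasher v1.2, Server On-Line...\r\n",
    "udp/10167": b"[@]xforce",
    "tcp/21554": b"GirlFriend Server 1.35 . Port 21554",
    "tcp/31785": b"hostxforce.org",
    "tcp/23456": b"200- Welcome To EvilFTP :)\r\n",
    "tcp/555": b"phAse Zero server v1.0 by njord of kr0me corp\r\n",
    "tcp/25": b"220 mail.example.test ESMTP ready\r\n",  # ordinary service
}

if __name__ == "__main__":
    for label, result in classify_all(SAMPLE_RESPONSES).items():
        print(f"{label}: {result or 'no advisory banner'}")
```

The GirlFriend patterns show why exact punctuation matters: "1.35 ." and "1.3 ." differ only in the character after the version, so the 1.35 pattern must not be allowed to fall through to the 1.3 one.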
If you see any suspicious files in the Run key, locate the file mentioned (in C:\Windows or C:\Windows\System on Windows 95 and 98, or C:\Winnt or C:\Winnt\System32 on Windows NT) and open it in Notepad. Search for the text "phAse Zero". If you find this text in the executable, then your system is infected with the phAse Zero backdoor and you should delete that file and delete the registry value from the registry. For more information on using Regedit, see below.

ExploreZip.worm:

ExploreZip.worm, also called Worm.ExploreZip, is a malicious e-mail worm that propagates by replying to any incoming e-mail Microsoft Outlook receives. If you see a message that has the following text in the body:

Hi ! I received your email and I shall send you a reply ASAP. Till then, take a look at the attached zipped docs.

and has an attachment named zipped_files.exe, do not run the attachment and delete the message immediately. If you run zipped_files.exe, the worm will begin to propagate itself and search your hard drive, truncating all files with the extensions .asm, .c, .cpp, .doc, .ppt, and .xls to zero bytes. To detect and remove this worm from your computer, use an up-to-date virus scanner.

SubSeven:

There have been many versions of the SubSeven backdoor released, and most of them were very buggy until version 1.7 came out. The latest version is 1.9. This backdoor was named 'BackDoor-G' by Network Associates, Inc., when they discovered version 1.7. SubSeven allows remote attackers to obtain cached passwords, play sounds, look at a webcam on your system, capture screenshots, and be notified over IRC or ICQ when someone gets infected. SubSeven only works on Windows 95 and 98.

SubSeven is highly configurable. The person installing it can set a password, change the filename and registry key it uses, make it use Win.ini or System.ini, and have it notify an ICQ number, e-mail address, or IRC channel when it is run. They can also change the icon it uses and the port it listens on.
The default TCP port is 1243. SubSeven has four options for starting the server: in the Run or RunServices registry keys under HKLM\Software\Microsoft\Windows\CurrentVersion, in the Win.ini file, or by a 'less known method'. The 'less known method' uses the System.ini file, and adds its executable name to the 'shell=' line in the '[boot]' section of the file. By default, it will make that line 'shell=Explorer.exe mtmtask.dl', and copy mtmtask.dl to your Windows system directory. If you look in System.ini and see anything other than 'Explorer.exe' on your 'shell=' line, immediately remove everything other than 'Explorer.exe' and delete the extra file from C:\Windows\System.

If you connect to SubSeven's port, you will see a banner similar to:

connected. time/date: 18:05.19 - June 30, 1999, Wednesday, version: 1.7

SubSeven also listens on port 6776 for the scanning function, and this port is not configurable. SubSeven also keeps TCP port 6711 open. If you see TCP ports 6711 and 6776 open when you run 'netstat -a', then you probably have SubSeven. Since it is so highly configurable and difficult to detect in the registry, the easiest way to remove it is to use an up-to-date virus scanner. Most newer virus scanners will detect and remove SubSeven.

Notes on using Regedit:

WARNING: Incorrectly using Registry Editor may cause severe and irreparable damage and may require you to reinstall your operating system. Internet Security Systems cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk.

To remove a registry value, such as one in the HKLM\Software\Microsoft\Windows\CurrentVersion\Run key, run the Regedit program. In the left panel of Regedit, select the HKEY_LOCAL_MACHINE (HKLM) key, then SOFTWARE. Then go to the Microsoft key, then Windows, then CurrentVersion, and finally Run. In the right-hand panel of Regedit, you will see the values' names and data.
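The start-up locations named throughout this advisory (the Run and RunServices keys, the Windows NT "Run" value, Win.ini's run= line and System.ini's shell= line) can be checked without editing anything by hand. The following is an added example, not code from the ISS advisory: it reads a Regedit export (File > Export, REGEDIT4 format) of the Run/RunServices keys plus the text of Win.ini and System.ini, and reports entries matching the value names and files listed in this advisory. The sample inputs are constructed; the Windows 9x "SystemTray"="SysTray.Exe" entry is included because it is a legitimate value that shares its name with the DeepThroat 2/3 value and must not be deleted.

```python
"""Check Windows 9x/NT start-up locations for entries named in this advisory.

Added example, not part of the ISS advisory.  Input is a Regedit export
(REGEDIT4 format) plus Win.ini and System.ini text; samples are constructed.
"""
import ntpath
import re

# Registry keys are compared case-insensitively, so they are stored lower-cased.
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
RUNSERVICES_KEY = RUN_KEY + "services"
NT_WINDOWS_KEY = r"hkey_local_machine\software\microsoft\windows nt\currentversion\windows"

# (key, value name) -> (backdoor, expected file name, or None for any path)
REGISTRY_SIGNATURES = {
    (RUN_KEY, "systemdll32"): ("DeepThroat 1", None),
    (RUN_KEY, "systemtray"): ("DeepThroat 2/3", None),
    (RUN_KEY, "nssx"): ("NetSphere 1.30", "nssx.exe"),
    (RUN_KEY, "command"): ("GateCrasher 1.2", "system.exe"),
    (RUN_KEY, "windll.exe"): ("GirlFriend 1.3x", "windll.exe"),
    (RUN_KEY, "explorer32"): ("Hack'a'Tack", "expl32.exe"),
    (RUN_KEY, "msgserv"): ("phAse Zero (default name)", "msgsvr32.exe"),
    (RUNSERVICES_KEY, "string"): ("Portal of Doom", "ljsgz.exe"),
    (NT_WINDOWS_KEY, "run"): ("EvilFTP (Windows NT)", "msrun.exe"),
}
# Windows 9x's own tray loader shares its value name with DeepThroat 2/3.
KNOWN_GOOD = {(RUN_KEY, "systemtray", "systray.exe")}

_KEY_LINE = re.compile(r"^\[(.+)\]$")
_VALUE_LINE = re.compile(r'^"(.+?)"="(.*)"$')


def parse_reg_export(text):
    """Return [(key, value name, data)] from a REGEDIT4-style export."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_LINE.match(line)
        if m:
            key = m.group(1)
            continue
        m = _VALUE_LINE.match(line)
        if m and key:
            name, data = m.groups()
            entries.append((key, name, data.replace("\\\\", "\\")))
    return entries


def check_registry(text):
    """Return [(backdoor, value name, data)] for values matching a signature."""
    hits = []
    for key, name, data in parse_reg_export(text):
        sig = REGISTRY_SIGNATURES.get((key.lower(), name.lower()))
        if sig is None:
            continue
        filename = ntpath.basename(data).lower()
        if (key.lower(), name.lower(), filename) in KNOWN_GOOD:
            continue
        backdoor, expected = sig
        if expected is None or filename == expected:
            hits.append((backdoor, name, data))
    return hits


def ini_items(text, section):
    """Yield (key, value) pairs from one [section] of an ini file."""
    current = None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            current = s[1:-1].lower()
        elif current == section.lower() and "=" in s:
            k, v = s.split("=", 1)
            yield k.strip().lower(), v.strip()


def check_win_ini(text):
    """Flag a non-empty run= line in [windows]; EvilFTP's file is msrun.exe."""
    hits = []
    for k, v in ini_items(text, "windows"):
        if k == "run" and v:
            evil = ntpath.basename(v).lower() == "msrun.exe"
            hits.append(("EvilFTP" if evil else "unexpected run= program", v))
    return hits


def check_system_ini(text):
    """Return anything other than Explorer.exe on the [boot] shell= line."""
    extras = []
    for k, v in ini_items(text, "boot"):
        if k == "shell":
            extras = [t for t in v.split() if t.lower() != "explorer.exe"]
    return extras


SAMPLE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"Explorer32"="C:\\windows\\Expl32.exe"
"MsgServ"="msgsvr32.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"String"="c:\\windows\\system\\ljsgz.exe"
"""
SAMPLE_WIN_INI = "[windows]\nload=\nrun=C:\\Windows\\System\\msrun.exe\n[Desktop]\nWallpaper=(None)\n"
SAMPLE_SYSTEM_INI = "[boot]\nshell=Explorer.exe mtmtask.dl\ndrivers=mmsystem.dll\n[386Enh]\ndevice=*vmm32\n"

if __name__ == "__main__":
    print("registry:", check_registry(SAMPLE_REG))
    print("win.ini:", check_win_ini(SAMPLE_WIN_INI))
    print("system.ini shell= extras:", check_system_ini(SAMPLE_SYSTEM_INI))
```

The checker only reports; removal is still the manual procedure the advisory gives for each backdoor, and any value whose data does not match the expected file name is left for the reader to look at, since several of these names (SubSeven and phAse Zero in particular) are configurable.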
The "Run" and "RunServices" keys contain values that represent programs run at start-up. The name of the entry is in the "Name" column, and the file that gets run is in the "Data" column. To delete a value, right-click on its name and select Delete. Do not delete anything in the left-hand panel of Regedit: those are the registry keys, and deleting an entire key could cause serious harm to your computer. Only delete a value if you are sure it belongs to a backdoor.

Conclusion:

ISS X-Force has documented over 120 backdoors for Windows on the web. Not all of them are listed in our advisories, but we hope that providing information on some of the most popular and dangerous backdoors will help users detect and remove any backdoor they may find on their systems.

About ISS:

ISS leads the market as the source for e-business risk management solutions, serving as a trusted security provider to thousands of organizations including 21 of the 25 largest U.S. commercial banks and more than 35 government agencies. With its Adaptive Security Management approach, ISS empowers organizations to measure and manage enterprise security risks within Intranet, extranet and electronic commerce environments. Its award-winning SAFEsuite(r) product line of intrusion detection, vulnerability management and decision support solutions is vital for protection in today's world of global connectivity, enabling organizations to proactively monitor, detect and respond to security risks. Founded in 1994, ISS is headquartered in Atlanta, GA with additional offices throughout the U.S. and international operations in Australia/New Zealand, Belgium, France, Germany, Japan, Latin America and the UK. For more information, visit the ISS Web site at www.iss.net or call 800-776-2362.