9/23: Backdoor-CHP Lets Data Through
September 23, 2004

Backdoor-CHP is a remote access Trojan that lets remote attackers relay data (such as spam) through the compromised system. When run, the Trojan copies itself to the Windows system directory as w32.exe and creates registry Run keys, as well as a service, so that it is loaded at system startup:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "w32" = w32.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "w32" = w32.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices "w32" = w32.exe
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\w32 "DisplayName" = Windows Service Application
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\w32 "ImagePath" = C:\WINDOWS\System32\w32.exe

The Trojan runs a proxy server on TCP port 9687 and on a second, randomly chosen TCP port. It notifies the Trojan author of the infection by requesting a page on a web site.
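As an added illustration (not part of the McAfee write-up or this article), the following Python host sweep checks an exported .reg file and lines of netstat -an output for the indicators listed above. The registry export and netstat lines are constructed samples, and the parser assumes string values are exported as plain quoted strings rather than hex-encoded REG_EXPAND_SZ data.

```python
import re

# Indicators taken from the advisory: Run/RunServices values named "w32",
# the w32 service's ImagePath, and the fixed proxy port.
RUN_KEYS = (
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
)
SERVICE_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\w32"
PROXY_PORT = 9687

def parse_reg_export(text):
    """Parse a regedit/.reg export into {key (lowercased): {value name: data}}.
    Only plain quoted strings are decoded; hex(...) values are left out (assumption)."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()          # registry keys are case-insensitive
            keys.setdefault(current, {})
        elif current and line.startswith('"') and '"=' in line:
            name, data = line[1:].split('"=', 1)
            keys[current][name] = data.strip('"').replace("\\\\", "\\")  # undo .reg escaping
    return keys

def find_backdoor_chp(reg, netstat_lines):
    """Return a list of human-readable findings; an empty list means no indicator matched."""
    findings = []
    for key in RUN_KEYS:
        data = reg.get(key.lower(), {}).get("w32", "")
        if data.lower().endswith("w32.exe"):
            findings.append(f"run key {key}\\w32 = {data}")
    svc = reg.get(SERVICE_KEY.lower(), {})
    if svc.get("ImagePath", "").lower().endswith("w32.exe"):
        findings.append(f"service w32 ImagePath = {svc['ImagePath']}")
    for line in netstat_lines:
        m = re.match(r"\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING", line)
        if m and int(m.group(1)) == PROXY_PORT:
            findings.append(f"listener on TCP {PROXY_PORT}: {line.strip()}")
    return findings

# Constructed sample input: one infected Run key, the service, and the listener.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"w32"="w32.exe"
"Benign"="C:\\Program Files\\Tool\\tool.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\w32]
"DisplayName"="Windows Service Application"
"ImagePath"="C:\\WINDOWS\\System32\\w32.exe"
'''
SAMPLE_NETSTAT = [
    "  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING",
    "  TCP    0.0.0.0:9687           0.0.0.0:0              LISTENING",
]
```

Run it on a real host with the output of `reg export HKLM hklm.reg` plus `reg export HKCU hkcu.reg` concatenated and `netstat -an`; the random second port cannot be matched by number, so treat any unexplained listener as worth a look.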

Find out more on the McAfee page.