9/23: Backdoor-CHP Lets Data Through

September 23, 2004

Backdoor-CHP is a remote access Trojan that lets remote attackers relay data (such as spam) through the compromised system. When run, the Trojan copies itself to the Windows System directory as w32.exe and creates registry Run keys, as well as a service, so that it is loaded at system startup:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "w32" = w32.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "w32" = w32.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices "w32" = w32.exe
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\w32 "DisplayName" = Windows Service Application
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\w32 "ImagePath" = C:\WINDOWS\System32\w32.exe

The Trojan runs a proxy server on TCP port 9687 and on a second, randomly chosen TCP port. Because that second port varies from one infection to the next, a host or network check should key on port 9687 and on the process that owns it rather than on a fixed port list. The Trojan notifies its author of the infection by requesting a page on a web site.
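As an added example (not part of the original article or of McAfee's write-up), the following Python script checks the indicators listed above against the text output of `reg query` and `netstat -ano` captured from a suspect host. It flags the "w32" Run/RunServices values and the w32 service, finds the process listening on TCP 9687, and uses that process ID to surface the random second port and any outbound SMTP sessions it holds. The sample outputs embedded in it are constructed for illustration; the PIDs, the 41233 port and the 203.0.113.7 peer are invented.

```python
"""Triage helper for the Backdoor-CHP indicators in the write-up above.

Input is the text of `reg query <key>` and `netstat -ano` captured from a
suspect Windows host; output is the registry values, listeners and relay
sessions that match the indicators. Added example, not McAfee's tooling.
"""
import re
from collections import namedtuple

# Indicators taken from the write-up. This is not McAfee's full IOC list.
RUN_KEYS = {
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
}
SERVICE_KEY = r"hkey_local_machine\system\currentcontrolset\services\w32"
VALUE_NAME = "w32"
PROXY_PORT = 9687


def scan_reg_query(text):
    """Return (key, value_name, data) for every indicator hit.

    `reg query` prints a key path flush-left, then one indented line per
    value as "name    type    data"; runs of spaces separate the columns,
    while data may itself contain single spaces.
    """
    findings, key = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():          # flush-left: a new key path
            key = line.strip()
            continue
        cols = re.split(r"\s{2,}|\t+", line.strip(), maxsplit=2)
        if key is None or len(cols) != 3:
            continue
        name, _regtype, data = cols
        if key.lower() in RUN_KEYS and name.lower() == VALUE_NAME:
            findings.append((key, name, data))   # "w32" = w32.exe autostart
        elif key.lower() == SERVICE_KEY:
            findings.append((key, name, data))   # any value of the w32 service
    return findings


Conn = namedtuple("Conn", "proto lip lport rip rport state pid")


def parse_netstat(text):
    """Parse the TCP rows of `netstat -ano` (UDP rows lack the State column)."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] != "TCP":
            continue
        lip, _, lport = parts[1].rpartition(":")
        rip, _, rport = parts[2].rpartition(":")
        conns.append(Conn("TCP", lip, int(lport), rip, int(rport), parts[3], int(parts[4])))
    return conns


def proxy_pids(conns):
    """PIDs holding a LISTENING socket on the fixed proxy port 9687."""
    return {c.pid for c in conns if c.lport == PROXY_PORT and c.state == "LISTENING"}


def find_proxy_listeners(text):
    """(pid, port) for every listener owned by the 9687 process.

    The second proxy port is random, so it cannot be matched by number;
    correlating on the PID of the known 9687 listener is what surfaces it.
    """
    conns = parse_netstat(text)
    pids = proxy_pids(conns)
    return sorted((c.pid, c.lport) for c in conns
                  if c.pid in pids and c.state == "LISTENING")


def relay_connections(text):
    """(pid, remote_ip, remote_port) for outbound SMTP (tcp/25) sessions held
    by the proxy process: the traffic a spam relay produces."""
    conns = parse_netstat(text)
    pids = proxy_pids(conns)
    return [(c.pid, c.rip, c.rport) for c in conns
            if c.pid in pids and c.state == "ESTABLISHED" and c.rport == 25]


# Constructed sample outputs so the script runs stand-alone; the PIDs, the
# 41233 port and the 203.0.113.7 peer are invented, not from a real case.
SAMPLE_REG = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    VMware Tools    REG_SZ    C:\Program Files\VMware\VMware Tools\VMwareTray.exe
    w32    REG_SZ    w32.exe

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\w32
    DisplayName    REG_SZ    Windows Service Application
    ImagePath    REG_EXPAND_SZ    C:\WINDOWS\System32\w32.exe
    Start    REG_DWORD    0x2
"""

SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:9687           0.0.0.0:0              LISTENING       1488
  TCP    0.0.0.0:41233          0.0.0.0:0              LISTENING       1488
  TCP    192.168.1.20:41233     203.0.113.7:25         ESTABLISHED     1488
  UDP    0.0.0.0:500            *:*                                    728
"""

if __name__ == "__main__":
    for key, name, data in scan_reg_query(SAMPLE_REG):
        print(f'registry: {key} "{name}" = {data}')
    for pid, port in find_proxy_listeners(SAMPLE_NETSTAT):
        print(f"listener: pid {pid} on tcp/{port}")
    for pid, rip, rport in relay_connections(SAMPLE_NETSTAT):
        print(f"relay:    pid {pid} -> {rip}:{rport}")
```

On a live host the same functions can be fed `subprocess.check_output(["reg", "query", key])` and `subprocess.check_output(["netstat", "-ano"])`; against a forensic image, any tool that dumps the hive in the `reg query` layout works. A hit on the service key alone is worth investigating even without the Run values, since removal tools often clear one persistence point and miss the other.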

Find out more on the McAfee page for this Trojan.
