9/23: Backdoor-CHP Lets Data Through
 
September 23, 2004

Backdoor-CHP is a remote access Trojan that allows remote attackers to relay data (such as spam) through the compromised system. When run, the Trojan copies itself to the Windows System directory as w32.exe and creates registry run keys, as well as a service, to load itself at system startup:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "w32" = w32.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "w32" = w32.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices "w32" = w32.exe
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\w32 "DisplayName" = Windows Service Application
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\w32 "ImagePath" = C:\WINDOWS\System32\w32.exe

The Trojan runs a proxy server on TCP port 9687 and on a second, randomly chosen TCP port. Notification is sent to the Trojan author via a page on the www.earthlabs.biz web site.
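As an added example (not from the advisory or from McAfee), here is a read-only PowerShell check for the persistence and listener indicators described above. It assumes a modern Windows host where Get-NetTCPConnection and Get-FileHash are available (Windows 8 / Server 2012 or later); the RunServices key only exists on Windows 9x-era systems and is simply skipped if absent.

```powershell
# Added example: check a host for the Backdoor-CHP indicators listed in the advisory.
# Read-only; run from an elevated shell so HKLM and all listeners are visible.
$indicators = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run';         Name = 'w32' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';         Name = 'w32' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices'; Name = 'w32' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\w32';                 Name = 'ImagePath' }
)

$findings = @()

# 1. Registry run keys and the service's ImagePath value
foreach ($i in $indicators) {
    if (Test-Path $i.Path) {
        $item = Get-ItemProperty -Path $i.Path -Name $i.Name -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            $findings += [pscustomobject]@{ Type = 'Registry'; Where = "$($i.Path)\$($i.Name)"; Value = $item.($i.Name) }
        }
    }
}

# 2. The service itself, registered under the misleading display name from the advisory
$svc = Get-Service -Name 'w32' -ErrorAction SilentlyContinue
if ($svc) {
    $findings += [pscustomobject]@{ Type = 'Service'; Where = 'w32'; Value = "$($svc.DisplayName) ($($svc.Status))" }
}

# 3. The dropped binary; record its hash so the sample can be compared against vendor data
$bin = Join-Path $env:SystemRoot 'System32\w32.exe'
if (Test-Path $bin) {
    $findings += [pscustomobject]@{ Type = 'File'; Where = $bin; Value = (Get-FileHash -Algorithm SHA256 $bin).Hash }
}

# 4. The proxy listener. Port 9687 is fixed; the second port is random, so instead of
#    matching a number, flag any listening socket owned by a process named w32.
$listeners = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue
foreach ($c in $listeners) {
    $proc = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
    if ($c.LocalPort -eq 9687 -or ($proc -and $proc.ProcessName -eq 'w32')) {
        $findings += [pscustomobject]@{ Type = 'Listener'; Where = "TCP $($c.LocalPort)"; Value = "PID $($c.OwningProcess) $($proc.ProcessName)" }
    }
}

if ($findings) { $findings | Format-Table -AutoSize } else { 'No Backdoor-CHP indicators found.' }
```

A hit on the registry or service checks alone indicates persistence was established; a listener hit without a file hit suggests the binary has been renamed or moved and the host should be imaged rather than cleaned in place.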

Find out more at the McAfee page.
