Port No | 23432 |
Service Name | Asylum |
RFC Doc | 0 |
Protocol | TCP |
Description | Asylum This signature detects Backdoor Asylum activity |
Reference Link | More Information |
Attack | Name:Asylum This Trojan horse has no visual indicators that the computer has been infected. When executed, the Trojan modifies the system to enable itself to run at startup. You will notice a serious degradation of performance because the Trojan uses most of the system's resources. Backdoor.Asylum opens a large number of ports for listening. It will attempt to send an email notification, which contains information about your system, to the Trojan's creator. The Trojan employs three different methods to enable itself at startup: It adds the line C:\Windows\Wincmp32.exe to the Load= and Run= lines of the Win.ini file. It adds Wincmp32.exe to the Shell=explorer.exe line of the System.ini file. It creates the value SystemAdministration and sets it equal to Wincmp32.exe in the following registry keys: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices NOTE: At least one case has been reported in which the dropped file, and the references to it, was Winupd32.exe. How To Remove: 1. Restart the computer in MS-DOS mode, and then delete the C:\Windows\Wincmp32.exe file. 2. Restart the computer in Safe Mode. 3. Use the System Editor (Sysedit.exe) to edit the Win.in and System.ini files. Remove any references to Wincmp32.exe (or to Winupd32.exe). 4. Remove the registry entries made by the Trojan: CAUTION: We strongly recommend that you back up the system registry before making any changes. Incorrect changes to the registry could result in permanent data loss or corrupted files. Please make sure you modify only the keys specified. Please see the document How to back up the Windows registry before proceeding. a. Click Start, and click Run. The Run dialog box appears. b. Type regedit and then click OK. The Registry Editor opens. c. Navigate to the following subkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run d. In the right pane, delete the value: SystemAdministration Wincmp32.exe (Or Winupd32.exe.) e. Repeat steps 3 and 4 for the registry key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices f. Restart the computer. |
Catch threats immediately
We work side-by-side with you to rapidly detect cyberthreats
and thwart attacks before they cause damage.