Port No | 411 |
Service Name | Backage |
RFC Doc | 0 |
Protocol | TCP |
Description | Backage is a small French trojan. This trojan has a client similar to SubSeven's. Backage has an edit-server program that allows the "hacker" to change the port Backage listens on and to set an ICQ UIN that the server notifies. |
Reference Link | Backage Trojan |
Attack | It autoloads via System.ini, win.ini and the registry. It does the following:
- Caps lock on/off
- Change or view clipboard contents
- Chat with server
- Disable/enable ALT-CTRL-DEL
- Get ICQ password
- Get information
- Get screen shot
- Hide/show start button
- Hide/show task bar
- Lock screen on/off
- Num lock on/off
- Open/close CD-ROM
- Print text
- Reboot Windows
- Run file
- Send keys
- Send message
- Send to URL
- Set mouse position
- Swap mouse buttons
- View list of open windows

Removal:
1. Remove the Internet Explorer Plugin key in the registry located at HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Run, HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\RunOnce, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run and HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices. Also remove the SystemKernel32 key in the registry at HKEY_USERS\.Default\Software\Win\RUN. This can be done with regedit or any other registry editing program.
2. Open system.ini (usually c:\windows\system.ini) and change the line shell=Explorer.exe MSkernel16.exe under [boot] back to shell=Explorer.exe. This can be done with any text editing program.
3. Open win.ini (usually c:\windows\win.ini) and remove the line run=MSkernel16.exe under [windows]. This can be done with any text editing program.
4. Reboot the computer or close MSkernel16.exe.
5. Delete the trojan file MSkernel16.exe in the Windows directory. |
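The removal steps above are a manual procedure; the following script is an added illustration (not part of the original database entry) of how a defender can check for, and clean, the same persistence entries. The file name MSkernel16.exe, the ini sections and keys, and the registry Run locations are taken from the entry; the sample system.ini and win.ini contents are constructed, and the registry check (which uses the winreg module and only runs on Windows) is an assumed implementation of step 1's lookup, reporting matches rather than deleting them.

```python
"""Detect and clean the Backage persistence entries described in the removal steps.

Added example, not from the original entry. Sample ini contents are constructed.
"""
import re
import sys

TROJAN_FILE = "MSkernel16.exe"  # file name from the removal steps

# Registry Run locations listed in removal step 1 (root, subkey).
REGISTRY_RUN_KEYS = [
    ("HKEY_USERS", r".Default\Software\Microsoft\Windows\CurrentVersion\Run"),
    ("HKEY_USERS", r".Default\Software\Microsoft\Windows\CurrentVersion\RunOnce"),
    ("HKEY_LOCAL_MACHINE", r"Software\Microsoft\Windows\CurrentVersion\Run"),
    ("HKEY_LOCAL_MACHINE", r"Software\Microsoft\Windows\CurrentVersion\RunServices"),
    ("HKEY_USERS", r".Default\Software\Win\RUN"),
]

# Constructed sample files mimicking an infected host (steps 2 and 3).
SAMPLE_SYSTEM_INI = """[boot]
shell=Explorer.exe MSkernel16.exe
drivers=mmsystem.dll
[386Enh]
device=*vpowerd
"""
SAMPLE_WIN_INI = """[windows]
load=
run=MSkernel16.exe
[Desktop]
Wallpaper=(None)
"""

_SECTION_RE = re.compile(r"\[(.+)\]$")


def find_indicator(ini_text, section, key):
    """Return the value of `key` in [section] if it references the trojan file, else None."""
    current = None
    for line in ini_text.splitlines():
        stripped = line.strip()
        m = _SECTION_RE.match(stripped)
        if m:
            current = m.group(1).lower()
            continue
        if current == section.lower() and "=" in stripped:
            k, v = stripped.split("=", 1)
            if k.strip().lower() == key.lower() and TROJAN_FILE.lower() in v.lower():
                return v.strip()
    return None


def clean_ini(ini_text, section, key):
    """Strip the trojan token from `key` in [section]; drop the line if nothing remains.

    Returns (cleaned_text, changed). shell=Explorer.exe MSkernel16.exe becomes
    shell=Explorer.exe; run=MSkernel16.exe is removed entirely.
    """
    out, current, changed = [], None, False
    for line in ini_text.splitlines():
        stripped = line.strip()
        m = _SECTION_RE.match(stripped)
        if m:
            current = m.group(1).lower()
            out.append(line)
            continue
        if current == section.lower() and "=" in stripped:
            k, v = stripped.split("=", 1)
            if k.strip().lower() == key.lower():
                tokens = [t for t in v.split() if t.lower() != TROJAN_FILE.lower()]
                if tokens != v.split():
                    changed = True
                    if tokens:
                        out.append(f"{k.strip()}={' '.join(tokens)}")
                    continue  # line dropped when only the trojan reference remained
        out.append(line)
    return "\n".join(out) + "\n", changed


def check_and_clean(system_ini, win_ini):
    """Report indicators found in both ini files and return their cleaned contents."""
    report = {
        "system.ini": find_indicator(system_ini, "boot", "shell"),
        "win.ini": find_indicator(win_ini, "windows", "run"),
    }
    cleaned_system, _ = clean_ini(system_ini, "boot", "shell")
    cleaned_win, _ = clean_ini(win_ini, "windows", "run")
    return report, cleaned_system, cleaned_win


def scan_registry_run_keys():
    """On Windows, list values under the step-1 keys that reference the trojan (assumed helper)."""
    if sys.platform != "win32":
        return []
    import winreg  # only available on Windows
    roots = {"HKEY_USERS": winreg.HKEY_USERS, "HKEY_LOCAL_MACHINE": winreg.HKEY_LOCAL_MACHINE}
    hits = []
    for root_name, subkey in REGISTRY_RUN_KEYS:
        try:
            with winreg.OpenKey(roots[root_name], subkey) as k:
                i = 0
                while True:
                    name, data, _ = winreg.EnumValue(k, i)
                    if TROJAN_FILE.lower() in str(data).lower():
                        hits.append((f"{root_name}\\{subkey}", name, data))
                    i += 1
        except OSError:
            continue  # key missing or enumeration finished
    return hits


if __name__ == "__main__":
    report, cleaned_system, cleaned_win = check_and_clean(SAMPLE_SYSTEM_INI, SAMPLE_WIN_INI)
    for name, hit in report.items():
        print(f"{name}: {'indicator ' + hit if hit else 'clean'}")
    print("--- cleaned system.ini ---\n" + cleaned_system)
    print("--- cleaned win.ini ---\n" + cleaned_win)
    for key, name, data in scan_registry_run_keys():
        print(f"registry hit: {key} {name} = {data}")
```

On a live host, read the real ini files (the default paths are given in steps 2 and 3) into `check_and_clean`, write the cleaned text back, then finish with steps 4 and 5 (stop the process, delete the file). The registry scan only reports matching values so the analyst can confirm them in regedit before removal.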