Event ID - 5401

Port No5401
Service NameBackConstruction
RFC Doc0
ProtocolTCP
DescriptionBackConstruction is a simple trojan. It can open a FTP server on port 21 that lets anyone on. It also opens the following ports: 666, 5401, 5402 and connects to them when the client is in use.
Reference LinkBackConstruction Trojan
AttackIt autoloads the Registry:
HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Run\Key: Shell

It does the following :
Chat
Email using victim
File explorer
Get cached passwords
Shutdown/Reboot/Logoff/Poweroff
Start menu on/off
View/Kill apps

Removal :
1. Remove the Shell key located in the registry at: HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Run\. And the P23H located at: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\General\Settings\. Which can be done with regedit or any other registry editing program.
2. Reboot the computer or close the trojan.
3. Delete the trojan file Cmctl32.exe in the windows directory

Catch threats immediately

We work side-by-side with you to rapidly detect cyberthreats
and thwart attacks before they cause damage.

See what we caught

Did this information help you to resolve the problem?

Yes: My problem was resolved.
No: The information was not helpful / Partially helpful.