Port No | 5402 |
Service Name | BackConstruction |
RFC Doc | 0 |
Protocol | TCP |
Description | BackConstruction is a simple trojan. It can open an FTP server on port 21 that lets anyone on. It also opens the following ports: 666, 5401 and 5402, and connects to them when the client is in use. |
Reference Link | BackConstruction Trojan |
Attack | It autoloads from the Registry at HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Run\ (key: Shell). It does the following: Chat; Email using victim; File explorer; Get cached passwords; Shutdown/Reboot/Logoff/Poweroff; Start menu on/off; View/Kill apps. Removal: 1. Remove the Shell key located in the registry at HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Run\ and the P23H located at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\General\Settings\. This can be done with regedit or any other registry editing program. 2. Reboot the computer or close the trojan. 3. Delete the trojan file Cmctl32.exe in the Windows directory. |