Port No | 6776 |
Service Name | BackDoor-G2 |
RFC Doc | 0 |
Protocol | TCP |
Description | This is the server component of the backdoor malware TROJ_Sub7. It drops a Petite-compressed Win32API.EXE into the Windows system directory and, under a random name, into another directory. It also creates a copy of Win32API.EXE under a different name and modifies the Windows registry so that the file executes at Windows startup. |
Reference Link | BackDoor-G2 |
Attack | Solution: 1. Click Start > Run, type Regedit and press Enter. 2. In the left panel of the Registry Editor, expand HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices; in the right panel, locate and delete the value MicrosoftAPI = "C:\WINDOWS\SYSTEM\Win32API.exe". 3. In the left panel, expand HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components; in the right panel, locate and delete the value StubPath = "C:\WINDOWS\SYSTEM\ ... 4. In the left panel, expand HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders; in the right panel, locate and delete the value Common Startup = "C:\WINDOWS\SYSTEM\ ... 5. In the left panel, expand HKEY_LOCAL_MACHINE\Software\Microsoft; right-click the ENC key and delete it. 6. Restart the system. |
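The manual cleanup above is easy to get wrong on a live machine, so a read-only check that reports the listed persistence entries before anyone touches Regedit is useful. The script below is an added example and is not part of the port database entry; the value names, the ENC key and the Win32API.exe file name come from the entry, while the modern `HKLM:` path syntax, the use of `[Environment]::SystemDirectory` and the enumeration of Active Setup subkeys (where StubPath values normally live) are assumptions of this example.

```powershell
# Added example, not from the port database entry: read-only inventory of the
# BackDoor-G2 / TROJ_Sub7 persistence locations listed in the Solution column.
# Run from an elevated PowerShell prompt. Nothing is deleted; each line is a
# finding for the operator to act on.

# Value locations named in the entry (assumption: modern HKLM: drive syntax).
$checks = @(
    @{ Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices'; Name = 'MicrosoftAPI' },
    @{ Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'; Name = 'Common Startup' }
)

foreach ($c in $checks) {
    if (-not (Test-Path $c.Path)) {
        Write-Output "ABSENT  $($c.Path)"
        continue
    }
    $item = Get-ItemProperty -Path $c.Path -ErrorAction SilentlyContinue
    $data = $item.($c.Name)
    if ($null -eq $data) {
        Write-Output "CLEAN   $($c.Path) : '$($c.Name)' not present"
        continue
    }
    # The entry ties these values to Win32API.exe; anything else (for example a
    # legitimate Common Startup folder) is reported for review, not flagged.
    $flag = if ($data -match 'Win32API\.exe') { 'SUSPECT' } else { 'REVIEW ' }
    Write-Output "$flag $($c.Path) : '$($c.Name)' = $data"
}

# Active Setup: the entry names a StubPath value; on a real system StubPath
# values sit under per-component subkeys, so walk those (assumption of this example).
$activeSetup = 'HKLM:\Software\Microsoft\Active Setup\Installed Components'
Get-ChildItem -Path $activeSetup -ErrorAction SilentlyContinue | ForEach-Object {
    $stub = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).StubPath
    if ($stub -and $stub -match 'Win32API\.exe') {
        Write-Output "SUSPECT $($_.PSChildName) : StubPath = $stub"
    }
}

# The entry says to delete the ENC key outright, so its mere presence is a finding.
$enc = 'HKLM:\Software\Microsoft\ENC'
if (Test-Path $enc) { Write-Output "SUSPECT $enc exists" } else { Write-Output "CLEAN   $enc not present" }

# Dropped file: the entry places Win32API.exe in the Windows system directory.
$file = Join-Path ([Environment]::SystemDirectory) 'Win32API.exe'
if (Test-Path $file) { Write-Output "SUSPECT $file exists" } else { Write-Output "CLEAN   $file not present" }
```

Save it as a `.ps1` and run it elevated; because it only reads, it is safe to run as a first pass before following the Solution steps, and its output doubles as a record of what was present on the host before cleanup.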