| Port No | 19216 |
| Service Name | BackGate Kit |
| RFC Doc | 0 |
| Protocol | TCP |
| Description | If the BackGate kit is used against a server vulnerable to such security breaches, it is likely that a file named E.ASP will be introduced to the server first. A batch file, DL.BAT is then generated to download and launch DL.EXE from a FTP server of the hacker's choice. It is possible that this FTP server may also be a victim of BackGate. |
| Reference Link | More Information |
| Attack | BackGate Kit To remove files installed by BackGate kit, search and remove the following registry keys: HKLM\System\CurrentControlSet\Services\MMtask HKLM\System\CurrentControlSet\Services\OS2srv HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GinaDLL Reboot the infected server. Remove NewGina.dll from System directory. Remove C:\543567.tmp . Remove directory " %windir%\system32\os2\DLL\new ". Search and remove directory \adminback0810\root . Please note that access permission to these two directories is restricted to System only. Administrator access needs to be added to gain access to these directories. The password to the accounts logged by PWS.Gina.Trojan should be changed. After removing Trojan files installed by BackGate, the user should follow the direction posted by Microsoft to patch up the server and stop the same hacking tool being used against their server again. |
Catch threats immediately
We work side-by-side with you to rapidly detect cyberthreats
and thwart attacks before they cause damage.