Port No | 23432 |
Service Name | Asylum |
RFC Doc | 0 |
Protocol | TCP |
Description | Asylum 0.1 is a small trojan written in assembly; the uncompressed server is 8K. It has only the basic features needed to infect the victim with another trojan. Before being sent to the victim, Asylum can be pre-configured with: ICQ notification, port number, password, and 6 different infection methods with any key name and file name. This means an infection might use a registry key name other than SystemAdministration or an executable other than wincmp32.exe. The standard password in the version we acquired is 12evil12. Asylum 0.1 is also open source. |
Reference Link | Asylum Trojan |
Attack | Autoload location: varies between the Registry, System.ini and Win.ini.
Capabilities: execute file; reboot computer; remove server; send to web page; upload file; server can be pre-configured (infection method, ICQ notify, port, password).
Removal:
1. If the SystemAdministration value exists under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices or HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, remove it. This can be done with regedit or any other registry editing program.
2. Open system.ini (usually c:\windows\system.ini) and, if the line shell=Explorer.exe wincmp32.exe exists under [boot], change it to shell=Explorer.exe. This can be done with any text editor.
3. Open win.ini (usually c:\windows\win.ini) and remove the entry load=c:\windows\wincmp32.exe or run=c:\windows\wincmp32.exe under [windows] if either exists. Any text editor will do.
4. Reboot the computer or terminate the trojan process.
5. Delete the trojan file wincmp32.exe from the Windows directory.
Because the registry value name and the file name are configurable by whoever built the server, do not check only for SystemAdministration and wincmp32.exe: any unexpected program chained onto the shell= line, any non-empty load=/run= entry, and any unfamiliar value under the three Run keys should be treated as suspect. |
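The removal steps above check three autostart locations by hand. The following Python script, an added example for this entry and not code from the trojan's author or any vendor tool, automates the check and the cleanup of the two .ini locations and lists the three Run keys on Windows. It assumes the page's default indicators (SystemAdministration, wincmp32.exe) but, because the page says both are configurable, it flags any program chained onto shell= and any non-empty load=/run= entry rather than only those names. The sample system.ini and win.ini contents are constructed to show the default infection, not captured files.

```python
"""Scan and clean the autostart locations Asylum 0.1 is known to use.
Added example for this entry (not the trojan's or any vendor's code).
Assumption: the indicator names below are the page's defaults; a
re-configured server may use others, so shell=/load=/run= content is
flagged generically, not only when it matches these names."""
import re
import sys

DEFAULT_REG_VALUE = "SystemAdministration"   # default Run-key value name (page)
DEFAULT_FILE = "wincmp32.exe"                # default server file name (page)
REG_RUN_KEYS = [  # the three Run locations listed in the removal steps
    ("HKEY_LOCAL_MACHINE", r"Software\Microsoft\Windows\CurrentVersion\Run"),
    ("HKEY_LOCAL_MACHINE", r"Software\Microsoft\Windows\CurrentVersion\RunServices"),
    ("HKEY_CURRENT_USER", r"Software\Microsoft\Windows\CurrentVersion\Run"),
]

def parse_ini(text):
    """Minimal Win9x .ini parser: {section: [(key, value), ...]}.
    Duplicate keys are kept (configparser would reject them)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            current = m.group(1).lower()
            sections.setdefault(current, [])
        elif "=" in line and current is not None:
            k, v = line.split("=", 1)
            sections[current].append((k.strip().lower(), v.strip()))
    return sections

def check_system_ini(text):
    """Return programs chained onto [boot] shell= (stock value is just Explorer.exe)."""
    findings = []
    for k, v in parse_ini(text).get("boot", []):
        if k == "shell":
            tokens = v.split()
            if tokens and tokens[0].lower() != "explorer.exe":
                findings.append(("shell-replaced", v))
            elif len(tokens) > 1:
                findings.append(("shell-chained", " ".join(tokens[1:])))
    return findings

def check_win_ini(text):
    """Return non-empty [windows] load= / run= entries (normally both are empty)."""
    return [(k, v) for k, v in parse_ini(text).get("windows", [])
            if k in ("load", "run") and v]

def clean_system_ini(text):
    """Reset [boot] shell= to the stock value; every other line is kept."""
    out, in_boot = [], False
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("["):
            in_boot = s.lower() == "[boot]"
        if in_boot and s.lower().startswith("shell="):
            line = "shell=Explorer.exe"
        out.append(line)
    return "\n".join(out) + "\n"

def clean_win_ini(text, filename=DEFAULT_FILE):
    """Drop [windows] load=/run= lines that reference the trojan file."""
    out, in_win = [], False
    for line in text.splitlines():
        s = line.strip().lower()
        if s.startswith("["):
            in_win = s == "[windows]"
        if in_win and s.startswith(("load=", "run=")) and filename.lower() in s:
            continue
        out.append(line)
    return "\n".join(out) + "\n"

def check_registry(value_name=DEFAULT_REG_VALUE):
    """Windows only: list every value under the three Run keys, marking the default name.
    Returns None elsewhere so the .ini checks still run on a mounted image."""
    if sys.platform != "win32":
        return None
    import winreg
    hives = {"HKEY_LOCAL_MACHINE": winreg.HKEY_LOCAL_MACHINE,
             "HKEY_CURRENT_USER": winreg.HKEY_CURRENT_USER}
    hits = []
    for hive, path in REG_RUN_KEYS:
        try:
            with winreg.OpenKey(hives[hive], path) as key:
                i = 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(key, i)
                    except OSError:
                        break  # no more values
                    hits.append((hive + "\\" + path, name, data,
                                 name.lower() == value_name.lower()))
                    i += 1
        except OSError:
            continue  # key absent on this system
    return hits

# Constructed sample files showing the page's default infection (not captured data).
SAMPLE_SYSTEM_INI = "[boot]\nshell=Explorer.exe wincmp32.exe\n[386Enh]\ndevice=*vpowerd\n"
SAMPLE_WIN_INI = "[windows]\nload=c:\\windows\\wincmp32.exe\nrun=\n[Desktop]\nWallpaper=(None)\n"

if __name__ == "__main__":
    print("system.ini:", check_system_ini(SAMPLE_SYSTEM_INI))
    print("win.ini:", check_win_ini(SAMPLE_WIN_INI))
    print(clean_system_ini(SAMPLE_SYSTEM_INI) + clean_win_ini(SAMPLE_WIN_INI))
    print("registry:", check_registry())
```

Run it against the real files by reading c:\windows\system.ini and win.ini into the check functions instead of the samples; the cleaners return the corrected text rather than writing it, so the original can be backed up before anything is overwritten. The shell= reset and the file deletion in step 5 should only be done after the process is no longer running (step 4), or the server may rewrite its autostart entry.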