| Port No | 51966 |
| Service Name | CAFEINI |
| RFC Doc | 0 |
| Protocol | TCP |
| Description | This backdoor malware, written in Visual C++, disables Antivirus monitors. Similar to a Remote Access Tool, it uses a server program to infect a target computer and uses a client program to control the infected computer |
| Reference Link | CAFEINI |
| Attack | Solution: Click Start>Run then hit the Enter key. In the left panel, double click the registry keys as follows: HKEY_LOCAL_MACHINE>Software>Microsoft>Windows >CurrentVersion>Run Take note of the values that contains application files. (An application file has the filename extension of EXE. For example: RUNDLL32.EXE) In the left panel, double click the registry keys as follows: HKEY_LOCAL_MACHINE>Software>Microsoft>Windows >CurrentVersion>RunOnce Take note of the values that contains application files. (An application file has the filename extension of EXE. For example: RUNDLL32.EXE) In the left panel, double click the registry keys as follows: HKEY_LOCAL_MACHINE>Software>Microsoft>Windows >CurrentVersion>RunServices Take note of the values that contains application files. (An application file has the filename extension of EXE. For example: RUNDLL32.EXE) In the left panel, double click the registry keys as follows: HKEY_LOCAL_MACHINE>Software>Microsoft>Windows >CurrentVersion>RunServicesOnce. Take note of the values that contains application files. (An application file has the filename extension of EXE. For example: RUNDLL32.EXE) Locate the EXE files that you took note of. To do this, you may easily locate them by clicking on Start>Find. On Windows 9x, click Start>Search>“Files or Folders” then type the application filename of the file you noted down in the "Search for files and folders input box." When found, right click the file then choose properties. If the file is around 150 Kilobytes in size, delete it. Restore the deleted files from a clean backup and then delete all files with unusual filenames from your system. The unusual filenames may be, “gidybedu.exe” or “nelajaf.exe.” Scan your system with Trend Micro antivirus and delete all files detected as BKDR_CAFEINI.10. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other email users may use HouseCall, Trend Micro's free online virus scanner. |
Catch threats immediately
We work side-by-side with you to rapidly detect cyberthreats
and thwart attacks before they cause damage.