Event ID - 5873

Port No: 5873
Service Name: BackDoor-G22
RFC Doc: 0
Protocol: TCP
Description: This is the Win32 server side of a hacking tool; it gives a remote attacker access to an infected computer. It loads itself into memory whenever any EXE file is executed and at boot-up. It is a variant of the notorious SubSeven Trojan and gives the remote user system-administrator-level control of the host, compromising network security.
Reference Link: BackDoor-G22
Attack Details:

This Trojan is written in Borland Delphi and is UPX compressed. Upon execution, it creates a copy of itself as EXPLORER.EXE in the root directory of the infected system. It creates 15 other copies under random file names in the Windows System directory; one of these copies is placed in the C:\WINDOWS\SYSTEM\gexp subdirectory, which the Trojan creates. It then adds the following registry entries so that it executes at Windows start-up:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\RUNDLL32 = "C:\WINDOWS\SYSTEM\[Filename]"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\RUNDLL32 = "C:\WINDOWS\SYSTEM\[Filename]"
HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\[Filename]\StubPath = "C:\WINDOWS\SYSTEM\[Filename]"

The Trojan adds the following entry in the WIN.INI file:
run=C:\WINDOWS\SYSTEM\[Filename]

In the SYSTEM.INI file it adds the following entry:
shell=C:\WINDOWS\SYSTEM\[Filename]

[Filename] is one of the files that this Trojan dropped in the Windows System directory of the infected drive C:\.

The Trojan then loads itself into memory, waits for commands from the client side of the hacking tool, and afterwards deletes itself.
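The persistence points and drop locations listed above are all host artifacts that can be checked offline. The script below is an added example, not part of this page or of any vendor tooling: it parses a REGEDIT4-style registry export, the WIN.INI and SYSTEM.INI files, `netstat -an` output and a file list, and reports entries matching the indicators given in the attack details (Run/RunServices values named RUNDLL32 that launch a file from C:\WINDOWS\SYSTEM, an Active Setup component named after the file its StubPath runs, a WIN.INI run= or SYSTEM.INI shell= pointing into the system directory, a TCP listener on port 5873, EXPLORER.EXE in the root of C:, and anything under the gexp subdirectory). All sample inputs are constructed; the file name rnd1234.exe is a hypothetical stand-in for the page's random [Filename].

```python
import re

SYSTEM_DIR = r"C:\WINDOWS\SYSTEM"  # drop directory named on the page
BACKDOOR_PORT = 5873               # TCP port listed for BackDoor-G22
RUN_KEYS = (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
            r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices")
ACTIVE_SETUP = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components"

def in_system_dir(path):
    return path.upper().startswith(SYSTEM_DIR.upper() + "\\")

def parse_reg_export(text):
    """REGEDIT4 export -> {key: {value_name: string_data}} (string values only)."""
    keys, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current and "=" in line:
            name, _, data = line.partition("=")
            if data.startswith('"') and data.endswith('"'):
                keys[current][name.strip('"')] = data[1:-1].replace("\\\\", "\\")
    return keys

def parse_ini(text):
    """INI text -> {section: {key: value}}, section and key names lower-cased."""
    sections, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, {})
        elif current and "=" in line and not line.startswith(";"):
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections

def registry_indicators(reg):
    """RUNDLL32 values under Run/RunServices that launch a file from the system
    directory, and Active Setup components named after the file their StubPath runs."""
    hits = [f"{key}\\{name} = {data}" for key in RUN_KEYS
            for name, data in reg.get(key, {}).items()
            if name.upper() == "RUNDLL32" and in_system_dir(data)]
    for key, values in reg.items():
        component = key[len(ACTIVE_SETUP) + 1:] if key.startswith(ACTIVE_SETUP + "\\") else ""
        stub = values.get("StubPath", "")
        if component and in_system_dir(stub) and stub.upper().endswith("\\" + component.upper()):
            hits.append(f"{key}\\StubPath = {stub}")
    return hits

def ini_indicators(win_ini, system_ini):
    """WIN.INI run= into the system directory; SYSTEM.INI shell= other than Explorer.exe."""
    hits = []
    run = parse_ini(win_ini).get("windows", {}).get("run", "")
    if in_system_dir(run):
        hits.append(f"WIN.INI run={run}")
    shell = parse_ini(system_ini).get("boot", {}).get("shell", "")
    if shell and shell.lower() != "explorer.exe":
        hits.append(f"SYSTEM.INI shell={shell}")
    return hits

def netstat_indicators(lines):
    """TCP listeners on the BackDoor-G22 port in `netstat -an` output."""
    pat = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING", re.I)
    hits = []
    for line in lines:
        m = pat.match(line)
        if m and int(m.group(1)) == BACKDOOR_PORT:
            hits.append(line.strip())
    return hits

def file_indicators(paths):
    """EXPLORER.EXE in the root of C: and anything inside the gexp subdirectory."""
    gexp = SYSTEM_DIR.upper() + "\\GEXP\\"
    return [p for p in paths if p.upper() == r"C:\EXPLORER.EXE" or p.upper().startswith(gexp)]

def scan(reg_text, win_ini, system_ini, netstat_lines, paths):
    return {"registry": registry_indicators(parse_reg_export(reg_text)),
            "ini": ini_indicators(win_ini, system_ini),
            "netstat": netstat_indicators(netstat_lines),
            "files": file_indicators(paths)}

# Constructed sample inputs; rnd1234.exe is a hypothetical stand-in for [Filename].
SAMPLE_REG = r"""REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"RUNDLL32"="C:\\WINDOWS\\SYSTEM\\rnd1234.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"RUNDLL32"="C:\\WINDOWS\\SYSTEM\\rnd1234.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}]
"StubPath"="regsvr32.exe /s /n /i:U shell32.dll"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\rnd1234.exe]
"StubPath"="C:\\WINDOWS\\SYSTEM\\rnd1234.exe"
"""
SAMPLE_WIN_INI = "[windows]\nload=\nrun=C:\\WINDOWS\\SYSTEM\\rnd1234.exe\n[Desktop]\nWallpaper=(None)\n"
SAMPLE_SYSTEM_INI = "[boot]\nshell=C:\\WINDOWS\\SYSTEM\\rnd1234.exe\noemfonts.fon=vgaoem.fon\n"
SAMPLE_NETSTAT = ["  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING",
                  "  TCP    0.0.0.0:5873           0.0.0.0:0              LISTENING",
                  "  TCP    192.168.1.5:1031       192.168.1.9:139        ESTABLISHED"]
SAMPLE_FILES = [r"C:\EXPLORER.EXE", r"C:\WINDOWS\EXPLORER.EXE",
                r"C:\WINDOWS\SYSTEM\gexp\rnd5678.exe", r"C:\WINDOWS\SYSTEM\KERNEL32.DLL"]

if __name__ == "__main__":
    results = scan(SAMPLE_REG, SAMPLE_WIN_INI, SAMPLE_SYSTEM_INI, SAMPLE_NETSTAT, SAMPLE_FILES)
    for category, hits in results.items():
        for hit in hits:
            print(f"[{category}] {hit}")
```

On a live Windows 9x host the same functions would be fed by `regedit /e`, the INI files themselves, `netstat -an` and a directory walk. Two caveats: a RUNDLL32 value under Run or RunServices is unusual but not impossible on a clean machine, so treat a hit as something to inspect rather than proof of infection; and because the page says the original file deletes itself after going resident, the absence of a disk artifact does not rule out an active server, which is why the port-5873 listener check is included alongside the file and registry checks.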
