| Port No | 666 |
| Service Name | Attack FTP |
| RFC Doc | 0 |
| Protocol | TCP |
| Description | Attack FTP simply installs a custom version of Serv-u invisibly. The version we acquired is a self extracting zip. Once Attack FTP is ran it displays an error message. It also searches for Tree.dat, which is the old cute ftp password file. If it finds Tree.dat it copies it to result.dll in the windows directory. Anyone can log on to the infected computer with any FTP client on port 666. |
| Reference Link | Attack FTP Trojan |
| Attack | It autoloads the Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Key: Reminder and Win.ini: [windows] key: load=Wscan.exe It does the following : Full FTP access Removal : 1.Remove the Reminder key located in the registry at: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run. This can be done with regedit or any other registry editing program. 2. Change the load=Wscan.exe key under [Windows] to load= in the win.ini. Which can be done with any text editing program. 3. Reboot the computer or close the trojan. 4. Delete the trojan files WScan.exe and drwatsom.exe in the windows system directory. |
Catch threats immediately
We work side-by-side with you to rapidly detect cyberthreats
and thwart attacks before they cause damage.