BackGate Kit


Name: BackGate Kit
Aliases: Backdoor.NTHack, NT Hack, Unicode Rootkit
Ports: 69, 19216, 29292, 45092
Files: Archive.tar.gz - 1,214,436 bytes
Archive.tar - 1,392,640 bytes
Dl.exe - 5.120 bytes
Dl.1bat - 227 bytes
Dir.txt - 64 bytes
Install.bat -
Firedeamon.exe - 32,256 bytes
Ftpcmds.txt - 178 bytes
Login.txt - 344 bytes
Mmtask.exe - 282,624 bytes
Newgina.dll - 28,672 bytes
Reggina.exe - 24,576 bytes
Regit.exe - 70,211 bytes
Restrict.exe - 18,276 bytes
Restsec.exe - 28,432 bytes
Servustartuplog.txt - 537 bytes
Settings.reg - 35,981 bytes
Makeini.exe - 12,288 bytes
Sud.exe - 355,652 bytes
Sud.exe - 427,520 bytes
Sud.bak - 8,340 bytes
Sud.ini - 6,867 bytes
00.d -
01.d - 64 bytes
02.d - 32.256 bytes
03.d - 344 bytes
04.d - 282,624 bytes
05.d - 28,672 bytes
06.d - 24,576 bytes
07.d - 70,211 bytes
08.d - 18,276 bytes
09.d - 28,432 bytes
10.d - 35,981 bytes
11.d - 355,652 bytes
11.d - 427,520 bytes
12.d - 12,288 bytes
13.d - 6,867 bytes
14.d -
15.d -
543567.1tmp -
E.asp -
Created: Feb 2001
Requires:
Actions: Remote Access / Rootkit / Steals passwords / Downloading trojan / FTP proxy / HTTP proxy / Telnet proxy / SOCKs proxy / Winsock proxy / FTP server
Registers: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\os2srv\parameters
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\index\parameters
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\index\
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\eventlog\application\index
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\eventlog\application\mmtask
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\eventlog\application\os2srv
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\mmtask
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\os2srv
Notes: Works on Windows NT, together with MS Internet Information Server (IIS).
Country:
Program: Written in Visual Basic.

© Copyright von Braun Consultants. This information may include technical inaccuracies or typographical errors. If you have any questions or further information about the actual trojan above, please contact Joakim von Braun at <joakim.von.braun@risab.se>