Troj/Ciadoor-F is a backdoor Trojan.
The Trojan copies itself to the file services.exe in the Windows folder and creates the following registry entries:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Services Controller = "<Windows folder>\services.exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\Run Services\
Services Controller = "<Windows folder>\services.exe"
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run\
Services Controller = "<Windows folder>\services.exe"
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run Services\
Services Controller = "<Windows folder>\services.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Services Controller = "<Windows folder>\services.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\Run Services\
Services Controller = "<Windows folder>\services.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\
Services Controller = "<Windows folder>\services.exe"
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\
load = "<Windows folder>\services.exe"
Troj/Ciadoor-F listens on a preconfigured TCP port. A remote attacker may connect to this port in order to control the Trojan.
The Trojan advertises its presence by submitting information about the infected machine through a CGI script on a preconfigured web server.
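
The registry entries and file location listed above can be checked on a host with a short PowerShell script. This is an added example, not part of the original description; it assumes `<Windows folder>` resolves to `%windir%` and relies on the genuine Windows services.exe living in the System32 subfolder rather than directly in the Windows folder.

```powershell
# Added example: look for the autostart entries and dropped file described above.
# Assumption: "<Windows folder>" in the description is %windir%.
$dropped = Join-Path $env:windir 'services.exe'

# Keys in which the description lists a "Services Controller" value
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run Services',
    'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run',
    'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run Services',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run Services',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run'
)

# Build (key, value name) pairs, including the separate "load" value
$checks = foreach ($k in $runKeys) {
    [pscustomobject]@{ Key = $k; Name = 'Services Controller' }
}
$checks = @($checks) + [pscustomobject]@{
    Key  = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows'
    Name = 'load'
}

$findings = foreach ($c in $checks) {
    # Missing keys or values are expected on a clean host, so errors are suppressed
    $item = Get-ItemProperty -LiteralPath $c.Key -Name $c.Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { continue }

    $data = [string]$item.($c.Name)
    # Expand %vars% and strip quotes so the comparison is on the bare path
    $norm = [Environment]::ExpandEnvironmentVariables($data).Trim().Trim('"')
    [pscustomobject]@{
        Key                = $c.Key
        Value              = $c.Name
        Data               = $data
        MatchesDescription = ($norm -ieq $dropped)
    }
}

# A services.exe directly in the Windows folder is itself worth reporting
if (Test-Path -LiteralPath $dropped -PathType Leaf) {
    $hash = Get-FileHash -LiteralPath $dropped -Algorithm SHA256
    Write-Output "File present: $dropped SHA256=$($hash.Hash)"
}

$findings | Format-Table -AutoSize
```

Rows with `MatchesDescription` set to `True` point at the path the description names; a `load` value with other data shows as `False` and needs separate review.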