Sophos

Troj/Crater-A

Aliases
  • Backdoor.ServU-based

Summary

 
Protection available since 1 December 2003 11:55:18 (GMT)
Detected by All Sophos products

More Information

Troj/Crater-A is a backdoor Trojan that uses an FTP server program to provide unauthorised access to the computer from a remote network location.

When the Trojan is run it creates the folder
C:\<Windows folder>\system32\tcp%ip.[00021401-0000-0000-c000-000000000046] and drops the following files there:

agt0c1a.dll
agt0c1b.dll
agt0c1c.dll
c_951.nls
c_952.nls
clearlogs.exe
crc.exe
fport.exe
instsrv.exe
msdxm32.ocx
msidtc.dll
msiloader.dll
netlib.exe
netlib.ini
netlib.reg
regini.exe
service.exe
start.cmd

These files are utilities used by the Trojan, configuration files used by those utilities and an FTP server program.

Troj/Crater-A installs the FTP server, which allows a remote intruder to connect to the computer to upload and download files. The FTP server program creates numerous entries under the following registry key:

HKLM\SYSTEM\CurrentControlSet\Services\Netlib
