Sophos

Troj/Ciadoor-F

Aliases
  • Backdoor.Ciadoor.122.a
  • BackDoor-ASB
  • Backdoor.Ciadoor

Summary

 
Affected operating systems: Windows
Characteristics:
  • Installs itself in the registry
Included in our products from: December 2004 (3.88)
Protection available since: 8 November 2004 22:18:21 (GMT)
Detected by: All Sophos products

More Information

Troj/Ciadoor-F is a backdoor Trojan.

The Trojan copies itself to the file services.exe in the Windows folder and creates the following registry entries:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Services Controller = "<Windows folder>\services.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\Run Services\
Services Controller = "<Windows folder>\services.exe"

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run\
Services Controller = "<Windows folder>\services.exe"

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run Services\
Services Controller = "<Windows folder>\services.exe"

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Services Controller = "<Windows folder>\services.exe"

HKLM\Software\Microsoft\Windows\CurrentVersion\Run Services\
Services Controller = "<Windows folder>\services.exe"

HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\
Services Controller = "<Windows folder>\services.exe"

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\
load = "<Windows folder>\services.exe"
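A read-only check for the entries listed above, added here as an example and not taken from Sophos: it reports any "Services Controller" or "load" value found under those keys and whether its data points at services.exe directly in the Windows folder (the genuine Windows services.exe is in the System32 subfolder). It assumes that "<Windows folder>" corresponds to %SystemRoot%; the variable names are illustrative.

```powershell
# Added example (not Sophos code): inspect the autostart values named in this description.
# Assumption: "<Windows folder>" in the description is %SystemRoot%.
$winDir   = $env:SystemRoot
$expected = Join-Path $winDir 'services.exe'   # copy location given in the description

# Keys that the description lists with a "Services Controller" value
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run Services',
    'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run',
    'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run Services',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run Services',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run'
)

# Build (key, value name) pairs, including the separate "load" value
$targets  = @($runKeys | ForEach-Object {
    [pscustomobject]@{ Key = $_; Name = 'Services Controller' }
})
$targets += [pscustomobject]@{
    Key  = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows'
    Name = 'load'
}

$findings = foreach ($t in $targets) {
    if (-not (Test-Path -LiteralPath $t.Key)) { continue }        # key absent
    $props = Get-ItemProperty -LiteralPath $t.Key -ErrorAction SilentlyContinue
    if ($null -eq $props) { continue }
    $prop = $props.PSObject.Properties[$t.Name]
    if ($null -eq $prop) { continue }                              # value absent
    $data = ([string]$prop.Value).Trim('"', ' ')                   # drop surrounding quotes
    [pscustomobject]@{
        Key                = $t.Key
        Name               = $t.Name
        Data               = $data
        MatchesDescription = ($data -ieq $expected)
    }
}

$findings | Format-Table -AutoSize -Wrap

# A services.exe directly in the Windows folder is worth scanning; record its hash.
if (Test-Path -LiteralPath $expected -PathType Leaf) {
    Get-FileHash -LiteralPath $expected -Algorithm SHA256
}
```

The HKCU keys are read for the account running the script only, so repeat the check per user profile on shared machines.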

Troj/Ciadoor-F listens on a preconfigured TCP port. A remote attacker may connect to this port in order to control the Trojan.

The Trojan advertises its presence by submitting information about the infected machine through a CGI script on a preconfigured web server.
