Troj/Nettroj-A

Category: Viruses and SpywareProtection available since:31 Dec 2002 00:00:00 (GMT)
Type: TrojanLast Updated:31 Dec 2002 00:00:00 (GMT)
Prevalence: No Reports

Download Download our free Virus Removal Tool - Find and remove threats your antivirus missed

Troj/Nettroj-A is a configurable and extensible backdoor Trojan. Infected hosts form a decentralised network that can be controlled by a malicious user.

When first executed the Trojan modifies several registry entries and INI files to become resident on the system. In particular the registry run entries Run, RunServices, RunOnce, RunOnceEx and RunServicesOnce below HKLM\Software\Microsoft\Windows\CurrentVersion are modified to point to the Trojan binary as are the Run and RunServices entries below HKCU\Software\Microsoft\Windows\CurrentVersion. The Shell\Open\Command entries for the txtfile, exefile, comfile, batfile, piffile, htmlfile, giffile, jpegfile and the Word.Document subentries below HKCR are similarly modified.

The system files Autoexec.bat, win.ini, system.ini, wininit.ini and winstart.bat are modified to start the Trojan.

In addition, the files .bat and a batch file with a non-Ascii filename are created in the Windows folder.

Troj/Nettroj-A attempts to connect to a list of IRC servers and tries to join a configurable channel. This IRC channel serves as the central communication and control channel for the backdoor network.