Discovered: May 4, 2004
Updated: May 4, 2004 3:13:01 PM
Systems Affected: Windows 98, Windows 95, Windows XP, Windows Me, Windows NT, Windows 2000
Backdoor.Carool is a back door server program that allows unauthorized remote access to a compromised system. It also installs a keylogger and steals cached password files.
When the back door is installed, it creates the following files:
%System%\OTCXXH.EXE
%System%\zpvkkom.dll
%System%\fpxjjgd.dll
%System%\keussm.dll
%System%\bdphhwls.tmp
It then executes the OTCXXH.EXE file.
Next, the back door creates the following registry entry so that it executes whenever Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\otcx = %System%\otcxxh.exe
Next, the back door connects to a predetermined URL and uploads a keystroke log.
The back door listens for connections from the remote attacker on randomly chosen TCP ports.
The attacker can perform some of the following actions on the compromised host:
Log keystrokes
Steal PWL files
Open/close the CD-ROM drive
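As an added example, not part of the original write-up, the following Python script checks a registry export and a %System% directory listing for the file names and Run-key entry listed above; the helper names and the sample inputs (including the C:\WINDOWS\System32 path) are constructed for illustration.

```python
import re

# Indicators taken from the Backdoor.Carool write-up above.
CAROOL_FILES = {"otcxxh.exe", "zpvkkom.dll", "fpxjjgd.dll", "keussm.dll", "bdphhwls.tmp"}
CAROOL_RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
CAROOL_RUN_VALUE = "otcx"

def parse_reg_export(text: str) -> dict:
    """Parse the subset of .reg syntax needed here: [key] headers and "name"="data" lines."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = re.fullmatch(r'"([^"]+)"="(.*)"', line)
        if m and current is not None:
            # .reg exports double every backslash in string data; undo that.
            keys[current][m.group(1)] = m.group(2).replace("\\\\", "\\")
    return keys

def check_run_key(reg: dict) -> list:
    """Flag Run values matching the 'otcx' name or pointing at a Carool file name."""
    findings = []
    for key, values in reg.items():
        if key.lower() != CAROOL_RUN_KEY.lower():
            continue
        for name, data in values.items():
            basename = data.strip('"').rsplit("\\", 1)[-1].lower()
            if name.lower() == CAROOL_RUN_VALUE or basename in CAROOL_FILES:
                findings.append(f"Run value {name} -> {data}")
    return findings

def check_system_dir(listing: list) -> list:
    """Return the entries of a %System% directory listing that match Carool file names."""
    return sorted(f for f in listing if f.lower() in CAROOL_FILES)

# Constructed sample inputs (not from a real host); the System32 path is assumed.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE"
"otcx"="C:\\WINDOWS\\System32\\otcxxh.exe"
'''
SAMPLE_SYSTEM32 = ["kernel32.dll", "OTCXXH.EXE", "ZPVKKOM.DLL", "notepad.exe", "bdphhwls.tmp"]

if __name__ == "__main__":
    for hit in check_run_key(parse_reg_export(SAMPLE_REG)) + check_system_dir(SAMPLE_SYSTEM32):
        print("Indicator found:", hit)
```

On a live system the same checks can be fed the output of `reg export` for the Run key and a listing of the %System% directory.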