Backdoor.Carool

Discovered: May 04, 2004
Updated: May 04, 2004 3:13:01 PM
Systems Affected: Windows

Backdoor.Carool is a back door server program that allows unauthorized remote access to a compromised system. It also installs a keylogger and steals cached password files.

When the back door is installed, it creates the following files:
%System%\OTCXXH.EXE
%System%\zpvkkom.dll
%System%\fpxjjgd.dll
%System%\keussm.dll
%System%\bdphhwls.tmp

It then executes the OTCXXH.EXE file.

Next, the back door creates the following registry entry so that it executes whenever Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\otcx = %System%\otcxxh.exe
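The dropped files and the Run-key entry listed above are the host-side indicators a defender would sweep for. The following is an added example, not part of the original writeup: matching functions that can be fed a constructed inventory (as in the offline run) or, on Windows, a live read of the System32 directory and the HKLM Run key; the System32 path and the `winreg` collection are this example's assumptions, and the Run-key match also fires on any value whose command runs otcxxh.exe, not only the name `otcx`.

```python
from __future__ import annotations
import os
import platform

# Indicators from the Backdoor.Carool writeup; names compared case-insensitively
# because the page itself mixes OTCXXH.EXE and otcxxh.exe.
CAROOL_FILES = {"otcxxh.exe", "zpvkkom.dll", "fpxjjgd.dll", "keussm.dll", "bdphhwls.tmp"}
CAROOL_RUN_VALUE = "otcx"           # value name under HKLM\...\CurrentVersion\Run
CAROOL_RUN_TARGET = "otcxxh.exe"    # executable the Run entry points at


def match_files(system_dir_listing: list[str]) -> list[str]:
    """Return the Carool dropped-file names present in a %System% listing."""
    return sorted(n for n in system_dir_listing if n.lower() in CAROOL_FILES)


def match_run_entries(run_values: dict[str, str]) -> list[tuple[str, str]]:
    """Return Run-key (name, command) pairs matching the Carool persistence entry,
    either by the value name 'otcx' or by a command that runs otcxxh.exe."""
    return sorted((name, cmd) for name, cmd in run_values.items()
                  if name.lower() == CAROOL_RUN_VALUE or CAROOL_RUN_TARGET in cmd.lower())


def assess(system_dir_listing: list[str], run_values: dict[str, str]) -> dict:
    """Combine both checks into one verdict; either indicator alone is enough."""
    files = match_files(system_dir_listing)
    run = match_run_entries(run_values)
    return {"files": files, "run_entries": run, "infected": bool(files or run)}


def collect_windows_host() -> tuple[list[str], dict[str, str]]:
    """Live collection on a Windows host: System32 listing and HKLM Run values (assumed paths)."""
    import winreg  # Windows-only module, imported lazily
    system_dir = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "System32")
    run_values: dict[str, str] = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run") as key:
        for i in range(winreg.QueryInfoKey(key)[1]):   # [1] = number of values
            name, value, _ = winreg.EnumValue(key, i)
            run_values[name] = str(value)
    return os.listdir(system_dir), run_values


if __name__ == "__main__":
    if platform.system() == "Windows":
        listing, run_values = collect_windows_host()
    else:
        # Constructed sample inventory so the script also runs offline elsewhere.
        listing = ["kernel32.dll", "OTCXXH.EXE", "keussm.dll"]
        run_values = {"SecurityHealth": r"C:\Windows\System32\SecurityHealthSystray.exe",
                      "otcx": r"C:\WINDOWS\system32\otcxxh.exe"}
    print(assess(listing, run_values))
```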

Next, the back door connects to a predetermined URL and uploads the keystroke log.

The back door listens for connections from the remote attacker on a randomly chosen TCP port.

The attacker can perform the following actions, among others, on the compromised host:
Log key strokes
Steal PWL files
Open/close the CD-ROM drive