| Discovered: |
February 9, 2010 |
| Updated: |
February 10, 2010 10:01:17 AM |
| Type: |
Trojan |
| Systems Affected: |
Windows 98, Windows 95, Windows XP, Windows Me, Windows Vista, Windows NT, Windows Server 2003, Windows 2000 |
| Recommended Action: |
In order to remove Backdoor.Mulkerv you need to download the ‘No Adware’ remover software. Based on our testing this was the best performing remover of Backdoor.Mulkerv. Read our full No Adware Review
If your PC is also running slowly, you may be interested to look at our Regcure Review. Regcure is proven to improve the performance of your computer.
|

| Technical Details: |
|
It has been reported that this threat is installed as the following file:
%SystemDrive%\mmsvc.cpl
When the Trojan is executed, it creates one of the following services:
* NVMonSystem
* NPKClient
* ALGEvent
It then modifies the following registry entries:
* HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\"MaxHashTableSize" = "800"
* HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\"MaxUserPort" = "FFFE"
* HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\"TcpMaxConnectResponseRetransmissions" = "2"
* HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\"TcpTimedWaitDelay" = "1E"
* HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\"TCPFinWait2Delay" = "1E"
* HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\"TcpMaxPortsExhausted" = "5"
* HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\"TcpMaxHalfOpen" = "500"
* HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\"TcpMaxHalfOpenRetried" = "400"
* HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\"TcpMaxDataRetransmissions" = "A"
* HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\"KeepAliveTime" = "493E0"
* HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\"KeepAliveInterval" = "3E8"
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\"MaxConnectionsPer1_0Server" = "2"
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\"MaxConnectionsPerServer" = "2"
* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\"MaxConnectionsPer1_0Server" = "2"
* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\"MaxConnectionsPerServer" = "2"
It then attempts to open a back door by connecting to one of the following locations, allowing a remote attacker access to the compromised computer:
* [RANDOM CHARACTERS].55cn90001.selfip.com
* [RANDOM CHARACTERS].59cn80801.selfip.com
* [RANDOM CHARACTERS].59cn81811.selfip.com
* [RANDOM CHARACTERS].b59e40004.selfip.com
* [RANDOM CHARACTERS].59cn80001.selfip.com
* [RANDOM CHARACTERS].55cn90002.selfip.net
* [RANDOM CHARACTERS].59cn80802.selfip.net
* [RANDOM CHARACTERS].59cn81812.selfip.net
* [RANDOM CHARACTERS].b59e40005.selfip.net
* [RANDOM CHARACTERS].59cn80002.selfip.net
* [RANDOM CHARACTERS].59cn80803.homeip.net
* [RANDOM CHARACTERS].b59e40001.homeip.net
* [RANDOM CHARACTERS].59cn80003.homeip.net
* [RANDOM CHARACTERS].59cn81813.homeip.net
* [RANDOM CHARACTERS].b59e40002.homeftp.org
* [RANDOM CHARACTERS].b59e40003.homeftp.net
* [RANDOM CHARACTERS].59cn80804.gotdns.com
* [RANDOM CHARACTERS].59cn81814.gotdns.com
* [RANDOM CHARACTERS].59cn80004.gotdns.com
* [RANDOM CHARACTERS].59cn80805.blogdns.com
* [RANDOM CHARACTERS].59cn80005.blogdns.com
* [RANDOM CHARACTERS].59cn81815.blogdns.com
* 58.221.33.164
* 58.221.33.171
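The indicators above (dropped file, service names, registry data and back-door hosts) can be turned into a host-side check. The following Python is an added example written for this page, not code from the writeup or from any vendor tool. It assumes that the registry data the writeup prints are DWORDs written as hex strings (values such as "FFFE" and "493E0" cannot be decimal), that the random leading label of each back-door hostname is a single DNS label, and that the registry export, service list and resolver log it runs over are constructed sample data for a fictitious host, as marked in the comments.

```python
"""Offline matcher for the Backdoor.Mulkerv indicators listed in this writeup."""
import re

TCPIP = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"
INET_HKCU = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
INET_HKLM = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings"

DROPPED_FILE = r"%SystemDrive%\mmsvc.cpl"
SERVICE_NAMES = {"NVMonSystem", "NPKClient", "ALGEvent"}
C2_IPS = {"58.221.33.164", "58.221.33.171"}

# Value data exactly as the writeup prints it (assumed to be DWORDs shown in hex).
REGISTRY_IOCS = {
    TCPIP + r"\MaxHashTableSize": "800",
    TCPIP + r"\MaxUserPort": "FFFE",
    TCPIP + r"\TcpMaxConnectResponseRetransmissions": "2",
    TCPIP + r"\TcpTimedWaitDelay": "1E",
    TCPIP + r"\TCPFinWait2Delay": "1E",
    TCPIP + r"\TcpMaxPortsExhausted": "5",
    TCPIP + r"\TcpMaxHalfOpen": "500",
    TCPIP + r"\TcpMaxHalfOpenRetried": "400",
    TCPIP + r"\TcpMaxDataRetransmissions": "A",
    TCPIP + r"\KeepAliveTime": "493E0",
    TCPIP + r"\KeepAliveInterval": "3E8",
    INET_HKCU + r"\MaxConnectionsPer1_0Server": "2",
    INET_HKCU + r"\MaxConnectionsPerServer": "2",
    INET_HKLM + r"\MaxConnectionsPer1_0Server": "2",
    INET_HKLM + r"\MaxConnectionsPerServer": "2",
}

# Dynamic-DNS suffixes from the writeup; a random leading label precedes each.
C2_DOMAIN_SUFFIXES = [
    "55cn90001.selfip.com", "59cn80801.selfip.com", "59cn81811.selfip.com",
    "b59e40004.selfip.com", "59cn80001.selfip.com", "55cn90002.selfip.net",
    "59cn80802.selfip.net", "59cn81812.selfip.net", "b59e40005.selfip.net",
    "59cn80002.selfip.net", "59cn80803.homeip.net", "b59e40001.homeip.net",
    "59cn80003.homeip.net", "59cn81813.homeip.net", "b59e40002.homeftp.org",
    "b59e40003.homeftp.net", "59cn80804.gotdns.com", "59cn81814.gotdns.com",
    "59cn80004.gotdns.com", "59cn80805.blogdns.com", "59cn80005.blogdns.com",
    "59cn81815.blogdns.com",
]
# One arbitrary label, then one of the suffixes above (assumption: single label).
_C2_NAME_RE = re.compile(
    r"^[a-z0-9-]+\.(?:" + "|".join(re.escape(s) for s in C2_DOMAIN_SUFFIXES) + r")$",
    re.IGNORECASE)


def decode_dword(text):
    """Interpret value data printed as a hex string, e.g. 'FFFE' -> 65534."""
    return int(text, 16)


def is_dropped_file(path, system_drive="C:"):
    """True if a path equals the dropped file after expanding %SystemDrive%."""
    expected = DROPPED_FILE.replace("%SystemDrive%", system_drive)
    return path.lower() == expected.lower()


def is_c2_name(qname):
    """True if a DNS name has the form <random label>.<listed dyndns suffix>."""
    return bool(_C2_NAME_RE.match(qname.rstrip(".")))


def check_registry(snapshot):
    """snapshot maps full value paths to integer data as exported from a host.
    Returns the paths whose data equals the writeup's figure after hex decoding."""
    return sorted(path for path, data in snapshot.items()
                  if path in REGISTRY_IOCS and data == decode_dword(REGISTRY_IOCS[path]))


def check_services(installed):
    """Return the listed service names that exist in an installed-service list."""
    return sorted(SERVICE_NAMES & set(installed))


# Constructed resolver-log format: "<date> <time> <client> query <name> <answer>".
DNS_LOG_RE = re.compile(r"^\S+ \S+ (?P<src>\S+) query (?P<qname>\S+) (?P<rdata>\S+)$")


def scan_dns_log(lines):
    """Return (client, name, answer) for lines naming a back-door host or IP."""
    hits = []
    for line in lines:
        m = DNS_LOG_RE.match(line.strip())
        if m and (is_c2_name(m["qname"]) or m["rdata"] in C2_IPS):
            hits.append((m["src"], m["qname"], m["rdata"]))
    return hits


# Constructed sample data (not from the writeup) for a fictitious host 10.0.0.5.
SAMPLE_REGISTRY = {
    TCPIP + r"\MaxUserPort": 0xFFFE,
    TCPIP + r"\TcpTimedWaitDelay": 30,
    TCPIP + r"\MaxHashTableSize": 512,          # hex 200, not the writeup's 800
    INET_HKCU + r"\MaxConnectionsPerServer": 2,
}
SAMPLE_SERVICES = ["Spooler", "NPKClient", "W32Time"]
SAMPLE_DNS_LOG = [
    "2010-02-10 10:01:17 10.0.0.5 query kq7zx.59cn80801.selfip.com 58.221.33.164",
    "2010-02-10 10:01:18 10.0.0.5 query www.example.com 198.51.100.10",
    "2010-02-10 10:01:19 10.0.0.7 query selfip.com 203.0.113.9",
    "2010-02-10 10:01:20 10.0.0.5 query update.example.net 58.221.33.171",
]

if __name__ == "__main__":
    print("registry:", check_registry(SAMPLE_REGISTRY))
    print("services:", check_services(SAMPLE_SERVICES))
    print("dns:", scan_dns_log(SAMPLE_DNS_LOG))
```

The registry comparison decodes the writeup's hex strings before matching, so a host export that already holds integers (as a `reg query` or WMI dump does once parsed) compares correctly; a data value that differs from the listed figure, like the sample's MaxHashTableSize, is not reported. The DNS check flags a query either by its name shape or by an answer in the listed IP range, which catches a lookup of an unlisted name that still resolves to one of the two addresses.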
|
| Action Steps: |
FREE SCAN: NoAdware can Remove Backdoor.Mulkerv. Click the link below for your free download & scan your PC now.

Please click here for manual removal instructions.
|
Posted on Thursday, February 18th, 2010 at 7:46 am - filed under Blog, Trojan.