11/23: BackDoor-CLK Trojan Copies Itself

November 23, 2004

BackDoor-CLK is a backdoor Trojan that, when executed, copies itself to the %Sysdir% folder as CSMSS.EXE (e.g. C:\Winnt\System32\CSMSS.EXE).

The following registry key is updated so that the file runs after every restart:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "spoolsvr32"= C:\Winnt\system32\CSMSS.EXE

A DLL file (WINACPI.DLL), which is a BHO (Browser Helper Object), is dropped into the %SYSDIR% folder, and this DLL component is injected into the memory space of Explorer.exe. The following registry key is created so that the DLL is loaded at every startup:

HKEY_CLASSES_ROOT\CLSID\{5E2121EE-0300-11D4-8D3B-444553540000}\ "InprocServer32"= C:\winnt\System32\winacpi.dll

This Trojan attempts to terminate the processes of security programs with certain filenames. View them and other information at the McAfee page.
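A defender can check a registry export for the persistence entries listed above. The following is an added example, not part of the original advisory or any vendor tool: it parses `.reg` export text and flags the Run value, the CLSID and references to the two dropped file names. The function names and the sample export are constructed for illustration, and the CLSID is matched anywhere in the key path on the assumption that `InprocServer32` may appear as a subkey.

```python
import re

# Indicators from the advisory text; all comparisons are case-insensitive.
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
RUN_VALUE = "spoolsvr32"
BHO_CLSID = "{5e2121ee-0300-11d4-8d3b-444553540000}"
DROPPED_FILES = ("csmss.exe", "winacpi.dll")

# Constructed sample export for illustration (not captured from a real host).
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"spoolsvr32"="C:\\Winnt\\system32\\CSMSS.EXE"
"ctfmon"="C:\\Winnt\\system32\\ctfmon.exe"

[HKEY_CLASSES_ROOT\CLSID\{5E2121EE-0300-11D4-8D3B-444553540000}\InprocServer32]
@="C:\\winnt\\System32\\winacpi.dll"
'''

VALUE_RE = re.compile(r'^(?:@|"(?P<name>(?:[^"\\]|\\.)*)")=(?P<data>.*)$')


def parse_reg(text):
    """Yield (key, value_name, data) for each value line in .reg export text."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        m = VALUE_RE.match(line)
        if key and m:
            data = m.group("data")
            if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                data = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
            yield key, m.group("name") or "(Default)", data


def find_indicators(text):
    """Return a list of (reason, key, value_name, data) hits."""
    hits = []
    for key, name, data in parse_reg(text):
        k, n, d = key.lower(), name.lower(), data.lower()
        if k == RUN_KEY and n == RUN_VALUE:
            hits.append(("run-value", key, name, data))
        elif BHO_CLSID in k:
            hits.append(("bho-clsid", key, name, data))
        elif d.rsplit("\\", 1)[-1] in DROPPED_FILES:
            hits.append(("dropped-file-reference", key, name, data))
    return hits
```

Files written by `reg export` are UTF-16, so read them with `open(path, encoding="utf-16")` before passing the text to `find_indicators`.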
