11/23: BackDoor-CLK Trojan Copies Itself

November 23, 2004

BackDoor-CLK is a backdoor Trojan that, when executed, copies itself to the %Sysdir% folder as CSMSS.EXE, e.g. C:\Winnt\System32\CSMSS.EXE

The following registry key is updated so that the file runs after every restart:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "spoolsvr32"= C:\Winnt\system32\CSMSS.EXE

A DLL file (WINACPI.DLL), which is a BHO (Browser Helper Object), is dropped into the %SYSDIR% folder, and this DLL component is injected into the memory space of Explorer.exe. The following registry key is created so that the DLL is loaded at every startup:

HKEY_CLASSES_ROOT\CLSID\{5E2121EE-0300-11D4-8D3B-444553540000}\ "InprocServer32"= C:\winnt\System32\winacpi.dll

This Trojan attempts to terminate the processes of security programs with certain filenames. View them and other information at the McAfee page.
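
A way to check a host for the two registry indicators listed above, given here as an added example and not part of the original advisory: the script scans the text of a registry export (.reg format) for the "spoolsvr32" Run value and the BHO CLSID. The function names and the sample export are constructed for illustration, and the CLSID entry is matched both as written above and as an InprocServer32 subkey default value, which is an assumption about how the key appears in an export.

```python
import re

# Indicators taken from the advisory text above.
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
RUN_VALUE, RUN_FILE = "spoolsvr32", "csmss.exe"
BHO_CLSID, BHO_FILE = "{5e2121ee-0300-11d4-8d3b-444553540000}", "winacpi.dll"

def parse_reg(text):
    """Yield (key, value_name, data) for string values in .reg text ('@' = default)."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = re.match(r'^(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$', line)
        if m and key:
            data = re.sub(r"\\(.)", r"\1", m.group(2))  # undo \\ and \" escaping
            yield key, m.group(1).strip('"'), data

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def find_indicators(text):
    hits = []
    for key, name, data in parse_reg(text):
        k = key.lower().rstrip("\\")
        if k == RUN_KEY and name.lower() == RUN_VALUE and basename(data) == RUN_FILE:
            hits.append(("run-key", key, data))
        # HKCR merges HKLM and HKCU \Software\Classes, so match on the key suffix.
        as_value = k.endswith("\\clsid\\" + BHO_CLSID) and name.lower() == "inprocserver32"
        as_subkey = k.endswith("\\clsid\\" + BHO_CLSID + "\\inprocserver32") and name == "@"
        if (as_value or as_subkey) and basename(data) == BHO_FILE:
            hits.append(("bho-clsid", key, data))
    return hits

# Constructed sample export (not from a real host): two hits and one benign entry.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"spoolsvr32"="C:\\Winnt\\system32\\CSMSS.EXE"
"ctfmon"="C:\\Winnt\\system32\\ctfmon.exe"

[HKEY_CLASSES_ROOT\CLSID\{5E2121EE-0300-11D4-8D3B-444553540000}\InprocServer32]
@="C:\\winnt\\System32\\winacpi.dll"
'''

if __name__ == "__main__":
    print(find_indicators(SAMPLE))
```

Exports written by the Windows registry editor are usually UTF-16 encoded, so decode the file accordingly before passing its text to find_indicators.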
