Trojan-Spy.Win32.RemoteSniffer.031
From Total Malware Info
It is a backdoor used to sniff a network remotely. The program is a PE EXE file compiled with Borland Delphi. The file is 487 936 bytes in size and is not packed.
Installation
The backdoor has to be installed locally. After installation it registers its file in the system registry so that the file is launched each time Windows is rebooted on the victim machine:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run] "Packet"="%System%\Packet16.exe"
The WinPcap library must be installed on the victim machine for the network sniffing to work. WinPcap is a packet capture library written for Win32 programmers.
Payload
The sniffer listens on port 9090 for remote administration. After infection the attacker is able to sniff the remote network through a login screen.
Remote settings that can be used:
- Turn on/off hex view
- Add/delete/clear IP lists being sniffed
- Add/delete/clear ports being sniffed
- Add/delete/clear strings being watched
Sniffer commands:
- Start/stop/restart/remove server
- Change the server port
Removal instructions
- Using Task Manager, terminate the trojan process Packet16.exe.
- Delete the following registry value:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run] "Packet"="%System%\Packet16.exe"
- Delete the executable file:
"%System%\Packet16.exe"
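As an added example (not part of the original entry), the following Python script checks a registry export, tasklist output and netstat output for the three indicators this description gives: the "Packet" Run value pointing at Packet16.exe, a running Packet16.exe process, and a TCP listener on port 9090. The sample inputs are constructed, and the function names are my own.

```python
import re

# Indicators taken from the description above: Run value name, dropped file, control port.
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "Packet"
DROPPED_FILE = "packet16.exe"
CONTROL_PORT = 9090

def check_run_key(reg_export: str) -> bool:
    """True if a .reg export carries the persistence value under the HKLM Run key."""
    current_key = None
    for raw in reg_export.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
        elif current_key and current_key.lower() == RUN_KEY.lower():
            m = re.match(r'"([^"]+)"="(.*)"$', line)
            if m and m.group(1) == RUN_VALUE_NAME and m.group(2).lower().endswith(DROPPED_FILE):
                return True
    return False

def check_process(tasklist_output: str) -> bool:
    """True if the trojan's image name appears in `tasklist` output."""
    return any(l.lower().startswith(DROPPED_FILE) for l in tasklist_output.splitlines())

def check_listener(netstat_output: str) -> bool:
    """True if a TCP socket is LISTENING on the remote-administration port."""
    for line in netstat_output.splitlines():
        p = line.split()
        if len(p) >= 4 and p[0] == "TCP" and p[3] == "LISTENING":
            if p[1].rsplit(":", 1)[-1] == str(CONTROL_PORT):
                return True
    return False

# Constructed sample inputs (not real captures) in the formats reg.exe, tasklist and netstat -ano emit.
REG_SAMPLE = r'''[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Packet"="C:\\WINDOWS\\system32\\Packet16.exe"
'''
TASKLIST_SAMPLE = """Image Name                     PID Session Name        Session#    Mem Usage
explorer.exe                  1204 Console                    1     23,404 K
Packet16.exe                  1532 Console                    1      5,120 K
"""
NETSTAT_SAMPLE = """  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  TCP    0.0.0.0:9090           0.0.0.0:0              LISTENING       1532
"""
```

Any of the three checks returning True on a host warrants following the removal instructions above; the port check alone is weak evidence, since other software may use 9090.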