RealTime IT News

Virus Alert: Trojan Allows Unauthorized Remote Access

Antivirus vendor Sophos on Monday reported a backdoor Trojan that allows unauthorized remote access to the computer over a network.

Troj/Migmaf-A is a backdoor Trojan that allows unauthorized remote access to the computer over a network. The Trojan adds an entry to the registry at:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

to run itself on system restart. Troj/Migmaf-A may act as a reverse proxy Web server on the victim's computer. This would allow a remote user to host undesirable Web sites via the victim's computer without being traced and shut down. Instructions for removing Trojans are at this Sophos page.

Worm Targets Network Shares with Weak Passwords

W32/Mofei-B is a worm that may attempt to spread to ADMIN$ and IPC$ network shares with weak passwords. The worm also has a backdoor Trojan component which runs in the background as a service process and allows unauthorized remote access to the computer over a network.

The worm has three main components: an EXE dropper, a DLL plugin (LASVR32.DLL) and another EXE (NAPW32.EXE). W32/Mofei-B has system-specific behavior. Under Windows NT/2000/XP the worm moves itself to the Windows system32 folder as LASVR32.EXE, then drops and invokes the DLL plugin LASVR32.DLL, which contains the backdoor functionality.

The worm runs itself on system restart by masquerading as the Smart Card Helper service and by creating a registry entry. View that and other information at this Sophos page.
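
For administrators who want to check a host for the artifacts named in these two alerts, the following PowerShell triage script is an added example and is not from Sophos or the original article. It uses only the file names, Run key and service display name given above; looking for NAPW32.EXE in system32 and also reading the HKLM Run key are assumptions, and the script assumes PowerShell 3.0 or later for `Get-CimInstance`.

```powershell
# Added triage example; not from Sophos or the article.
# File names, the Run key and the service display name come from the alerts above.
$sys32     = Join-Path $env:SystemRoot 'System32'
$fileNames = 'LASVR32.EXE', 'LASVR32.DLL', 'NAPW32.EXE'

function Test-AlertFileName {
    param([string]$Text)
    # True when a path or command line mentions one of the file names from the alert.
    if (-not $Text) { return $false }
    foreach ($n in $fileNames) {
        if ($Text.ToUpperInvariant().Contains($n)) { return $true }
    }
    return $false
}

# 1. Dropped files. The alert places LASVR32.EXE and LASVR32.DLL in system32;
#    looking for NAPW32.EXE in the same folder is an assumption.
$files = foreach ($n in $fileNames) {
    $p = Join-Path $sys32 $n
    if (Test-Path -LiteralPath $p) {
        Get-Item -LiteralPath $p -Force | Select-Object FullName, Length, CreationTimeUtc
    }
}

# 2. Run-key persistence. HKCU is the key named for Troj/Migmaf-A; HKLM is an added assumption.
#    The alerts give no value name, so every entry is listed for review.
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = foreach ($k in $runKeys) {
    $key = Get-Item -LiteralPath $k -ErrorAction SilentlyContinue
    if ($key) {
        foreach ($name in $key.GetValueNames()) {
            $cmd = [string]$key.GetValue($name)
            [pscustomobject]@{ Key = $k; Name = $name; Command = $cmd
                               AlertName = (Test-AlertFileName $cmd) }
        }
    }
}

# 3. Services using the "Smart Card Helper" display name or pointing at an alert file name.
#    The display name alone is not conclusive; compare PathName with a known-good host.
$services = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.DisplayName -eq 'Smart Card Helper' -or (Test-AlertFileName $_.PathName) } |
    Select-Object Name, DisplayName, PathName, State, StartMode

# Emit one object so the result can be piped to Format-List or ConvertTo-Json.
[pscustomobject]@{ Files = @($files); RunEntries = @($run); Services = @($services) }
```

An empty `Files` list with no `AlertName` matches does not clear a host of Troj/Migmaf-A, since the alert names no file or registry value for it; the Run entries still need manual review.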

Compiled by Esther Shein