How to delete Backdoor.Cabro - Removal tool, fix instructions

Name: Backdoor.Cabro

Aliases: Troj/Cabrotor, BackDoor-WO, Cabtoror, Backdoor.Cabrotor

Type: Trojan

Size: -

First appeared on: 20.08.2002

Damage: Medium

Brief Description:
Backdoor.Cabro is a backdoor trojan program (a hidden remote-control trojan). The trojan itself is a Windows PE EXE file written in Delphi.

The original trojan package contains three main executable files:

  • CaBrONaToR.exe - client to send commands to remote server
  • CaBrONeDiT.exe - server editor to modify default server settings
  • 8======D.exe - server (trojan itself)

When run, the backdoor copies itself to the Windows directory and registers itself in the auto-run section of the system registry. The backdoor EXE name and registry keys differ between backdoor versions. The known variant has:

EXE name:

ASDAPI.EXE
The registry key entries it makes are:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

Key name:

LoadPowerProfile

The trojan then opens a connection to its master's IRC channel and waits for its master's commands.

Visible Symptoms:

The backdoor program performs the following commands:

  • reports computer info (Windows version, CPU type, UserName, CompanyName, etc.)
  • opens/closes the CD drive
  • reports directories and the file names in them
  • runs a local file or executes a command
  • sends information: RAS, MS Messenger and .NET services
  • exits Windows
  • downloads a requested file
  • performs a DoS attack against a requested victim address
  • terminates itself

Technical description:

This remote access trojan is multicomponent in nature, consisting of client, configuration and server components. Once the server component is executed on the victim machine, the hacker is able to connect to that machine using the client component. The configuration component enables the hacker to create servers with differing settings.

Multiple versions of this trojan are detected under this name.

The following description is general; exact filenames, Registry key names, port numbers etc. may vary. Interestingly, the server can update itself by checking its version number against the one stored at a remote URL and downloading the later server version if applicable.

The server component (typically UPXed) installs itself in the following manner, when executed on the victim machine:

  • the following Registry key is created:
    HKEY_CURRENT_USER\Software\Microsoft\FastTruck
    (various configuration settings are stored under this key)
  • the server checks for the latest update of this trojan, if necessary downloading and executing the latest version.
  • the server (or the newer downloaded server) then copies itself to C:\MSWSIGX.DLL and %WINDIR%\ASDAPI.EXE
  • system startup is hooked by modifying the following Registry keys:
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    "LoadPowerProfile" = %WINDIR%\ASDAPI.EXE

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
    "LoadPowerProfile" = %WINDIR%\ASDAPI.EXE

    Note that a value named LoadPowerProfile exists legitimately under both keys on Windows 9x/ME (its data is Rundll32.exe powrprof.dll,LoadCurrentPwrScheme), which is why the trojan chose that name. It is the value data pointing to ASDAPI.EXE, not the value name, that identifies the infection.

  • ports 7721 and 7724 are opened on the victim machine.

Servers contain the string CaBrONaToRs (the file must be unpacked first to see it).
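Because no removal tool is listed for this trojan, the indicators above are what a practitioner has to work with. The PowerShell script below is an added example written for this page, not a tool from the original description or from any antivirus vendor. It assumes the file names, registry keys, value name and ports of the variant documented above (other versions vary, so a clean result does not rule out a different build), reports findings only by default, and removes what it confirms when run with the -Remove switch; the switch and variable names are the example's own.

```powershell
# Added example: report-only check for the Backdoor.Cabro indicators documented above.
# Run from an elevated PowerShell prompt; pass -Remove to delete confirmed items.
param([switch]$Remove)

$winDir  = $env:WINDIR
$exe     = Join-Path $winDir 'ASDAPI.EXE'
$dll     = 'C:\MSWSIGX.DLL'
$cfgKey  = 'HKCU:\Software\Microsoft\FastTruck'
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices'  # exists on Windows 9x/ME only
)
$findings = @()

# 1. Persistence. "LoadPowerProfile" is also a legitimate Windows 9x/ME value
#    (Rundll32.exe powrprof.dll,LoadCurrentPwrScheme), so the value DATA is what
#    matters: only a value that launches ASDAPI.EXE is the trojan.
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $val = (Get-ItemProperty -Path $key -Name 'LoadPowerProfile' -ErrorAction SilentlyContinue).LoadPowerProfile
    if ($val -and $val -match 'ASDAPI\.EXE') {
        $findings += "Autorun: $key\LoadPowerProfile = $val"
        if ($Remove) { Remove-ItemProperty -Path $key -Name 'LoadPowerProfile' }
    }
}

# 2. Configuration key created by the server component.
if (Test-Path $cfgKey) {
    $findings += "Config key present: $cfgKey"
    if ($Remove) { Remove-Item -Path $cfgKey -Recurse }
}

# 3. Dropped files. The CaBrONaToRs marker is only visible in an unpacked sample,
#    so a UPX-packed file is reported on its path alone.
foreach ($f in @($exe, $dll)) {
    if (-not (Test-Path $f)) { continue }
    $text = [System.Text.Encoding]::ASCII.GetString([System.IO.File]::ReadAllBytes($f))
    $mark = 'no marker visible (packed, or a different variant)'
    if ($text.Contains('CaBrONaToRs')) { $mark = 'marker string found' }
    elseif ($text.Contains('UPX'))    { $mark = 'UPX-packed, marker hidden until unpacked' }
    $findings += "File: $f ($mark)"
    if ($Remove) {
        # A running server keeps its image file locked; stop it before deleting.
        Get-Process | Where-Object { $_.Path -eq $f } |
            Stop-Process -Force -ErrorAction SilentlyContinue
        Remove-Item -Path $f -Force
    }
}

# 4. Listeners on the documented ports (Get-NetTCPConnection needs Windows 8 / Server 2012 or later).
if (Get-Command Get-NetTCPConnection -ErrorAction SilentlyContinue) {
    $listeners = Get-NetTCPConnection -State Listen |
                 Where-Object { $_.LocalPort -in @(7721, 7724) }
    foreach ($c in $listeners) {
        $proc = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
        $findings += "Listener on TCP $($c.LocalPort): PID $($c.OwningProcess) ($($proc.Path))"
    }
}

if ($findings.Count -eq 0) { 'No Backdoor.Cabro indicators found.' } else { $findings }
```

On NT-based Windows the RunServices key does not exist, so only the Run key is checked there; the port check is skipped on systems without the NetTCPIP module. After a removal, reboot and run the script again, since the server can re-download a newer copy of itself if it is still running when its files are deleted.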

The client component (see figure below) enables the hacker to connect to the victim machine and perform various operations. A small number of its functions are listed below:

  • retrieve system information
  • upload, download, view, execute files
  • retrieve screenshot
  • shutdown machine
  • retrieve RAS, hotmail passwords
  • issue a DOS command

The configuration component enables the hacker to create new servers, modifying settings for IRC notification, email notification, server name etc.

Propagation:

Backdoor.Cabro does not use any specific means to spread. It can reach computers through any of the means normally used by viruses: CD-ROMs, e-mail messages with infected attachments, Internet downloads, FTP, etc.

Removal tool and instruction:
Not available.