Aliases: Troj/Cabrotor, BackDoor-WO, Cabtoror, Backdoor.Cabrotor
First appeared on: 20.08.2002
Backdoor.Cabro is a backdoor trojan program (a hidden remote control trojan). The trojan itself is a Windows PE EXE file written in Delphi.
The original trojan package contains three main executable files:
- CaBrONaToR.exe - client to send commands to remote server
- CaBrONeDiT.exe - server editor to modify default server settings
- 8======D.exe - server (trojan itself)
When run, the backdoor copies itself to the Windows directory and registers itself in the auto-run section of the system registry. The backdoor EXE name and registry keys differ between backdoor versions. The known variant has:
The registry key entries it makes are:
- HKLM\Software\Microsoft\Windows\CurrentVersion\Run
- HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
The trojan then opens a connection to its master's IRC channel and waits for its master's commands.
The backdoor program performs the following commands:
- reports computer info (Windows version, CPU type, UserName, CompanyName, etc.)
- opens/closes the CD drive
- lists directories and the file names in them
- runs a local file or executes a command
- sends information about RAS, MS Messenger and .NET services
- exits Windows
- downloads a requested file
- performs a DoS attack against a requested victim address
- terminates itself
This remote access trojan is multicomponent in nature, consisting of client, configuration and server components. Once the server component is executed on the victim machine, the hacker is able to connect to that machine using the client component. The configuration component enables the hacker to create servers, with differing settings.
Multiple versions of this trojan are detected under this name.
The following description is general - exact filenames/Registry key names/port numbers etc. may vary. Interestingly, the server has the capability of updating itself via checking its version number against that stored at a remote URL, downloading the later server version if applicable.
The server component (typically UPXed) installs itself in the following manner, when executed on the victim machine:
Servers contain the string: CaBrONaToRs (requires file to be unpacked).
The client component (see figure below) enables the hacker to connect to the victim machine, and perform various operations. A small number of functions are listed below:
- retrieve system information
- upload, download, view, execute files
- retrieve screenshot
- shutdown machine
- retrieve RAS, Hotmail passwords
- issue DOS command
The configuration component enables the hacker to create new servers, modifying settings for IRC notification, email notification, server name etc.
Backdoor.Cabro does not use any specific means to spread. It can reach computers through any of the means normally used by viruses: CD-ROMs, e-mail messages with infected attachments, Internet downloads, FTP, etc.
Removal tool and instructions: