DeepThroat backdoor for Windows

backdoor-deepthroat (2290) The risk level is classified as High Risk

Description:

The DeepThroat backdoor is one of many backdoor programs that attackers can use to access your computer system without your knowledge or consent. With the DeepThroat backdoor, an attacker can do the following:

  • access files and the system registry
  • execute programs
  • open a Web browser to a URL
  • open and close your CD-ROM drive
  • start and stop an FTP server on your computer
  • send messages that appear on your screen
  • retrieve cached passwords

Consequences:

Gain Access

Remedy:

To remove the DeepThroat backdoor from your computer:

CAUTION: Use Registry Editor at your own risk. Any change using Registry Editor may cause severe and irreparable damage and may require you to reinstall your operating system. Internet Security Systems cannot guarantee that problems caused by the use of Registry Editor can be solved.

  1. Using Regedit, find the HKLM\Software\Microsoft\Windows\CurrentVersion\Run registry key.
  2. Identify the DeepThroat registry entry. The entry could have one of two names:
    • SystemDLL32 (for DeepThroat version 1.0)
    • Systemtray (for DeepThroat version 2.0 or 3.0)
  3. Stop the DeepThroat program from running. This process is different based on the version of Windows you are running.
    • Windows 95/98: Restart the computer in MS-DOS mode. Proceed to step 4.
    • Windows NT: Press CTRL+ALT+DEL, then click the Task Manager button to start the NT Task Manager. Click the Processes tab, and search the list for the file you identified in step 2. Select the file, and click End Process.
  4. Delete the DeepThroat program file that you identified in step 2.
    • Windows 95/98: From the DOS command prompt, delete the file from the path named in the registry value.
    • Windows NT: Delete the file from the path named in the registry value.
  5. Using Regedit, delete the registry entry you identified in step 2.
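Steps 1 and 2 can also be checked offline against an exported copy of the registry. The following is an added example, not part of the original advisory: it assumes the Run key was exported with Regedit to a REGEDIT4 text file, and the function name, sample entries and paths are constructed for illustration.

```python
import re

RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
# Value names from step 2 of the advisory, mapped to the versions it lists.
SUSPECT_NAMES = {"systemdll32": "1.0", "systemtray": "2.0 or 3.0"}

# One string value line of a REGEDIT4 export: "name"="data"
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"\s*$')

def unescape(s):
    # .reg exports escape backslash and double quote with a backslash.
    return re.sub(r"\\(.)", r"\1", s)

def find_deepthroat_entries(reg_text):
    """Return (value_name, version, path) for suspect values under the Run key."""
    hits, in_run_key = [], False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            # Key paths are case-insensitive; match the Run key only,
            # not sibling keys such as RunOnce.
            in_run_key = line[1:-1].lower() == RUN_KEY.lower()
            continue
        m = VALUE_RE.match(line) if in_run_key else None
        if m:
            name, data = unescape(m.group(1)), unescape(m.group(2))
            version = SUSPECT_NAMES.get(name.lower())
            if version:
                hits.append((name, version, data))
    return hits

# Constructed sample export (not taken from a real system).
SAMPLE = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ExampleApp"="C:\\Program Files\\Example\\example.exe"
"SystemDLL32"="C:\\EXAMPLE\\placeholder1.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Systemtray"="C:\\EXAMPLE\\placeholder2.exe"
'''

if __name__ == "__main__":
    for name, version, path in find_deepthroat_entries(SAMPLE):
        print(f"{name} (DeepThroat {version}): inspect, then remove {path}")
```

A name match is a lead, not proof: value names are compared case-insensitively, so inspect the file at the reported path before deleting it in step 4.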

Platforms Affected:

  • Microsoft Windows 95
  • Microsoft Windows 98
  • Microsoft Windows NT 4.0

Reported:

Not available

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net