Chupacabra backdoor for Windows

backdoor-chupacabra (5304) The risk level is classified as High Risk

Description:

The Chupacabra backdoor is one of many backdoor programs for Windows 95 and Windows 98 that attackers can use to access your computer system without your knowledge or consent. With the Chupacabra backdoor, an attacker can do the following:

  • retrieve system and user information
  • delete files
  • shut down and restart the system

Consequences:

Gain Access

Remedy:

To remove the Chupacabra backdoor from your computer:

CAUTION: Use Registry Editor at your own risk. Any change using Registry Editor may cause severe and irreparable damage and may require you to reinstall your operating system. Internet Security Systems cannot guarantee that problems caused by the use of Registry Editor can be solved.

  1. Restart the computer in MS-DOS mode.
  2. Delete the file C:\Windows\System\winprot.exe.
  3. Restart the computer to Windows. Error messages will appear as the system attempts to execute the deleted winprot.exe binary.
  4. In Windows, open C:\WINDOWS\WIN.INI and remove all instances of winprot.exe. These will most likely be found under the "[windows]" section on lines beginning with load= and run=.
  5. Using Regedit, find each of the following registry keys, and then find and delete the registry entry named System Protect that has a value of winprot.exe:
    • HKEY_USERS\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\
    • HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
    • HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
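
A scripted version of the checks in steps 4 and 5, as an added example that is not part of the original advisory or any ISS tool. It takes the text of WIN.INI and of a Registry Editor export in REGEDIT4 format, removes winprot.exe from load= and run= lines in [windows] while keeping other programs, and lists Run and RunServices values that launch it. The function names and sample inputs are constructed for illustration.

```python
import re

TARGET = "winprot.exe"  # file name given in the advisory
RUN_KEYS = ("\\currentversion\\run", "\\currentversion\\runservices")

def _is_target(path):
    # Compare only the file name, so full paths match but "xwinprot.exe" does not
    return path.strip('"').replace("\\\\", "\\").lower().rsplit("\\", 1)[-1] == TARGET

def clean_win_ini(text):
    """Return (cleaned_text, changed_lines) for load=/run= in [windows]."""
    out, hits, section = [], [], ""
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            section = s[1:-1].lower()
        key, sep, value = s.partition("=")
        if section == "windows" and sep and key.strip().lower() in ("load", "run"):
            progs = [p for p in re.split(r"[ ,]+", value) if p]
            keep = [p for p in progs if not _is_target(p)]
            if len(keep) != len(progs):
                hits.append(s)  # record the original line for the operator
                line = key.strip() + "=" + " ".join(keep)
        out.append(line)
    return "\n".join(out), hits

def find_run_entries(reg_text):
    """Return (key, value_name) pairs in a REGEDIT4 export that launch TARGET."""
    found, key = [], ""
    for line in reg_text.splitlines():
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            key = s[1:-1].rstrip("\\")
            continue
        m = re.match(r'"([^"]+)"="(.*)"$', s)
        if m and key.lower().endswith(RUN_KEYS) and _is_target(m.group(2)):
            found.append((key, m.group(1)))
    return found

# Constructed samples (not captured from an infected machine)
SAMPLE_INI = "[windows]\nload=winprot.exe\nrun=C:\\TOOLS\\clock.exe C:\\WINDOWS\\SYSTEM\\winprot.exe\n[Desktop]\nWallpaper=(None)"
SAMPLE_REG = (
    "REGEDIT4\n\n[HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run]\n"
    '"System Protect"="winprot.exe"\n"SystemTray"="SysTray.Exe"\n'
    "[HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServices]\n"
    '"System Protect"="C:\\\\WINDOWS\\\\SYSTEM\\\\winprot.exe"\n')

if __name__ == "__main__":
    print(clean_win_ini(SAMPLE_INI), find_run_entries(SAMPLE_REG), sep="\n")
```

Review the changed lines and the listed registry values before applying either change to the affected machine.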

References:

  • CVE-1999-0660: A hacker utility, back door, or Trojan Horse is installed on a system, e.g. NetBus, Back Orifice, Rootkit, etc.

Platforms Affected:

  • Microsoft Windows 95
  • Microsoft Windows 98
  • Microsoft Windows 98SE

Reported:

Not available

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net
