Host Control backdoor for Windows

backdoor-host-control (5329) The risk level is classified as HighHigh Risk

Description:

The Host Control backdoor is one of many backdoor programs that attackers can use to access your computer system without your knowledge or consent. On an infected system, the Host Control server listens on port 11051 for Host Control client connections. Once connected, a Host Control client can manipulate files and retrieve passwords on the infected system.


Consequences:

Gain Access

Remedy:

To remove the Host Control backdoor from your computer:

CAUTION: Use Registry Editor at your own risk. Any change using Registry Editor may cause severe and irreparable damage and may require you to reinstall your operating system. Internet Security Systems cannot guarantee that problems caused by the use of Registry Editor can be solved.

  1. In Windows 95/98, press Ctrl+Alt+Del to display the Close Programs dialog box.
  2. Select the Winoldap program from the list.
  3. Click the End Task button. (There may be more than one instance of Winoldap on the list. Click the End Task button for each instance.)
  4. Using Regedit, find the HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run registry key.
  5. Find the registry entry named ICQNetDetect that has a data value of C:\Recycled\temp.exe.
  6. Delete this registry entry.
  7. Find the registry entry named WinKernel that has a data value of C:\Recycled\winkernel.exe.
  8. Delete this registry entry.
  9. Find the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run registry key.
  10. Repeat steps 5 through 8 for this registry key.
  11. Delete C:\Recycled\temp.exe and C:\Recycled\winkernel.exe.
  12. Restart your computer.

These instructions were tested for Host Control version 2.6. For other possible versions of the Host Control backdoor, you may wish to use an antivirus program to remove the Host Control backdoor:

  1. If you do not have an antivirus program installed, download and install one of these virus scanners:
    • Norton AntiVirus: http://www.symantec.com/nav/indexA.html
    • McAfee VirusScan: http://software.mcafee.com/centers/download/
    • Trend Micro PC-Cillin: http://www.antivirus.com/pc-cillin/products/
  2. Run the antivirus program to scan your system for this backdoor. The virus scanner should find and remove the Host Control backdoor from your computer.

References:

  • CVE-1999-0660: A hacker utility, back door, or Trojan Horse is installed on a system, e.g. NetBus, Back Orifice, Rootkit, etc.

Platforms Affected:

  • Microsoft Windows 95
  • Microsoft Windows 98
  • Microsoft Windows 98SE

Reported:

Not available

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net

Return to the main page