This is the client program of a backdoor malware written in Delphi. It connects to the computer infected with the server program via a fixed port, 2589.
The hacker using this client program can perform any or all of the following actions on the computer infected with the server program:
- Get System Information
- Send pop up messages
- Act as a mini file browser (this includes read and write access to the files on the server)
- Execute Files
- Process Tool
- Shutdown/Reboot/NetLogon the system
- Enable/Disable Desktop
- Enable/Disable Running Applications
- Enable/Disable Closing Windows
- Power off option for ATX systems
- Turn On/Off Num/Caps/Scroll lock lamps
- Set Mouse Location
- Show/Hide Taskbar
- Eject/Close CD Rom Drive
- Turn Power Saving On/Off
- Enable/Disable CTRL-ALT-DEL key combo
- Get screen resolution
- Determine location of Windows directories
- Set the server password
- Have a chat with the server
- Print something on the server printer
An additional feature of this backdoor is its ability to send notifications via ICQ. All the client component needs is the UIN.
When the server component of this backdoor malware is executed, it copies itself to the Windows System directory as MANAGER.EXE. It then creates the following registry entry so that it executes upon Windows startup:
Thereafter, it stays resident in memory as a service process so that it is not seen in the Task Manager when the infected user presses the Ctrl-Alt-Delete keys. The server component then listens and sends data via port 1386 to the hacker running the client program.
The client program requires the Internet Protocol (IP) address of the target computer.
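A host-side check for the indicators this entry names (a TCP listener on the ports given above and a process running from MANAGER.EXE), as an added example that is not part of the original description. It assumes the line format of Windows `netstat -ano` output and a PID-to-image map such as `tasklist` provides; the sample data is constructed.

```python
import re
from typing import Dict, List

# Ports named in this entry: the client's fixed port and the server's listening port.
SUSPECT_PORTS = {2589, 1386}
SUSPECT_IMAGE = "manager.exe"  # file the server component copies itself to

# Matches one data line of Windows `netstat -ano` output (assumed format), e.g.
#   TCP    0.0.0.0:1386    0.0.0.0:0    LISTENING    1234
NETSTAT_LINE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<laddr>\S+):(?P<lport>\d+)\s+\S+\s+"
    r"(?:(?P<state>\w+)\s+)?(?P<pid>\d+)\s*$"
)

def parse_netstat(text: str) -> List[Dict]:
    """Turn netstat -ano lines into dicts; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_LINE.match(line)
        if m:
            rows.append({"proto": m["proto"], "port": int(m["lport"]),
                         "state": m["state"] or "", "pid": int(m["pid"])})
    return rows

def find_indicators(netstat_text: str, processes: Dict[int, str]) -> List[str]:
    """Report TCP listeners on the backdoor's ports and any process whose image
    name is MANAGER.EXE, tying both to the owning PID. `processes` maps
    PID -> image name (as tasklist reports it). Returns a sorted list of findings."""
    findings = set()
    for row in parse_netstat(netstat_text):
        if row["proto"] == "TCP" and row["state"] == "LISTENING" and row["port"] in SUSPECT_PORTS:
            image = processes.get(row["pid"], "<unknown>")
            findings.add(f"pid {row['pid']} ({image}) listening on tcp/{row['port']}")
    for pid, image in processes.items():
        if image.lower() == SUSPECT_IMAGE:
            findings.add(f"pid {pid} running {image}")
    return sorted(findings)

# Constructed sample data, not captured from a real host.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  TCP    0.0.0.0:1386           0.0.0.0:0              LISTENING       1234
  TCP    10.0.0.5:49710         10.0.0.9:445           ESTABLISHED     4
  UDP    0.0.0.0:500            *:*                                    1100
"""
SAMPLE_PROCESSES = {900: "svchost.exe", 1234: "MANAGER.EXE", 4: "System", 1100: "lsass.exe"}

if __name__ == "__main__":
    for finding in find_indicators(SAMPLE_NETSTAT, SAMPLE_PROCESSES):
        print(finding)
```

A hit on either check alone is only a lead, since the port or file name could be legitimate; the PID correlation is what makes the finding worth escalating.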