Malware type: Backdoor

Aliases: Backdoor.Win32.Litmus.201 (Kaspersky), Backdoor.Trojan (Symantec), TR/Crypt.ULPM.Gen (Avira), Mal/Behav-053 (Sophos)

In the wild: No

Destructive: No

Language: English

Platform: Windows

Encrypted: No

Overall risk rating:

This backdoor malware gives a remote hacker control over an infected computer. It uses a server component to infect a target computer and a client component to control the infected computer. The server installs itself on the infected system and opens a connection for the client side. This backdoor malware compromises network security.

Description created: Aug. 3, 2001 6:35:21 AM GMT -0800


Size of malware: 15,904 Bytes

When executed, the server component copies itself as MPGSRV32.EXE into the Windows\litmus directory. It then registers this file under the following Run key in the registry:

CurrentVersion\Run LTM2=C:\windows\litmus\mpgsrv32.exe

It also attempts to connect to http://viczz.slyip.com via port 6667 but does not do anything with it.


Minimum scan engine version needed: 5.170

Pattern file needed: 0.909.00

Pattern release date: Jul 3, 2001

Important note: The "Minimum scan engine" refers to the earliest Trend Micro scan engine version guaranteed to detect this threat. However, Trend Micro strongly recommends that you update to the latest version in order to get comprehensive protection. Download the latest scan engine here.


  1. Click Start>Run, type REGEDIT.EXE and then hit the Enter key.
  2. Press F3 to open the Regedit search window
  3. Type MPGSRV32.EXE, then hit the ENTER key and wait for this entry to be found
  4. When found, hit the DELETE key to delete the entry. The entry is usually "LTM2" and the value is c:\windows\litmus\mpgsrv32.exe.
  5. Press F3 again to search for more entries
  6. If more entries are found, delete these entries.
  7. Repeat step #2 until Regedit finishes searching the whole registry.
  8. Exit the Registry
  9. Reboot the system
  10. Scan your system with Trend antivirus and delete all files detected as BKDR_LITMUS.201. To do this, Trend customers must download the latest pattern file and scan their system. Other email users may use HouseCall, Trend Micro's free online virus scanner.
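
A read-only check for the artifacts the steps above remove, given here as an added example that is not part of the original description or any Trend Micro tool. The value name, file name, directory and size come from this page; the two full Run key paths are an assumption, since the page gives the key only as `CurrentVersion\Run`.

```powershell
# Added example: read-only triage for the persistence artifacts this page names.
# From the page: Run value LTM2, file mpgsrv32.exe in <Windows>\litmus, 15,904 bytes.
# Assumption: the page gives the key only as "CurrentVersion\Run", so both the
# machine-wide and per-user Run keys are inspected.
$RunKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)

function Find-LitmusRunEntry {
    param(
        [string[]]$KeyPath,
        [string]$ValueName = 'LTM2',
        [string]$FileName  = 'mpgsrv32.exe'
    )
    foreach ($key in $KeyPath) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $regKey = Get-Item -LiteralPath $key
        foreach ($name in $regKey.GetValueNames()) {
            $data = [string]$regKey.GetValue($name)
            # Match on the value name or on any data that points at the dropped file.
            if ($name -eq $ValueName -or $data -like "*$FileName*") {
                [pscustomobject]@{ Key = $key; Name = $name; Data = $data }
            }
        }
    }
}

function Get-LitmusFile {
    param([string]$Path = (Join-Path $env:windir 'litmus\mpgsrv32.exe'))
    if (Test-Path -LiteralPath $Path -PathType Leaf) {
        $file = Get-Item -LiteralPath $Path -Force
        [pscustomobject]@{
            Path        = $file.FullName
            Length      = $file.Length
            SizeMatches = ($file.Length -eq 15904)   # size listed on the page
            SHA256      = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        }
    }
}

$entries = @(Find-LitmusRunEntry -KeyPath $RunKeys)
$file    = Get-LitmusFile
if ($entries.Count -eq 0 -and -not $file) {
    'No LTM2 Run value or litmus\mpgsrv32.exe found.'
} else {
    $entries | Format-List
    $file    | Format-List
}
```

The script changes nothing on the system; a hit on either check means the manual removal steps and a full antivirus scan still apply.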
