Acid Shivers
Acid Shivers currently affects Windows 95/98 PCs.
The "server" portion is named "msgsvr16.exe" and it's approximately 186Kb in size. It can usually be found in the WINDOWS directory.
TCP port 10520 is the first of two TCP ports used by the trojan. The second TCP port is a random port used to establish its connection between the "client" and "server".
Once installed, it's rerun every time the computer is started by means of an entry under the "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" and "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices" branches in the Registry.
Who is Responsible?
Acid Shivers was written by ???
Here are some of the functions that Acid Shivers offers:
- Lists most of the commands (description of command)
- Hide a task from control + alt + delete
- Show a hidden task in control + alt + delete
- List Contents of Current Directory
- List Contents of Current Directory
- Change To Specified Directory/Drive
- Clear Screen
- Kill Process by PID (Shown in PS)
- Shows Running Processes
- Deletes Specified Files
- Change Port Acid Shiver Listens on (Until Next Reboot)
- Change to default Windows Desktop folder
- Change to Windows Recent folder
- Change to default WS_FTP folder
- Show Version Number of Acid Shiver
- Show physical, RAM, CD-ROM, and Network drives
- Relay connection to host on port, Control + C to abort
- Send keys to active window
- Show ethernet stats and physical address
- Rename the user's computer
- Shows DOS Environment variables
- Beeps the specified number of times
- Type 'CDROM' for more information
- Terminate Acid Shiver
- Rename a specified disk drive
- Type 'Shutdown' for more information
- Retrieves information on specified drive
- Disconnect a session by socket index shown in 'STATUS'
- Shows user's current system date
- Shows some general system information about host and user
- Show the state of all sockets used since last reboot
- Retrieve specified file
- Retrieve specified file in hex form
- Run the specified shell command
- Run the specified command and display results (may lock up)
- Make a new directory
- Remove a directory and all files and subdirectories inside
Here's a picture of what the "client" portion of the software looks like.
How to Remove Acid Shivers
The first five steps involve editing the registry and although the steps are relatively easy, I cannot be held responsible if a mistake is made. Please use caution.
Step 1. Click START | RUN, type REGEDIT and hit ENTER
Step 2. In the left window, click the "+" (plus sign) to the left of the following:
HKEY_LOCAL_MACHINE
Software
Microsoft
Windows
CurrentVersion
Run
Step 3. In the right window, look for a registry key with a Name value of "Explorer" and a Data value that loads the "msgsvr16.exe" file. This is the registry key that provides the ability to load the server portion of the trojan whenever the PC is started.
Provided below is a screenshot of what this registry entry would look like:
Step 4. In the right window, highlight the registry key that loads the file and press the DELETE key. Answer YES to delete the entry.
Step 5. In the left window, click the "+" (plus sign) to the left of the following:
HKEY_LOCAL_MACHINE
Software
Microsoft
Windows
CurrentVersion
RunServices
Step 6. In the right window, look for a registry key with a Name value of "Explorer" and a Data value that loads the "msgsvr16.exe" file. This is a second registry key that provides the ability to load the server portion of the trojan whenever the PC is started.
Provided below is a screenshot of what this registry entry would look like:
Step 7. In the right window, highlight the registry key that loads the file and press the DELETE key. Answer YES to delete the entry.
Step 8. Exit the Registry
Step 9. Click START | SHUTDOWN. Choose "Restart in MS-DOS mode" and click OK.
Step 10. After the computer has restarted, change to the WINDOWS directory (e.g. CD WINDOWS) and delete the "msgsvr16.exe" file (e.g. DEL msgsvr16.exe).
Step 11. Press CTRL-ALT-DEL and allow Windows to restart.
Congratulations, Acid Shivers has now been removed from your system.
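The indicators given at the top of this page (the msgsvr16.exe server file, the fixed TCP listener on port 10520, and the "Explorer" entries under the Run and RunServices keys) can be checked for without touching the registry by hand. The following is an added example, not part of the original Commodon write-up: it scans a REGEDIT4-style registry export for the two persistence entries described in Steps 3 and 6, and scans "netstat -an" output for a listener on the trojan's fixed port. The function names, the sample .reg text and the sample netstat lines are constructed for this illustration; only the file name, port number and key paths come from the page.

```python
import re

# Indicators taken from the write-up above.
SERVER_FILENAME = "msgsvr16.exe"
LISTEN_PORT = 10520
PERSISTENCE_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
)

# Constructed sample of a REGEDIT4 export (as produced by REGEDIT /E on Win9x).
# Backslashes are doubled inside data strings, exactly as in a real .reg file.
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"Explorer"="C:\\WINDOWS\\msgsvr16.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Explorer"="C:\\WINDOWS\\msgsvr16.exe"
'''

# Constructed sample of "netstat -an" output from an infected host.
SAMPLE_NETSTAT = """Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:10520          0.0.0.0:0              LISTENING
  UDP    0.0.0.0:137            *:*
"""


def find_persistence(reg_export):
    """Return (key, value_name, data) for every Run/RunServices value that
    loads the trojan server file. Key comparison is case-insensitive because
    REGEDIT exports vary in the case of 'Software' vs 'SOFTWARE'."""
    wanted = {k.lower() for k in PERSISTENCE_KEYS}
    hits = []
    current_key = None
    for raw in reg_export.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]          # new key section starts
            continue
        if current_key is None or "=" not in line:
            continue
        name, _, data = line.partition("=")  # split at the first '=' only
        name = name.strip().strip('"')
        data = data.strip().strip('"')
        if current_key.lower() in wanted and SERVER_FILENAME in data.lower():
            hits.append((current_key, name, data))
    return hits


def find_listener(netstat_output, port=LISTEN_PORT):
    """Return the local addresses of TCP sockets LISTENING on the given port."""
    found = []
    for line in netstat_output.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0].upper() != "TCP":
            continue
        if parts[3].upper() != "LISTENING":
            continue
        _, _, local_port = parts[1].rpartition(":")  # handles 'host:port'
        if local_port.isdigit() and int(local_port) == port:
            found.append(parts[1])
    return found


def main():
    for key, name, data in find_persistence(SAMPLE_REG):
        print("persistence entry: [%s] \"%s\"=\"%s\"" % (key, name, data))
    for addr in find_listener(SAMPLE_NETSTAT):
        print("listener on trojan port: %s" % addr)


if __name__ == "__main__":
    main()
```

Run against a real export (REGEDIT /E file.reg from a DOS prompt) and a captured netstat -an, a hit from either function points at the entries the removal steps above tell you to delete; a clean result from both after Step 11 confirms the persistence entries and the listener are gone.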
While Commodon Communications does not participate in or condone the activities of hacking, we recognize the need to educate persons who express an interest so they can better identify the activities associated with it and better protect themselves and/or their organization. If you're interested in purchasing software for the purpose of learning the subject of hacking and Internet Security, click here to visit our online store.