Home | About Us | Contact Us | Threats to your Security on the Internet | Products | Support | Online Store

RCT's & RAT's
What are they?
How do I detect them?
How many are there?
What ports do they use?

How do I Remove?
Acid Shivers
Acid Shivers (modified)
Back Orifice
Baron Knight
Big Gluck
Blade Runner
Deep Back Orifice
Delta Source
Doly Trojan
Deep Throat
Deep Throat v2
Executer v1
Executer v2
Hack 'a' Tack
Master's Paradise
NetBus 2 Pro
Sockets 'de Troie
SubSeven (Sub7)
Whack-a-mole (NetBus)

Additional Resources
Latest News
Recommended Books
Recommended Links
Recommended Software

Master's Paradise

Master's Paradise currently affects Windows 95/98 PC's.

The "server" portion will delete and replace Microsoft's "System Configuration Editor" utility (sysedit.exe) with itself. The "server" portion is used in conjunction with another file named "keyhook.dll". Both would be found in the WINDOWS directory.

Ports 3129, 40421, 40422, 40423 and 40426 are used in the establishment of connections between the "client" and "server".

Once installed, it is rerun every time the computer is started by means of an entry under the "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" branch in the Registry.

Who is Responsible?

Master's Paradise was written by a German programmer named Dan Lehman. Reported delivery modes include transfer through IRC and AOL chat rooms, email file attachments, exploits of security holes in browsers and email programs and physical installation on machines.

Below are some of the functions that Master's Paradise offers:
- Open/close the CD-ROM once or in intervals (specified in seconds).
- Show optional image. If no full path of the image is given it will look for it in the installed directory. The supported image-formats is BMP and JPG.
- Swap mouse buttons the right mouse button gets the left mouse button's functions and vice versa.
- Start optional application.
- Play optional sound-file. If no full path of the sound-file is given it will look for it in the installed directory. The supported sound-format is WAV.
- Point the mouse to optional coordinates. You can even navigate the mouse on the target computer with your own!
- Send a message dialog to the victim's computer screen.
- Shutdown the system, logoff the user etc.
- Go to an optional URL within the default web-browser.
- Send keystrokes to the active application on the target computer! The text in the field Message/text will be inserted in the application that has focus. (| represents enter).
- Listen for keystrokes and send them back to you!
- Get a screendump! (should not be used over slow connections)
- Return information about the target computer.
- Upload any file from you to the target computer.
- Increase and decrease the sound-volume.
- Record sounds from the computer's microphone.
- Make click sounds every time a key is pressed.
- Download and deletion of any file from the target.
- Keys (letters) on the keyboard can be disabled.
- Password-protection management.
- Show, kill and focus windows on the system.

The ability to turn on a microphone is particularly threatening as this could permit the hacker the ability to listen to room audio and in effect "bug" the victim's room without detection.

Provided below, is a picture of what the "client" portion of the software looks like. It's what the remote user would use to control your system. What could be easier than "pointing and clicking" your way through another users PC?

BO GUI screenshot

How to Remove

The first five steps involve editing the Windows 95/98 registry. And although the steps are easy, I cannot be held responsible if a mistake is made. Please use caution.

Step 1.
type REGEDIT and hit ENTER

Step 2.
In the left window, click the "+" (plus sign) to the left of the following:

Step 3.
In the right window, look for a key that loads a file called "sysedit.exe".

Step 4.
In the right window, highlight the key that loads the file and hit the DELETE key. Answer YES to delete the entry.

Step 5.
Exit the Registry

Step 6.
Reboot your computer

Step 7.
After the computer has restarted, open Windows Explorer

Step 8.
Go to the WINDOWS directory and look for the "sysedit.exe" file. Once you've found the file, DELETE it.

Step 9.
Also within the WINDOWS directory, look for the "keyhook.dll" file. Once you've found the file, DELETE it.

Step 10.
Exit Windows Explorer and reboot your computer.

Congratulations, Master's Paradise has now been removed from your system.

Important Notes:
Because the trojan deletes and replaces Microsoft's SYSEDIT utility with the "server" portion, you'll have to either extract the original sysedit.exe from the CAB files, or copy it from another PC.

While Commodon Communications does not participate in or condone the activities of hacking. We recognize the need to educate persons who express an interest so they can better identify the activities associated and to better protect themselves and/or their organization. If you're interested in purchasing software for the purpose of learning the subject of hacking and Internet Security click here to visit our online store.

    © Copyright Commodon Communications. All rights reserved.