Sockets de Troie (French for "Trojan Sockets")

Sockets de Troie currently affects Windows 95/98 PCs.

The "server" portion is typically named "mschv32.exe".

Ports 5000 and 5001 (by default) are used to establish the connections between the "client" and "server".

Who is Responsible?

Unknown at this time...

There are two methods (that I know of) by which Sockets de Troie can be unknowingly installed.

In the first, when the "server" portion is run, it shows an error dialog stating that SETUP32.DLL is missing. At the same time, the "server" portion copies itself to the WINDOWS\SYSTEM directory as MSCHV32.EXE and modifies the Windows Registry so that it is executed at every subsequent Windows boot.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunLoad
MSchv32 Drv = C:\WINDOWS\SYSTEM\MSchv32.exe

In the second, when the "server" portion is run, it shows an error dialog stating that ISAPI32.DLL is missing. The "server" portion copies itself three times to the WINDOWS\ and WINDOWS\SYSTEM directories under the following names:

c:\windows\rsrcload.exe
c:\windows\system\mgadeskdll.exe
c:\windows\system\csmctrl32.exe

The "server" also modifies the Windows Registry so that these files are executed at every subsequent Windows boot:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunLoad
Mgadeskdll = C:\WINDOWS\SYSTEM\Mgadeskdll.exe

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunLoad
Rsrcload = C:\WINDOWS\Rsrcload.exe

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesLoad
Csmctrl32 = C:\WINDOWS\SYSTEM\Csmctrl32.exe
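
The file names, autostart entries and default ports listed above can be combined into a host triage check. The following Python is an added example, not part of the original page; the function names, verdict labels and sample inputs are constructed, and it assumes Windows is installed in C:\WINDOWS as in the paths above.

```python
# Indicators below come from the page; the sample inputs are constructed.
# Assumes Windows is installed in C:\WINDOWS, as in the page's paths.
SERVER_FILES = {
    r"c:\windows\system\mschv32.exe",
    r"c:\windows\rsrcload.exe",
    r"c:\windows\system\mgadeskdll.exe",
    r"c:\windows\system\csmctrl32.exe",
}
DEFAULT_PORTS = {5000, 5001}

def listening_ports(netstat_text):
    """Return the TCP ports in LISTENING state from `netstat -an` output."""
    ports = set()
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) >= 4 and f[0].upper() == "TCP" and f[3].upper() == "LISTENING":
            ports.add(int(f[1].rsplit(":", 1)[1]))
    return ports

def triage(netstat_text, file_paths, autostart_values):
    """autostart_values maps a registry value name to its command line."""
    # Windows paths are case-insensitive, so compare lowercased.
    files = sorted(p for p in file_paths if p.lower() in SERVER_FILES)
    autoruns = sorted(name for name, cmd in autostart_values.items()
                      if cmd.strip('" ').lower() in SERVER_FILES)
    ports = sorted(listening_ports(netstat_text) & DEFAULT_PORTS)
    # A dropped file or autostart entry is strong evidence. A listener on the
    # default ports alone is weak: other software can bind them, and the
    # page says these ports are only the default.
    if files or autoruns:
        verdict = "likely"
    elif ports:
        verdict = "investigate"
    else:
        verdict = "clean"
    return {"verdict": verdict, "files": files, "autoruns": autoruns, "ports": ports}

# Constructed sample data (not captured from a real host).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:5000           0.0.0.0:0              LISTENING
  TCP    192.168.0.5:139        0.0.0.0:0              LISTENING
  UDP    192.168.0.5:137        *:*
"""
SAMPLE_FILES = [r"C:\WINDOWS\SYSTEM\MSCHV32.EXE", r"C:\WINDOWS\NOTEPAD.EXE"]
SAMPLE_AUTOSTART = {"MSchv32 Drv": r"C:\WINDOWS\SYSTEM\MSchv32.exe"}
```

The autostart check matches on the command line stored in the value rather than on the key path, so it finds the entry under whichever autostart key it was written to.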

Provided below is a picture of what the "client" portion of the software looks like. It's what the remote user would use to control your system. What could be easier than "pointing and clicking" your way through another user's PC?

BO GUI screenshot

How to Remove

Forthcoming...

While Commodon Communications does not participate in or condone the activities of hacking, we recognize the need to educate persons who express an interest so they can better identify the associated activities and better protect themselves and/or their organization. If you're interested in purchasing software for the purpose of learning the subject of hacking and Internet Security, click here to visit our online store.

 
    © Copyright Commodon Communications. All rights reserved.