Trojans are malicious applications that pose themselves as legitimate software in order to trick users to install them. Once on the victim's machine, it may run any number of malicious process to steal vital information or inflict damage to other software.
BackDoor.Ebnoy is an IRC Backdoor Trojan that allows a remote attacker to control the compromised computer and performs various malicious actions through Internet Relay Chat (IRC).
It adds False IP's to more than 50 popular antivirus companies urls in the Host file, disables antivirus notifications, firewall notifications, update notifications, and overrides firewalls. It also steals data from SQL Server and Mysql databases.
It drops oreans32.sys and libmysql.dll, where oreans32.sys is a component of a legitimate executable file protection system and in itself is not malicious. The file oreans32.sys is registered as a new system driver service named "oreans32", with a display name of "oreans32".
libmysql.dll is also a legitimate client API used to trace SQL statement sent by other applications.
BackDoor.Ebnoy creates the folder, %Windir%\system32\programs\.
These files are used for Transmission through P2P programs.
Copies itself to the %Windir%\system32\programs\ folder as the following filenames:
2 Find MP3 8.2.0.exe
Adobe InDesign CS 2.exe
Adobe keygen for photoshop indesign incopy SERIAL crack.exe
Adobe Photoshop CS 2.exe
Autocad 2002 Crack.exe
Autocad 2004 Crack.exe
Autocad 2005 Crack.exe
Autocad 2006 Crack.exe
BEST HACK TOOL FOR REAL HACKERS KEYLOGGER WEBCAM SPY! - PRIVATE.exe
Counter strike - cs full version.exe
Counter strike keygen WORKING FOR ONLINE STEAM.exe
Credit card generator.exe
Eric vd Vogt Gay Movie - Dutch homosexual fetish raped.exe
Fifa 2006 FULL with crack.exe
Fifa 2007 FULL with crack.exe
Free SMS Bomber.exe
Google hack tutorial for beginners.exe
HalfLife 2 WORKING Steam crack.exe
Hotmail account hacker in 30 minutes.exe
Microsoft Office Activation Crack.exe
Microsoft Office Professional Crack.exe
Microsoft Office Professional Serial.exe
Microsoft Office Professional Universal Crack without serial.exe
Microsoft Office Universal Activator v1.0.exe
MSN hacker - password stealer.exe
norton anti virus FULL NEWEST VERSION.exe
Norton AntiVirus 2005 crack.exe
Norton AntiVirus 2006 crack.exe
Norton antivirus crack.exe
Norton firewall 2006 crack.exe
psx2 - playstation 2 emulator.exe
UniVersal GSM unlocker for removing simlock (NOKIA,ERICSSON,SONY,SAMSUNG,OTHERS).exe
WinRAR 4 beta.exe
ZoneAlarm crack (keygen).exe
BackDoor.Ebnoy employs false messages like the one above to spread through IRC.
Large amount of Hijacked domains are placed in the Hosts file. Its probably better to delete the file itself than to fix each item.(and create a Backup)
File location is C:\Windows\System32\drivers\etc\hosts
To Correct Modified Registry Values:
1.Click on Start , click run.
2.Type "regedit" and press enter.
3.Navigate to "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center"
4.Right Click on "AntiVirusDisableNotify" ,click on Modify , Type " 0 " in Value Data field in place of "1" and press Enter.
5.Right Click on "FirewallDisableNotify" , click on Modify , Type "0" in Value Data field in place of "1" and press Enter.
6.Right Click on "FirewallOverride" , click on Modify , Type "0" in Value Data field in place of "1" and press Enter.
7.Right Click on "UpdatesDisableNotify" , click on Modify , Type "0" in Value Data field in place of "1" and press Enter.
8. Navigate to "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" .
9. Right Click on "Shell" , click on Modify , Type "Explorer.exe" in Value Data field in place of " Explorer.exe msdhcprs.exe" and press Enter.
10. Restart computer.