Fighting Spyware, Malware and Adware one File at a Time.

Acid Shivers

Overview

Summary

 The source code to the Windows trojan called 'Acid Shiver' that covered most of Efnet last year has been released. The source code is all Visual Basic 5.0 (SP3), and not much effort was put into organization. It had been distributed through 'WaReZ' DCC bots, and had over 7000 users within 2 months. It was disguised as a million different applications: the Setup.exe file in different programs was replaced by the trojan, which would install itself into the registry on first use. As soon as the program is run, it registers its process as a 'Windows Service', thus removing it from all task lists. It waits until an active internet connection is established (by attempting connections to an array of SMTP servers), and then e-mails the creator with the random TCP port number it listens on, the time, and a large amount of sensitive information resident on the victim's hard drive. The creator then connects via telnet to the specified port and is given a prompt that looks like a DOS shell. Any command can be executed, with the results shot back across the TCP connection; network topology can be shown (net * commands), files may be downloaded, the deployer may "bounce" through the victim to another host, and system settings/registry entries can be changed. The victim can use a netstat to see the listening port/connections. It loads automatically through the HKLM/M$/Windows/Current Version/Run Services, Run, Run Once, and Run Services Once entries. If it detects another copy running it exits. The file size for the exe changed depending upon the exe-packer used, and any hex-editing done by the deployer. Among the IRC operators infected were _cls_ and saralee, along with some other high profiles on Efnet (among the hacking/warez community). - elessdee, Bugtraq List
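The two observable traits in the report above, autostart values under the HKLM Run* keys and a listener on a random TCP port that netstat can see, are enough to build a triage check. The script below is an added example written for this entry; it is not code from the Database of Spyware page or from the Acid Shiver author. It dumps every value under the Run, RunOnce, RunServices and RunServicesOnce keys (HKLM and HKCU), lists listening TCP sockets with their owning process and image path, and flags any listener whose image path is referenced by an autostart value. It assumes a modern Windows host with Get-NetTCPConnection (Windows 8 / Server 2012 or later) and an elevated shell; the RunServices keys only exist on Windows 9x, so on an NT-based system they will simply be reported as absent.

```powershell
# Added triage example (not from the original page or the trojan's author).
# Goal: correlate autostart registry values with processes that own listening TCP sockets,
# the two traits the Bugtraq report gives for this RAT.
# Assumptions: Windows 8 / Server 2012+ (Get-NetTCPConnection), elevated session so
# process image paths resolve. RunServices* keys are Windows 9x only and are usually absent.

$runKeys = foreach ($hive in 'HKLM', 'HKCU') {
    foreach ($name in 'Run', 'RunOnce', 'RunServices', 'RunServicesOnce') {
        "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\$name"
    }
}

# Every autostart value under the keys above; keys that do not exist are skipped,
# and the PS* metadata properties PowerShell adds are filtered out.
$autostarts = foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($null -eq $props) { continue }
    $props.PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |
        ForEach-Object {
            [pscustomobject]@{ Key = $key; Name = $_.Name; Command = [string]$_.Value }
        }
}

# Listening TCP sockets joined to the owning process and its image path.
# Path is $null for processes we cannot open (protected/system) unless elevated.
$listeners = Get-NetTCPConnection -State Listen | ForEach-Object {
    $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
    [pscustomobject]@{
        LocalPort = $_.LocalPort
        Pid       = $_.OwningProcess
        Process   = $proc.ProcessName
        Path      = $proc.Path
    }
}

# A listener whose image path appears inside any autostart command is worth a look.
# Case-insensitive substring match rather than -like, so brackets in a path do not
# get treated as wildcards.
$suspicious = foreach ($l in $listeners) {
    if (-not $l.Path) { continue }
    $hits = $autostarts | Where-Object {
        $_.Command.IndexOf($l.Path, [System.StringComparison]::OrdinalIgnoreCase) -ge 0
    }
    foreach ($h in $hits) {
        [pscustomobject]@{
            LocalPort    = $l.LocalPort
            Pid          = $l.Pid
            Path         = $l.Path
            AutostartKey = $h.Key
            ValueName    = $h.Name
        }
    }
}

'== Autostart entries (Run, RunOnce, RunServices, RunServicesOnce) =='
$autostarts | Format-Table -AutoSize
'== Listening TCP ports with owning process =='
$listeners | Sort-Object LocalPort | Format-Table -AutoSize
'== Listeners that are also registered for autostart (review each by hand) =='
$suspicious | Format-Table -AutoSize
```

Treat the last table as a lead, not a verdict: legitimate software that starts from a Run key and opens a listening port will show up there too, and a RAT that hides as a Windows service or uses a different persistence key will not. The value of the check is that it gives you the PID and the image path to feed into the process-kill and file-removal steps further down the page.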

Vendor Description

 Author's summary: "Alright this trojan is pretty cool, it runs on a random TCP port each time it's started and it sends an email to the infector, telling them the info. To connect to it, you need to connect via telnet on the specified port. Everything is command line based but it's still a very good trojan. Btw if you add a cool feature please remember this is an open source project..."

Functions (each server command, described by what it does):
- Lists most of the commands (description of command)
- Hide a task from Control + Alt + Delete
- Show a hidden task in Control + Alt + Delete
- List contents of current directory
- List contents of current directory
- Change to specified directory/drive
- Clear screen
- Kill process by PID (shown in PS)
- Shows running processes
- Deletes specified files
- Change port Acid Shiver listens on (until next reboot)
- Change to default Windows Desktop folder
- Change to Windows Recent folder
- Change to default WS_FTP folder
- Show version number of Acid Shiver
- Show physical, RAM, CD-ROM, and network drives
- Relay connection to host on port, Control + C to abort
- Sendkeys to active window
- Show ethernet stats and physical address
- Rename the user's computer
- Shows DOS environment variables
- Beeps the specified number of times
- Type 'CDROM' for more information
- Terminate Acid Shiver
- Rename a specified disk drive
- Type 'Shutdown' for more information
- Retrieves information on specified drive
- Disconnect a session by socket index shown in 'STATUS'
- Shows the user's current system date
- Shows some general system information about host and user
- Show the state of all sockets used since last reboot
- Retrieve specified file
- Retrieve specified file in hex form
- Run the specified shell command
- Run the specified command and display results (may lock up)
- Make a new directory
- Remove a directory and all files and subdirectories inside
- Copy file1 to file2

Alias

 Acid Shiver, Acid Shiver [McAfee], Acid Shiver.c, Backdoor.AcidShiver.Kor [Kaspersky], Backdoor/AcidAhiver.Kor.B [Computer Associates], PWS-Shivers, security risk or a "backdoor" program [F-Prot], Trojan.PSW.AcidShiver, Win32.AcidShiver.Kor [Computer Associates], Win32/AcidShiver.Kor trojan [Eset]

Category

 RAT: A Remote Administration Tool, or RAT, is a Trojan that when run, provides an attacker with the capability of remotely controlling a machine via a "client" on the attacker's machine and a "server" on the victim's machine. Examples include Back Orifice, NetBus, SubSeven, and Hack'a'tack. What happens when a server is installed on a victim's machine depends on the capabilities of the trojan, the interests of the attacker, and whether or not control of the server is ever gained by another attacker, who might have entirely different interests. Infections by remote administration Trojans on Windows machines are becoming as frequent as viruses. One common vector is through File and Print Sharing, when home users inadvertently open up their system to the rest of the world. If an attacker has access to the hard drive, he/she can place the trojan in the startup folder. This will run the trojan the next time the user logs in. Another common vector is when the attacker simply e-mails the trojan to the user along with a social engineering hack that convinces the user to run it against their better judgment.

Backdoor:  A secret or undocumented means of getting into a computer system, or software that uses such a means to penetrate a system. Some software has a backdoor placed by the programmer to allow them to gain access to troubleshoot or change the program. Software that is classified as a "backdoor" is designed to exploit a vulnerability in a system, and open it to future access by an attacker.

Password Capture:  A variant of the Key Logger that captures passwords as they are entered or transmitted. Some password capture trojans impersonate the login prompt, asking the user to provide their password.

Trojan:  Any program with a hidden intent. Trojans are one of the leading causes of break-ins to machines. If you pull down a program from a chat room, newsgroup, or even from unsolicited e-mail, then the program is likely trojaned with some subversive purpose. The word Trojan can be used as a verb: to trojan a program is to add subversive functionality to an existing program. For example, a trojaned login program might be programmed to accept a certain password for any user's account, which the hacker can use to log back into the system at any time. Rootkits often contain a suite of such trojaned programs.

Variants

 Acid Shiver Release 5.00 (Public Open Source)
 Acid Shivers e

Origins

 

Author

 Green Applet

Others By This Author

 Acid Shiver Release 5.00 (Public Open Source)
 Acid Shivers e
 Modified Acid Shiver Server
 Modified Masters Paradise
 NetBus Hack 1.1

Vendor

 LEENTech Corporation

Programming Language

 Visual Basic. Requires MSWINSCK.OCX (the Winsock control used for the listener and SMTP notification), MSVBVM50.DLL (the Visual Basic 5.0 runtime), and COMDLG32.OCX (the common dialog control). The server will not start on a machine where these are missing, which is why some builds were distributed with the runtime bundled.

Date of Origin

 Variants from November, 1998 to May, 2002
 

Detection and Removal

Manual Removal

 Follow these steps to remove Acid Shivers from your machine. Begin by backing up your registry and your system, and/or setting a Restore Point, to prevent trouble if you make a mistake.

 Stop Running Processes:

Kill these running processes with Task Manager:



Remove Files:

Remove these files (if present) with Windows Explorer:



 
Site Map 2006 © Copyright DatabaseofSpyware.com. All rights reserved. Terms of Use