Fighting Spyware, Malware and Adware one File at a Time.
Cang

Overview

Vendor Description

From the doc: 'CANG is a respectable remote administration tool, not a Trojan Horse. Important information about CANG that can't be determined from its command list is contained in this file. The command list is accessible from the client.
CANG supports privileges and passwords: this is why it is respectable, as well as it having a user interface on the server (unless it is turned off for simplification reasons).
For Network admins who need to work with firewalls, etc, the ports used by CANG are: 543 and 345.
Recommended supplementary software:
- WinVNC (Remote control as if you are at the other PC)
- Garth (Telnet server, allows you to control a DOS prompt)
CANG Works well with Netwatcher (Windows Remote Administration must be on). Netwatcher comes with Windows.
When "local files" are referred to, it doesn't mean a file necessarily on the client's computer, but rather a pathname which the client's computer can understand. The pathname might point to a directory on an accessible network computer:
\\examplecomputer\exampleshare\windows\test.tmp
The same goes for "remote files".
When copying a file using "get" or "put" or "copy" the destination filename is required as part of the destination path. When using the filebrowser, the destination filename should only be appended to the path if it is asked for: it is automated for the other commands.
For Registry function, HKEYS must be given in the format of:
LOCAL_MACHINE
CURRENT_USER
etc. Actually there is a little flexibility: case is worked around, and the HKEY_ prefix will be accepted.
When saving to the registry, a special input box is put up on the client to request a third parameter: what to write. These are the only commands that require a third parameter, which is why we haven't created a third parameter box.
When filebrowsing, the filter defines what must be to one of the sides of the filename to see it. File browsing is no more than a user friendly front end to the file commands.
The Server routinely checks to see if the file c:\disco.now exists. If it does, the client is disconnected. This allows a remote administrator to gain control of the CANG server in "an emergency" (only one client can access the server).
For get_handle_match only one of the parameters is required, use "" for the other.'

Alias

 Backdoor.VB.ec, Backdoor.VB.ec [Kaspersky], Backdoor.Win32.VB.ec [Kaspersky], Backdoor/VB.ec!Server [Computer Associates], Bck/VB.EC [Panda], Generic BackDoor.b [McAfee], security risk named W32/BackCang.A [F-Prot]

Category

 Commercial RAT: Any commercial product that is normally used for remote administration, but which might be exploited to do this without user consent or awareness.

Backdoor:  A secret or undocumented means of getting into a computer system, or software that uses such a means to penetrate a system. Some software has a backdoor placed by the programmer to allow them to gain access to troubleshoot or change the program. Software that is classified as a "backdoor" is designed to exploit a vulnerability in a system, and open it to future access by an attacker.

 

Origins

 

Author

 Chris Graham

Programming Language

 Visual Basic. Compressed with UPX.

Date of Origin

 June, 2001
 

Detection and Removal

Manual Removal

 Follow these steps to remove Cang from your machine. Begin by backing up your registry and your system, and/or setting a Restore Point, to prevent trouble if you make a mistake.

 Stop Running Processes:

Kill these running processes with Task Manager:



Remove Files:

Remove these files (if present) with Windows Explorer:



 
2006 © Copyright DatabaseofSpyware.com. All rights reserved.