Threat Description

Cabrotor

Details

Aliases:Cabrotor, Backdoor.Cabrotor.10.a, Cabronator
Category: Malware
Type:
Platform: W32

Summary



Cabrotor is backdoor, allowing an attacker to control the machine where it runs. The trojan itself is a Windows PE EXE file written in Delphi.



Removal


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More

You may wish to refer to the Support Community for further assistance. You also may also refer to General Removal Instructions for a general guide on alternative disinfection actions.



Technical Details



The original trojan package contains three main executable files:

CaBrONaToR.exe - client to send commands to remote server
 CaBrONeDiT.exe - server editor to modify default server settings
 8======D.exe - server (trojan itself)
 

When run, the backdoor code copies itself to the Windows directory and registers itself in the system registry in the auto-run section. In different backdoor versions the backdoor EXE name and registry keys are different. The known variant has:

Executable name:

ASDAPI.EXE

The registry key entries it creates are located in:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
 [HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices]
 

And their names are:

LoadPowerProfile

The trojan then opens a connection to its master's IRC channel and waits for its master's commands.

The backdoor allows the attacker to invoke any of the following commands:

Reports computer information (Windows version, CPU type, UserName, CompanyName)
 Open/closes CD drive
 Reports directories and file names
 Runs a local file or command
 Send information: RAS, MS Messenger and .NET services
 Exits Windows
 Downloads a requested file
 Performs DoS attack to a requested victim address
 Terminates itself
 


Detection


Detection for Cabrotor worm is available in the following FSAV updates:
Detection Type: PC
Database: 2002-07-22_01



Technical Details: Kaspersky Lab


SUBMIT A SAMPLE

Suspect a file or URL was wrongly detected? Submit a sample to our Labs for analysis

Submit Now

Give And Get Advice

Give advice. Get advice. Share the knowledge on our free discussion forum.

Learn More