Deep Throat
Summary
Deep Throat is a hacker's remote administration tool, much like the infamous Back Orifice and NetBus tools. Deep Throat allows a hacker to access data and gain control over some Windows functions on remote system.
Removal
Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.
A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:
-
Check for the latest database updates
First check if your F-Secure security program is using the latest updates, then try scanning the file again.
-
Submit a sample
After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.
Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.
-
Exclude a file from further scanning
If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.
Note: You need administrative rights to change the settings.
Technical Details
Deep Throat tool has client and server parts. The server part is installed on a remote system to be accessed. The server part can be dropped to a TEMP directory with a random name by a special dropper.
On execution the server part installs itself to Windows directory and it will be executed automatically during next Windows startup. The execution command for the server part is written to the registry:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
If Deep Throat server part is released by a dropper it is the dropper that modifies the registry.
The server part hides its process name in Windows task manager. Access to the running server part file is denied by Windows so it can't be removed easily while Windows is running.
The client part allows to control the remote computer system where the server part is installed and active. The client part has a dialog interface which allows to perform tricks on remote system and to receive/send data, text and other information (some features are not implemented in version 1.0).
The client and server parts use TCP/IP protocol to communicate with each other. The client part has an option to scan a range of IP addresses to search for active server part and connect to it.
Below is the list of Deep Throat features:
1. Open and close CD-ROM tray 2. Show a message box on remote system with optional text 3. Hide or show Windows taskbar 4. Start FTP server on port 21 - upload/download files(not implemented in v1.0) 5. Capture screen to JPG image and receive it from remote system 6. Open optional URLs with browsers on remote system 7. Turn monitor on/off - send powersave mode commands 8. Steal passwords (not implemented in v1.0) 9. Run any program on target system 10. Run any program on target system in invisible mode 11. Reboot Windows 12. Port scanner - to scan for computers with DT server running 13. Ping remote system - to check if there's a running DT server 14. Get remote system info
The server and client parts of Deep Throat are packed with NeoLite Windows EXE files compressor that decreases their size considerably and also makes detection of this trojan more difficult.
The client part tries to install two TTF fonts on startup, but if Windows is installed to directory other than C:\WINDOWS\ the fonts are not installed and the main dialog window looks crappy.
Version 1.0 of Deep Throat has bugs that might crash Windows.
See: Back Orifice, NetBus