by prncipia
Released in March 2006
Genie is a simple Telnet backdoor program.
- When Genie.exe is executed, it opens port 1179.
- Creates a copy of itself as %System%\regmont.exe and %windir%\cprog.exe
- And adds the following values in the registry to be executed each time Windows starts:
  "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" "RegMon" = "%System%\regmont.exe"
  "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows" "Run" = "%windir%\cprog.exe"

Genie commands:
Mypass     Change default password
Myport     Change default port
Lock       Locking Taskman and registry editors (win2k/xp)
UnLock     Unlocking Taskman and registry editors (win2k/xp)
Reset      Reboot Windows.
Exit       Close current connection.
Vshutdown  Shutdown the virus.

Now to connect to the remote host you have to type Telnet "targets_ip" 1179, then type "hello" to activate the program. And the last step is that it asks you for the password, and by default the password is "katerina". That's it.
prncipia

Server:
dropped file:
c:\WINDOWS\cprog.exe                Size: 18,558 bytes
c:\WINDOWS\system32\regmont.exe     Size: 18,558 bytes
port: 1179 TCP
added to registry:
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows "Run"
  data: C:\WINDOWS\cprog.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "RegMon"
  data: C:\WINDOWS\System32\regmont.exe
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List
tested on Windows XP
March 10, 2006
MegaSecurity
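A defender-side check for the persistence artifacts catalogued above, added here as an example; it is not part of prncipia's program or of MegaSecurity's analysis. It assumes a Windows host with PowerShell 3 or later and the file paths, value names and port exactly as listed on this page. The page names the firewall GloballyOpenPorts keys without their data, so matching their value names on the substring "1179:TCP" is an assumption about how the exception was written.

```powershell
# Added example: hunt for the Genie artifacts described on this page.
# Paths, value names and the port come from the page; the firewall value
# substring match ('1179:TCP') is an assumption, since the page lists
# those keys without their data.

$findings = @()

# 1. Dropped copies of the server
$files = @("$env:windir\cprog.exe", "$env:SystemRoot\System32\regmont.exe")
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) {
        $size = (Get-Item -LiteralPath $f).Length
        $findings += "Dropped file present: $f ($size bytes)"
    }
}

# 2. Autostart values in the two Run locations the page names
$runChecks = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';        Name = 'RegMon' },
    @{ Path = 'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'; Name = 'Run' }
)
foreach ($c in $runChecks) {
    $v = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    if ($v) {
        $data = $v.($c.Name)
        if ($data -match 'regmont\.exe|cprog\.exe') {
            $findings += "Run value $($c.Path)\$($c.Name) = $data"
        }
    }
}

# 3. Windows Firewall exceptions for the backdoor port (assumed value-name format)
$fwKeys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List',
    'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List'
)
foreach ($k in $fwKeys) {
    if (Test-Path -Path $k) {
        (Get-Item -Path $k).Property | ForEach-Object {
            if ($_ -like '*1179:TCP*') { $findings += "Firewall exception in $k : $_" }
        }
    }
}

# 4. Live listener on TCP 1179 (Get-NetTCPConnection needs Windows 8 / Server 2012 or later)
$listener = Get-NetTCPConnection -LocalPort 1179 -State Listen -ErrorAction SilentlyContinue
if ($listener) {
    $owner = (Get-Process -Id $listener.OwningProcess -ErrorAction SilentlyContinue).ProcessName
    $findings += "TCP 1179 listening, owning process: $owner"
}

if ($findings.Count -eq 0) { 'No Genie artifacts found.' } else { $findings }
```

Run it from an elevated prompt so the HKLM firewall keys and the owning process of the listener are readable; any single finding is worth a closer look, since the Run values and the firewall exception are only written by the server itself.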