Backdoor.Darkmoon.F

Backdoor.Darkmoon.F may allow unauthorized access to the infected system: it opens a backdoor on TCP port 1328, connects to member.loveminim.com, and executes commands sent to it remotely. When executed, Backdoor.Darkmoon.F creates a hidden alternate data stream named system32:netde.exe, so its code is attached to the system32 directory rather than stored as an ordinary file.

Damage Level: Medium

Systems Affected: Windows 9x, 2000, XP, Windows Vista

Technical Details and Additional Information:

What can Backdoor.Darkmoon.F do to an infected system?
- The Trojan embeds its code into the explorer.exe process.
- It creates a mutex so that only a single instance of the Trojan runs.
- It creates files and folders on the compromised system.

Malicious Files Added by Backdoor.Darkmoon.F
%Windir%\system32:netde.exe

Associated Windows Registry Entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{93D836F9-E761-F95D-E69D-A6FB1F9718F7}\ "StubPath" = "%Windir%\system32:netde.exe…"
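The two artifacts listed above (the alternate data stream on the system32 directory and the Active Setup StubPath that launches it) can be checked for on a live host. The PowerShell script below is an added example written for this page, not part of the original advisory; it assumes PowerShell 3.0 or later (for the -Stream parameter) and an elevated prompt, and it only reports, it does not remove anything.

```powershell
# Added example (not from the original advisory): report the two persistence
# artifacts described above. Assumes PowerShell 3.0+ and an elevated prompt.

$sys32 = Join-Path $env:windir 'system32'

# 1. Alternate data streams attached to the system32 directory itself.
#    Directories have no default data stream, so any stream listed here
#    (for example 'netde.exe') deserves a closer look.
Write-Host "Alternate data streams on $sys32"
Get-Item -Path $sys32 -Stream * -ErrorAction SilentlyContinue |
    Where-Object { $_.Stream -ne ':$DATA' } |
    ForEach-Object {
        [pscustomobject]@{ Stream = $_.Stream; Length = $_.Length }
    } | Format-Table -AutoSize

# 2. Active Setup 'Installed Components' StubPath values that point at an ADS.
#    Active Setup runs each StubPath once per user at logon, which is why the
#    Trojan registers its stream there. A legitimate StubPath is an ordinary
#    path; 'file:stream' syntax (a colon after the file name, not the drive
#    letter) is how an alternate data stream is addressed.
$activeSetupKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components'
)
# Matches '...\system32:netde.exe' but not 'C:\Windows\foo.exe' (drive colon
# is followed by a backslash) or '/i:U shell32.dll' (contains a space).
$adsPattern = '[^\\:\s]+:[^\\:\s]+$'

Write-Host "Active Setup StubPath values that reference an alternate data stream"
foreach ($root in $activeSetupKeys) {
    Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
        $stub = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).StubPath
        if ($stub -and ($stub -match $adsPattern)) {
            [pscustomobject]@{
                Key      = $_.PSChildName
                StubPath = $stub
            }
        }
    }
} | Format-Table -AutoSize
```

Any hit in the second list should be compared against the GUID and StubPath given in this advisory before acting on it, since the same check also surfaces unrelated streams and entries.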

Backdoor.Darkmoon.F – Removal

Removing Backdoor.Darkmoon.F Manually:
1. If using Windows ME or XP, System Restore must be disabled to prevent the threat from restoring itself. [Windows XP System Restore]
2. Update the virus definitions.
3. Reboot Windows in Safe Mode. [how to]
4. Run a full system scan and clean/delete all infected file(s).
5. Delete/Modify any values added to the registry. [how to edit registry]
6. Exit registry editor and restart Windows.

Anti-virus Tools

Scan with Norton Power Eraser:
Norton Power Eraser is a virus removal tool created by Norton Antivirus to remove unfamiliar threats without relying on traditional AV signatures. Download the tool and start a scan with Norton Power Eraser.

Online Virus Scanner:
An online virus scanner can provide scan and clean functions just like any anti-virus software, without the need to install an additional AV product. Perform a thorough scan with a free online virus scanner offered on the website of a legitimate security software provider.