This page created with Cool Page.  Click to get your own FREE copy of Cool Page!

Jan P Kajander  +portals

Matters found on this machine 1 of millions..
da patata planted to millions of users..

Inserted  with windows versions delivered at shopchains bundled software without proper
licence corrupted backdoor? eg like a t-junction at the piratized (privatized) telcos?




Backdoor.DSNX is a Backdoor Trojan Horse that can give its creator access to
your computer. Like many other Backdoor Trojans, Backdoor.DSNX is
controlled by its creator using IRC channels.

Also Known As:  Backdoor.DSNX.05
Type:  Trojan Horse
Infection Length:  57,344 bytes
Systems Affected:  Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP,
Windows Me
Systems Not Affected: 
Linux, Macintosh, OS/2, UNIX


Number of infections: 50 - 999
Number of sites: 3 - 9
Geographical distribution: Medium
Threat containment: Easy
Removal: Easy
Threat Metrics



Payload Trigger: Running the Trojan.
Compromises security settings: Allows for unauthorized access to a computer.

When Backdoor.DSNX is run on a computer for the first time, it does the following:

Copies itself to %System% folder using various filenames.
Some variants use a filename of the form Win????.exe, where the ???? are four random alphanumeric characters.
Some use the name of a valid system .dll file, but with a .exe extension instead of a .dll extension.

NOTE: %System% is a variable. The worm locates the \Windows\System folder (by default, this is C:\Windows\System or C:\Winnt\System32) and copies itself to that location.

Adds the value:

WinDSNX     %System%\Win????.exe

to the registry key:


so that the Trojan runs each time you start Windows.

Creates a copy of the original file that it dropped, and then deletes the
original file without displaying any message. This is
done to conceal the Trojan's actions.

When Backdoor.DSNX runs, it logs onto certain IRC channels to inform
its creator of the compromised system,
allowing him/her to remotely manipulate your computer and
perform actions, such as uploading and running files on it.

Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

Turn off and remove unneeded services. By default, many operating systems install auxiliary services that are not critical, such as an FTP server, telnet, and a Web server. These services are avenues of attack. If they are removed, blended threats have less avenues of attack and you have fewer services to maintain through patch updates.
If a blended threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services (for example, all Windows-based computers should have the current Service Pack installed.). Additionally, please apply any security updates that are mentioned in this writeup, in trusted Security Bulletins, or on vendor Web sites.
Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
Configure your email server to block or remove email that contains file attachments that are commonly used to spread viruses, such as .vbs, .bat, .exe, .pif and .scr files.
Isolate infected computers quickly to prevent further compromising your organization. Perform a forensic analysis and restore the computers using trusted media.
Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.

To remove this Trojan, delete all the files detected as Backdoor.DSNX and remove the changes that it made to the registry.

Removing the Trojan

Run LiveUpdate to make sure that you have the most recent virus definitions.
Start Norton AntiVirus and make sure that it is configured to scan all the files. For instructions, read the document, "How to configure Norton AntiVirus to scan all files."
Run a full system scan.
Delete all the files detected as Backdoor.DSNX.

Editing the registry

CAUTION: We strongly recommend that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the keys specified keys only. Read the document, "How to back up the Windows registry," for instructions.

Click Start, and then click Run. (The Run dialog box appears.)
Type regedit, and then click OK. (The Registry Editor opens.)
Navigate to the following key:


In the right pane, delete the following value:

WinDSNX     %System%\Win????.exe

Click Registry, and then click Exit.

Additional information:

Possible system changes
If the Trojan was run and a hacker executed files on the computer, it may be difficult to determine exactly what was done, even after the Trojan was removed. If you are familiar with your operating system and with using system repair or system checking tools, we suggest that you fully check the system for any of these modifications and reverse them. Otherwise, consider re-installing the Windows.

How the Trojan uses IRC
The Trojan can contain an IRC client of its own that is activated when the Trojan is run. It logs onto a hard-coded IRC channel that the hacker monitors. This means that the hacker can chat with the Backdoor Trojan that is running on the infected computer. The Backdoor Trojan not only provides information about the infected computer, it also listens for commands from the hacker.

For example: If a hacker chats the words "get password," then the Backdoor Trojan recognizes that as a command and reacts by searching the computer for stored passwords. The Trojan will report to the hacker by chatting the results.

For an example of such commands, read the Backdoor.Kaitex writeup.

Revision History:

August 20, 2003: Included reference to Win????.exe filenames.
May 20, 2002: Included the "Additional information" section.


USERS at 6/2 2006 using or hijaaking your connection

| Hop |  | IP Address      | Node Name                                | Location  | Tzone  | ms  | Graph      | Network                                                     |
| 0   |  |  | pc-09                                    | *         |        |     |            | Multiprotocol Service Provider to other ISP's and End users |
| 1   |  |    |                   | ?(Greece) | +02:00 | 287 | ---x-----  | Multiprotocol Service Provider to other ISP's and End Users |
| 2   |  | |                        | ?(Greece) | +02:00 | 274 | ---x-----  | Multiprotocol Service Provider to other ISP's and End Users |
| 3   |  |    | | ?(Greece) | +02:00 | 261 |  --x-----  | Multiprotocol Service Provider to other ISP's and End Users |
| 4   |  |     |                 | ?(Greece) | +02:00 | 261 |  --x-----  | Multiprotocol Service Provider to other ISP's and End Users |
| 5   |  | |   | ?(Greece) | +02:00 | 241 | ---x----   | Multiprotocol Service Provider to other ISP's and End Users |
| 6   |  | |           | ?(Greece) | +02:00 | 241 | ---x----   | Multiprotocol Service Provider to other ISP's and End Users |
| 7   |  |  |                               | ?(Greece) | +02:00 | 254 | ---x------ | Multiprotocol Service Provider to other ISP's and End Users |
Roundtrip time to, average = 254ms, min = 74ms, max = 693ms -- Feb 6, 2006 4:27:24 AM
????? latency -
Overload/?????a se router t?? Tellas ? -
7 168 ms 166 ms 171 ms [212.205. 223.194]
8 173 ms 183 ms 179 ms [] ... - 70k - ?p????e???? Se??da - ?a????e? se??de?


Cookies placed

- Evolution.Simplicity. Relevance.
Multiplatform banner ad management available both as a stand-alone product and
as hosted service solution. Provides detailed tracking and statistics and ... - 12k - ?p????e???? Se??da - ?a????e? se??de?

Online marketing solutions: performance-based
affiliate programs ...
BFAST technology enables advertisers to build, track, manage, ... From recruiting
to compensating publishers, BFAST guides advertisers every step of the way ... -
21k - ?p????e???? Se??da -

Euniverse.Incredifind Removal
Euniverse.Incredifind Removal - This is a hijacker that redirects data All hijackers are scum and need to be removed immediately! ... - 14k - ?p????e???? Se??da - ?a????e? se??de? database: KeenValue
KeenValue is adware operated by ... Included in
software supplied by eUniverse sites, such as, ... - 9k - ?p????e???? Se??da - ?a????e? se??de?

Web Analytics by WebSideStory. WebSideStory is a leading provider of on-demand
Digital Marketing services, including Web Analytics and Web Site Statistics. - 19k - ?p????e???? Se??da - ?a????e? se??de?

HBX Web Analytics By ... - Active Marketing Suite - ...
HBX Analytics - On-Demand Web ... - Log In
?e??ss?te?a ap?te??sata ap? t?

Remove edge.ru4 cookie
XoftSpy can remove edge.ru4 cookie, and thousands of other Data Miner ...
Remove edge.ru4 cookie for Me. removal XoftSpy Detects & Removes this Item ... aspx?remove=edge.ru4%20cookie - 19k - ?p????e???? Se??da - ?a????e? se??de?

Spyware Encyclopedia - Browse, Tracking Cookie, 5/9/2003,, Tracking Cookie,
5/13/2003, Rub, Tracking Cookie, 12/12/2003, Rub ... browse.aspx?let=R&cat=Tracking%20Cookie - 34k - ?p????e???? Se??da - ?a????e? se??de?


Network Associates Inc.
Program Name, Risk Assessment. Cookie-Atwola. Corporate User, :, N/A. Home User,
:, N/A. Program Information. Discovery Date:, 02/23/2005. Origin:, Unknown ... - 33k - ?p????e???? Se??da - ?a????e? se??de?
this is where CNN gets it's ads from.
we can use the hosts file to redirect any requests to to
Unwelcomed cookies
ATWOLA.COM. I have never dealt with the company so why do they ... All day long,
this one unwelcomed cookie comes in, ATWOLA.COM. ... index10/Unwelcomed%20cookies.php - 12k - ?p????e???? Se??da - ?a????e? se??de?

Remove Atwola - Adware & Spyware Removal Instructions
Remove Cookie Atwola,Cookie removal instructions. ... Atwola is a cookie that is
used to track user browsing history. Some compute users reported that their ... - 15k - ?p????e???? Se??da - ?a????e? se??de?

and some tools

and finally
Microsoft Distributed Transaction Coordinator

Coordinates transactions that span multiple resource managers,
such as databases, message queues, and file systems.
If this service is stopped, these transactions
will not occur. If this service is disabled, any
services that explicitly depend on it will fail to start.

and getting zillions of backdoor version s of windows out there doing what?
Like backdoors in ATM taxoffice roundingfigures and controlling databases
with multipla and variable accounts in banks and so onnnnnnnnnnnnnnnn.
wonder why the dont answer on sweety questions????
remote dialers in ATM's??
Ip adress updating open to customers??
7 digit accounts transfers? what?
Wroung accounting in roundings and decimals tax-bank
and local shops
T-junctions all over the places???
Rental schemes for urlaub sector etc??
Having no money for electricity??
ala thats why we dont answer???  nada?

and now? time for othe op systems???

and kickbox out this
rotten behaviours??

and the guy steals as usual now my mails
ala privee with help of

And who wants to invest in above sick mess created? ala himself? da gonzo?

Jan P Kajander

for work...and contracts...