Acid Kor

· Overview ·
· Origins ·
· Operation ·
· Risks ·
· Detection and Removal ·
· Research ·

Overview
Vendor Notes:	From the doc: 'Why his name is Acid koR? Well, because i learned a lot from the Acid Shivers Source code and with it, i wrote my own, better (you can say it so: several new functions added, like transfer files, msgboxes, replayable msgboxes etc.) than Acid Shivers. And it won't be caught nor from any AV, nor from any Anti-Trojan (like The Cleaner).' from the doc: ' Well, here it is at last, Acid koR Why his name is Acid koR? Well, because i learned a lot from the Acid Shivers Source code and with it, i wrote my own, better (you can say it so: several new functions added, like transfer files, msgboxes, replayable msgboxes etc.) than Acid Shivers. And it won't be caught nor from any AV, nor from any Anti-Trojan (like The Cleaner). Sorry guys, i didnt make it, to let it run on a negativ port. The port is 20002. To be used with TelNet. When you want transfer files, youll need the File GUI included in the package! Im too lazy to write help here, so open AcidkoR, connect with loopback to it, and write "HELP" if you want to know anything and you have a victim. Use AsPack to compress the AcidkoR server. It isnt good code :( Well, im modifiing it, and i work hardly on a ICQ Notifification (dont included in the AcidkoR). Bye, koR 4.4.2k Since i did not resolve the problems with how to rename the files, i decided that when you send a file to the victim, it will be saved in \windows\file64.exe I decided .exe, because normally you dont send other files (think so) The server size is now ~75 kb. I used the new AsPack to reduce it. Added a new function, to copy: msvbvm60.dll mswinsck.ocx comctl32.ocx comdlg32.ocx automatticaly in the win\system dir. (the runtimes the prog needs) Ideal for a .zip file The program is still a little buggy, send any info to: koR@gmx.at Commans: DIR - List Contents of Current Directory LS - List Contents of Current Directory CD - Change To Specified Directory/Drive CLS - Clear Screen KILL - Kill Process by PID (Shown in PS) PS - Shows Running Processes DEL - Deletes Specified Files PORT <#> - Change Port Acid koR Listens on (Until Next Reboot) DESK - Change to default Windows Desktop folder RECENT - Change to Windows Recent folder WSFTP - Change to default WS_FTP folder VERSION - Show Version Number of Acid koR DRIVES - Show physical, RAM, CD-ROM, and Network drives BOUNCE - Relay connection to host on port, Control + C to abort. S - Sendkeys to active window MACADDR - Show ethernet stats and physical address NAME - Rename the users computer ENV - Shows DOS Environment variables BEEP <#> - Beeps the specified number of times CDROM - Type 'CDROM' for more information DIE - Terminate Acid koR LABEL - Rename a specified disk drive SHUTDOWN - Type 'Shutdown' for more information DRIVE - Retrives information on specified drive KS - Disconnect a session by socket index show in 'STATUS' TIME - Shows users current system time DATE - Shows users current system date INFO - Shows some general system information about host and user STATUS - Show the state of all sockets used since last reboot CAT - Retrieve specified file GET - Retrieve specified file BCAT - Retrieve specified file in hex form BGET - Retrieve specified file in hex form CMD - Run the specified shell command SH - Run the specified command and display results (may lock up). MKDIR - Make a new directory RMDIR - Remove a directory and all files and subdirectories inside. CP - copy file1 to file2 COPY - copy file1 to file2 HIDE - Hide a task from control + alt + delete. SHOW - Show a task from control + alt + delete. RMSG - inputbox (you will receive the reply) MSG - Message Box Send a file through the File GUI - SEND c:\path\of\file.exe Listens for the File GUI - LISTEN RECV - You cannot receive through telnet. go into the file GUI
Alias:	Backdoor.AcidShiver.kor
Category:	RAT: A Remote Administration Tool, or RAT, is a Trojan that when run, provides an attacker with the capability of remotely controlling a machine via a ""client"" in the attacker's machine, and a ""server"" in the victim's machine. Examples include Back Orifice, NetBus, SubSeven, and Hack'a'tack. What happens when a server is installed in a victim's machine depends on the capabilities of the trojan, the interests of the attacker, and whether or not control of the server is ever gained by another attacker -- who might have entirely different interests. Infections by remote administration Trojans on Windows machines are becoming as frequent as viruses. One common vector is through File and Print Sharing, when home users inadvertently open up their system to the rest of the world. If an attacker has access to the hard-drive, he/she can place the trojan in the startup folder. This will run the trojan the next time the user logs in. Another common vector is when the attacker simply e-mails the trojan to the user along with a social engineering hack that convinces the user to run it against their better judgment.
Similar Pests:	RAT
Origins
Author:	KoR
Programming Language:	Visual Basic
Date of Origin:	October, 2000
Operation
Default Port:	20002 TCP More info about ports.
Storage Required:	Acid Kor: at least 5 KB
ScreenShot:

Acid Kor

Risks
Detection Issues:	Difficult to detect by design. May hide from process list. May install with variable names in variable locations.
Detection and Removal
Automatic Removal:	PestPatrol detects this. PestPatrol removes this.
Manual Removal:	Follow these steps to remove Acid Kor from your machine. Begin by backing up your registry and your system, and/or setting a Restore Point, to prevent trouble if you make a mistake.
	Stop Running Processes: Kill these running processes with Task Manager: systemroot+\msgsvr64.exe
	Remove Files: Remove these files (if present) with Windows Explorer: readme.txt systemroot+\msgsvr64.exe
Research
File Analyses:	Acid Kor: readme.txt
More Info:	AllTheWeb, AltaVista, AOL Search, Ask Jeeves, Google, HotBot, Lycos, LookSmart, MSN, Yahoo!
Research By:	PestPatrol's Pest Research Center
Last Revised:	January 24, 2005