Institution





Overview

Vendor Notes:

From the doc: 'This 3.5KB (2KB compressed) uploader/downloader is the smallest auto-installing trojan that I know of. You can upload files or download urls. This makes a great backup trojan. Just bind it to your favorite full size trojan and you won't even know it's there until you need it. To create a new server open the client and click the 'E' at the top right corner.'
FWB: From the doc: 'This uploader is the perfect tool to manage a massive amount of computers. It injects its threads into the Windows shell allowing it to run without creating its own process. Also this allows the server to access the internet as a trusted application. What could be more trusted than the Windows shell? The server works with LANs, proxies and routers. The transfer manager is very intuitive. You can upload files to one or all servers. With a few clicks you can run your file on thousands of computers. Completely invisible! Files that end in '.exe' are run, others are saved.'

Alias:

Backdoor.Institon.11, Backdoor.Laphex, BackDoor-AJQ, TrojanDropper.Win32.Small.x

Category:

Downloader: A program designed to retrieve and install additional files, when run. Most will be configured to retrieve from a designated web or FTP site.

Variants:

  • Institution 1.1
  • Institution FWB 1.1
  • Institution FWB 1.2
    Similar Pests:

    Downloader

    Origins

    Author:

    Aphex

    Group:

    EES

    By This Group:

    Aphex Command Line Tools

    EMail:

    unremote@knology.net

    Date of Origin:

    Variants from August, 2002 to May, 2003

    Operation

    Default Port:

    5152 TCP

    Storage Required:

  • Institution 1.1: at least 213 KB
  • Institution FWB 1.1: at least 385 KB
  • Institution FWB 1.2: at least 873 KB
    Restart:

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run "Institution.exe"
    Institution FWB 1.1: HKLM\Software\Microsoft\Windows\CurrentVersion\Run "server"

    ScreenShot:

    Institution 1.0; Institution 1.1; Institution FWB 1.1 (two screenshots); Institution FWB 1.2 (two screenshots)


    Detection and Removal

    Automatic Removal:

    PestPatrol detects this.

    PestPatrol removes this.



    Manual Removal:

    Follow these steps to remove Institution from your machine. Begin by backing up your registry and your system, and/or setting a Restore Point, to prevent trouble if you make a mistake.
    Stop Running Processes:

    Kill these running processes with Task Manager:

    Remove Files:

    Remove these files (if present) with Windows Explorer:

    Research

    File Analyses:

    Research By:

    PestPatrol's Pest Research Center

    Last Revised:

    June 27, 2004