'; echo 'Hillstone Networks'; } elseif ($_SERVER[HTTP_HOST] == "www.huaantech.com.cn") { echo ''; echo 'huaantech'; } elseif ($_SERVER[HTTP_HOST] == "www.dcnetworks.com.cn") { echo ''; echo 'dcnetworks'; } elseif ($_SERVER[HTTP_HOST] == "www.w-ibeda.com") { if (false===strpos($_SERVER[REQUEST_URI],"/en/")) echo ''; else echo ''; echo 'w-ibeda'; } elseif ($_SERVER[HTTP_HOST] == "www.hp-telecom.com") { echo ''; echo 'hp-telecom'; } else{ echo ''; echo 'Hillstone Networks'; } ?>
 
   
 

TCP Attack (Attack ID:700370)

Release Date:2009-09-27

Attack Name:Vampire 1.2 connection confirmation

OS Type:Window

Application Type

Severity:Critical

BUG ID

CVE ID

 

Description

CrazzyNet uses port 17499. CrazzyNet has a number of functions. Each function is associated with an attack signal string that is sent to the victim. Be suspicious of the following strings: Format: Function Name - String To Look For Add Line To File - addlin Overwrite File With Added Line - ovwlin Add Icon To Desktop - addico Beep Sound - sndbep Change Windows Control Text - chgawc Change Resolution - chgres Chat - chatwy Get Clipboard Text - clpget Crazy Mouse On - crazym;1 Crazy Mouse Off - crazym;0 Delete File/Directory - delete Remove Windows Functions - remwma;0 Download File - getfil Disable Ctl-Alt-Del - discad;0 Enable Ctl-Alt-Del - discad;1 Disable Windows Startup - wndsas;0 Enable Windows Startup - wndsas;1 Find Files - findfi Format - format Get Colors - getcol Get Computer Name - getcon Set Computer Name - setcon Get Date - gettad Set Date - settad Get Internet Explorer Start Page - geties Set Internet Explorer Start Page - chgies Get Mouse Position - getpos Set Mouse Position - setmse Get Clients Connected - geticc Get Computer Information - getinf Hide Picture - hidpic List Installed Programs - asplst Keylogger - keylog;1 Kill Mouse - kilmse List Files And Directories - nextdr List ICQ - icqlst List Of Apps - lstapp Make Directory - makdir Monitor On - onmoni Monitor Off - ofmoni Get Mouse Double Click Time - getdcl Set Mouse Double Click Time - setdcl Open CD - opencd Close CD - closcd Ping - *ICMP Packet* Echo this string of data Play Sound - playsd Print Text - printt Refresh File Listing - refdir Run File - runfil Screen Dump - screen Get Screensaver - getfon Set Screensaver - setscr Enable Scrolling Text - scroll Disable Scrolling Text - sscrol Send To URL - senurl Send Key - runkey Send Message - msgbox Set Clipboard Text - clpset Set Desktop Image - chgdes Show Clock - sclock;1 Hide Clock - sclock;0 Show Desktop Icons - deskic;1 Hide Desktop Icons - deskic;0 Show Start Bar - startb;1 Hide Start Bar - startb;0 Show Task Bar - sotask Hide Task Bar - hitask Show Task Bar Icons - staskb;1 Hide Task Bar Icons - staskb;0 Show Picture - shopic Start CD loop - cdloop;1 Stop CD loop - cdloop;0 Steal Passwords - geticp Swap Mouse Buttons On - swpmse;1 Swap Mouse Buttons Off - swpmse;0 Terminate Application - terapp Get Text Box Cursor Blink Rate - getret Set Text Box Cursor Blink Rate - setret Upload File - uplfil Change Volume - volume Warp On - warpon Warp Off - warpof List Windows - wndlst - Affected Systems: Windows 95/98/ME/NT/2000

Impact:
If connected, the attacker could remotetly execute a multitude of functions resulting in a full compromise of the victim's machine.

Additional References:
http://www.pestpatrol.com/PestInfo/C/CrazzyNet.asp

 

Solution

CrazzyNet copies itself to C:\WINDOWS\Registry32.exe Delete the registry key Reg32=Registry32.exe found in HKCUU\Software\Microsoft\Windows\CurrentVersion\Run Delete Registry32.exe from Win.ini and System.ini If found, delete Registry32.exe and server.exe Make sure to keep your virus definitions updated on your anti-virus software.