==============================================================================
           ..
.                    ..,..
,,.                 .--,..
,==-.              ,=:=,.
,=;/;=,           ,;/;=,
.-;%XX%:,       .:+$%;-.
,=+XM#@$-     =/$HX%:,
.-;%@##MH-    =%XH$/=.
  .=/X###M@.   ;$@H%:,
  .,=+####M,   /HMX;-.
   .-;###M##,. $@#+=,
   .,=##M.###. HM#;,.     E M E S I S E R A ' S
   .,-##M.####.@##=.
   .-:#M@..###,@##=,.           G U I D E
  .,=/M@H . ###M##;-.
.,=/%@H%  . M####%:,.
.,=;%XH$/   .HM###H+=,             T O
.-;+$HX%;   . HM##@$;-.
,:/%XX$+:      +H#MH+:,.
-:/+/:=,        -/$X%/-.
-==-.             ,://:,.
,,,.               .,==-.
..                   .,,.



########   #######  ######### #### ### #########  #######  #######  #########
###  #### #### #### ####      #######  ###  #### #### ######## ####  ### ####
######### ######### ####      ######   ###  #### #### ######## ####  ###  ###
###  #### #### #### ####      #####    ###  #### #### ######## ####  #######
###  #### #### #### ####      ######        #### #### ######## ####  ### ###
######### #### ####  ######   #### ###   ######   #######  #######  ###   ###
                                             ~~~~~~~~~ T R O J A N S ~~~~~~~~~

==============================================================================

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
COMMON BACKDOOR TROJANS
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

~>>ASYLUM.BACKDOOR<<~

This backdoor degrades your PC's performance, compromises your ISP
account, and gives an attacker unauthorized access to your computer.

-Removal-
. Start up in Safe Mode
. Edit your win.ini and system.ini files
. Remove every reference to wincmp32.exe
. In system.ini, replace "shell=wincmp32.exe" with "shell=explorer.exe"
  (the shell= line in [boot] is what Windows starts as the desktop, so
  it must name explorer.exe rather than simply be deleted)
. Use regedit to search for any reference to wincmp32.exe and delete
  each one
. Reboot your computer

~>>BROWNORIFICE<<~

Allows files on the infected computer to be read remotely and can
perform other malicious activity. It runs inside the web browser as a
Java applet (it is often described as a "JavaScript" trojan) and writes
nothing to disk, so closing the browser or simply restarting your
computer removes it. Treat anything it could reach while it was running
as exposed.

~>>WINCRASH<<~

Performs continuous IP scanning in the background, which hurts the
PC's performance. Allows remote creation, deletion and execution of
files; locking and unlocking the mouse pointer; hiding the taskbar;
setting the volume; disabling Ctrl+Alt+Del; logging all keystrokes;
listing all processes and passwords; and creating, setting and deleting
registry keys.

-Removal-
. Boot to an MS-DOS prompt and change to C:\Windows\System
. Delete the program server.exe
. Reboot into Windows
. Delete the value named MsManager under HKEY_LOCAL_MACHINE\
  Software\Microsoft\Windows\CurrentVersion\Run
. Reboot, then check that key again to make sure the trojan didn't
  reinstall itself.


~>>BACK ORIFICE 2000<<~

The biggest change in Back Orifice 2000 is that it is NT compatible,
unlike the previous version, which could not run under Windows NT.
It has the following abilities:
. Ping and query the server
. Reboot or lock up the system
. List cached and screen saver passwords
. Display system information
. Log keystrokes, view the keystroke log and delete the keystroke log
. Display a message
. Map a port to another IP address, application or HTTP file server
. List ports mapped by Back Orifice 2000
. Send a file through another port
. Share a drive, unshare a drive, list shared drives, list shared
  devices on a LAN, map a shared device, unmap a shared device
. List all connections
. Modify the registry
. Capture a screen shot
. Receive and send files
. Shut down the server, restart the server, load plug-ins, remove plug-ins

-Default Removal-
NOTE: the Back Orifice server could be named anything; the most common
name is UMGR32.

. Open the registry with regedit
. Go to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
  RunServices
. Note the file that the UMGR32 value's data points to, then delete
  the value named UMGR32
. Reboot and delete that file; it cannot be deleted while it is running


~>>SUBSEVEN22<<~

A more high-tech trojan, SubSeven is able to hide and change its
name randomly. If you know the name of the suspicious file, follow
these directions for removal.
HKLM = HKEY_LOCAL_MACHINE; HKCR = HKEY_CLASSES_ROOT
-Removal-
Delete every occurrence of the trojan's name from win.ini and system.ini,
as well as from HKLM\Software\Microsoft\Windows\CurrentVersion\Run and
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices in the
registry. This stops the trojan from being started at boot.

Terminate the trojan's process with a utility that lists running
processes. If you don't have one, restart your computer.

After restarting, delete every copy of the trojan. If a file cannot be
deleted, the trojan is still running, which usually means the first
step was not completed.

Check the HKCR\exefile\shell\open\command and HKCR\.dl registry keys.
Remove any reference to the exe launcher dropped by the trojan. Do not
leave exefile\shell\open\command empty: every .exe on the machine is
started through it, so set its default value back to "%1" %* or no
program will launch.

Delete the values whose names and data look like junk from
HKLM\Hardware\Data, HKLM\Hardware\Enum, or HKLM\Software\Microsoft\
DirectXMedia.
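The four removal procedures above (Asylum's system.ini shell= line, WinCrash's
MsManager Run value, Back Orifice 2000's UMGR32 RunServices value and SubSeven's
exefile launcher hijack) all come down to reading the same handful of autostart
locations and looking for something that does not belong. The script below is
an added example written for this guide, not something the guide or any trojan
author shipped: it checks those locations offline from copies of win.ini and
system.ini and a regedit .reg export. The sample files it carries are
constructed to show all four infections at once, "launcher.exe" is a placeholder
name rather than a real trojan file, and the WATCHLIST of file names is just
the ones this guide mentions.

```python
"""
Offline audit of the autostart locations this guide has you clean by hand.
Added example, not from the original text. Sample data below is constructed;
"launcher.exe" is a placeholder name.
  system.ini  [boot] shell=            Asylum sets this to wincmp32.exe
  win.ini     [windows] load= / run=   legacy autostart lines
  HKLM\...\CurrentVersion\Run          WinCrash adds the value MsManager
  HKLM\...\CurrentVersion\RunServices  Back Orifice 2000 adds the value UMGR32
  HKCR\exefile\shell\open\command      SubSeven-style .exe launcher hijack
"""
import re

WATCHLIST = {"wincmp32.exe", "server.exe", "umgr32.exe"}  # names from this guide
AUTOSTART_KEYS = (
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
)
EXEFILE_KEY = r"hkey_classes_root\exefile\shell\open\command"
CLEAN_EXEFILE = '"%1" %*'  # stock value: run the .exe itself with its arguments


def parse_ini(text):
    """Minimal .ini reader that keeps duplicate keys: {section: [(key, value), ...]}."""
    out, section = {}, ""
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            out.setdefault(section, [])
        elif "=" in line:
            key, value = line.split("=", 1)
            out.setdefault(section, []).append((key.strip().lower(), value.strip()))
    return out


def _unquote(s):
    """Strip the quotes of a .reg string and undo its backslash escapes."""
    return re.sub(r"\\(.)", r"\1", s[1:-1])


def parse_reg(text):
    """Read a regedit export into {key_path_lower: {value_name: data}}; '@' is the default value."""
    out, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            key = m.group(1).lower()
            out.setdefault(key, {})
            continue
        m = re.match(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$', line)
        if m and key is not None:
            name = "@" if m.group(1) == "@" else _unquote(m.group(1))
            data = m.group(2)
            out[key][name] = _unquote(data) if data.startswith('"') else data
    return out


def image_name(cmdline):
    """Lower-cased file name of the program a Run/RunServices value launches."""
    s = cmdline.strip()
    if s.startswith('"'):
        s = s[1:].split('"', 1)[0]  # quoted path, may contain spaces
    else:
        s = s.split()[0] if s else ""
    return s.rsplit("\\", 1)[-1].lower()


def audit(system_ini, win_ini, reg_export):
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    for key, value in parse_ini(system_ini).get("boot", []):
        if key == "shell" and value.lower() != "explorer.exe":
            findings.append("system.ini [boot] shell=%s (expected explorer.exe)" % value)
    for key, value in parse_ini(win_ini).get("windows", []):
        if key in ("load", "run") and value:
            findings.append("win.ini [windows] %s=%s (should be empty)" % (key, value))
    reg = parse_reg(reg_export)
    for key_path in AUTOSTART_KEYS:
        short = key_path.rsplit("\\", 1)[-1]
        for name, data in reg.get(key_path, {}).items():
            if image_name(data) in WATCHLIST:
                findings.append("%s value %s -> %s (on watchlist)" % (short, name, data))
    command = reg.get(EXEFILE_KEY, {}).get("@", CLEAN_EXEFILE)
    if command != CLEAN_EXEFILE:  # every .exe launch passes through this value
        findings.append("exefile\\shell\\open\\command = %s (expected %s); restore it, "
                        "do not delete it" % (command, CLEAN_EXEFILE))
    return findings


# Constructed sample input showing all four infections at once.
SYSTEM_INI = "[boot]\nshell=wincmp32.exe\ndrivers=mmsystem.dll power.drv\n"
WIN_INI = "[windows]\nload=\nrun=\n"
REG_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"MsManager"="C:\\WINDOWS\\SYSTEM\\server.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"UMGR32"="C:\\WINDOWS\\SYSTEM\\UMGR32.EXE"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\SYSTEM\\launcher.exe \"%1\" %*"
"""

if __name__ == "__main__":
    for finding in audit(SYSTEM_INI, WIN_INI, REG_EXPORT):
        print(finding)
```

On a real machine you would export the three keys with regedit (File > Export)
and pass that file together with C:\Windows\win.ini and system.ini; a benign
Run entry such as SystemTray is listed in the export but not flagged, and the
exefile check only passes when the default value is exactly "%1" %*.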


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
KEEPING YOUR COMPUTER SAFE
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

-How do I avoid getting infected by a Trojan?-
Simple: don't download from people you don't trust, especially when a
file arrives in an unexpected email sent just to you. Most of the time
the person trying to get you to run the trojan claims the program does
something awesome, usually something too good to be true. Remember,
trojans are called trojans because they trick you.

-How can I tell if I have been infected by a trojan?-

The first thing you may notice is odd behavior such as the following:
. Random reboots/shutdowns
. Files disappearing
. Files appearing
. Monitor going blank
. Odd messages
. Disconnections from the Internet

Having one of these symptoms doesn't by itself mean you have a backdoor
trojan. Think back over recent events: if you ran a program that
"didn't work" because it appeared to do nothing, that is a classic sign
of a trojan or a password stealer.

