CAFEiNi (1.0)
Server name: CAFEiNi
Version: 1.0
Different versions: 0.8, 0.9, 1.0, 1.1
Tested: Yes, on Windows 95 and Windows NT
Server size: 150K
Server files: cafeini.exe
Server icon:

Infects: Windows 95/98/ME/NT/2000
Autoloads: Yes
Default port: 51966 TCP
Can port be changed: Yes

Server Features

  • Beep
  • Block applications
  • Change owner, group or serial number
  • Change resolution
  • Clip/unclip cursor
  • Connect to multiple servers
  • Control cursor
  • Control keyboard
  • Cursor freeze/unfreeze
  • Cursor makes circles
  • File manager
  • Freeze computer
  • FTP server
  • Get info
  • Get screen shot
  • Hide/show start button
  • Hide/show task bar
  • Invert screen
  • Kill 20 different anti-virus programs
  • Kill anti-trojan programs
  • Kill windows with MICROSOFT in title
  • Key logger
  • Log off or shutdown windows
  • Loop beeping, cursor painting line and cursor quaking
  • Loop blurring, zooming, color pixels, darkening, black and white, flying balls, moving x or y, rolling x or y of the screen
  • Mess, hide and show, quake and shrink active window
  • Open/close CD-ROM (able to loop)
  • Open mail program with specific subject and message
  • Monitor on/off (able to loop)
  • Power saver on/off
  • Read/write clipboard
  • Redirect port
  • Registry editor
  • Reverse X or Y on the screen
  • Run file
  • Screen saver on/off
  • Send error message
  • Send mail with server
  • Send text to active window
  • Send to URL
  • Set cursor position
  • Set time and date
  • Set volume
  • Set wallpaper
  • Show "The matrix has you..."
  • Swap mouse buttons
  • Task manager on/off
  • Uninstall server
  • Use all of memory
  • View/kill processes
  • View, close, hide, show, minimize, maximize, invert colors, always on top, focus, change size, change position, change title bar of any running windows

 
Comments 
CAFEiNi 1.0 has more features than the previous version, but it crashed when we ran it. It comes with a configuration program, but that does not seem to work either. The server can display a fake error message when run (the default is "Zip file is damaged, truncated, or has been changed since it was created."). One of the anti-trojan programs this trojan removes is Trojan B' Gone; CAFEiNi is the first trojan to do this. Once on a computer, the server looks at which programs are already auto-loaded from the registry with Windows and randomly selects one, which it then renames using a random or pre-chosen, possibly Polish, name. The server then renames itself to the file name of the program it selected, so from that point on it loads in place of that program. Also note that the server port can be set to a random value every time it starts.

How To Remove 
Quick fix: no quick fix programs
Manual removal:

  • Find all the files that auto-load with Windows. To do this, read the values of every key in the registry under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ named Run, RunOnce, RunServices and RunServicesOnce, and likewise the values of every key under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ named Run, RunOnce, RunServices and RunServicesOnce.
  • Go to the directory of every auto-loading program found in the previous step. If the auto-loading program is about 150 kilobytes, proceed to the next step.
  • If this file has this icon:  then proceed to the next step. If the icon does not match, you can either go back to the previous step or proceed to the next step anyway (icons can be changed by other people).
  • Search for any files in the same directory with names like bygotit.exe, hemany.exe, mutihaka.exe, pazymi.exe or wilokyl.exe. If you find any such files, proceed to the next step. If not, go all the way back to the second step.
  • Close the file that is currently auto-loading. If you cannot close it, boot into DOS. Delete the file that is currently auto-loading (this would be CAFEiNi) and rename the original file (the strangely renamed one) back to its original name. Example from our own case: RUNDLL32.EXE was loading with Windows and was actually CAFEiNi. We closed RUNDLL32.EXE. Then we found pazymi.exe, which was the real RUNDLL32.EXE. So we deleted the fake RUNDLL32.EXE and renamed pazymi.exe back to RUNDLL32.EXE.
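The first four removal steps above (enumerate the eight Run* keys, check each auto-loading program's size, look for the decoy names beside it) are mechanical enough to script. The following is an added triage script, not code from the original Dark Eclipse Software page. It assumes the Run* keys have been exported with regedit into a REGEDIT4-format text file and parses that text instead of reading the live registry, so it runs on any platform; the 15K tolerance on "about 150 Kilobytes", the sample file sizes and the fixture registry export are constructed assumptions. It only reports candidates: deleting the fake and renaming the displaced original (step 5) is left to the operator after confirming the finding.

```python
import os
import re
import tempfile

# The eight autoload keys named in step 1 (compared case-insensitively).
AUTOLOAD_KEYS = {
    f"{hive}\\Software\\Microsoft\\Windows\\CurrentVersion\\{sub}".lower()
    for hive in ("HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER")
    for sub in ("Run", "RunOnce", "RunServices", "RunServicesOnce")
}
# Names the page lists for the displaced original program (step 4).
DECOY_NAMES = {"bygotit.exe", "hemany.exe", "mutihaka.exe", "pazymi.exe", "wilokyl.exe"}
EXPECTED_SIZE = 150 * 1024   # "about 150 Kilobytes" (step 2)
SIZE_TOLERANCE = 15 * 1024   # assumption: how loosely to read "about"


def parse_reg_export(text):
    """Return (key, value_name, command) for string values under the autoload keys.

    Handles the REGEDIT4 text format: [key] headers, "name"="data" lines, @ for
    the default value, and backslash escaping inside string data. Keys are
    returned lower-cased.
    """
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            continue
        if current not in AUTOLOAD_KEYS or "=" not in line:
            continue
        name, _, data = line.partition("=")
        if not (data.startswith('"') and data.endswith('"')):
            continue                                      # dword/hex data is not a command line
        command = re.sub(r"\\(.)", r"\1", data[1:-1])     # un-escape \\ and \"
        entries.append((current, name.strip('"'), command))
    return entries


def command_to_path(command):
    """Extract the executable path from a Run-value command line, or None if empty."""
    command = command.strip()
    if not command:
        return None
    if command.startswith('"'):                           # "C:\Program Files\x.exe" /arg
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    tokens = command.split()                              # unquoted path, possibly with spaces
    for i in range(len(tokens), 0, -1):
        candidate = " ".join(tokens[:i])
        if os.path.isfile(candidate):
            return candidate
    return tokens[0]


def triage_entry(key, name, path):
    """Apply steps 2 and 4 to one autoload entry: size check plus decoy-name search."""
    result = {"key": key, "value": name, "path": path, "exists": os.path.isfile(path)}
    if not result["exists"]:
        return result
    size = os.path.getsize(path)
    directory = os.path.dirname(path) or "."
    decoys = sorted(n for n in os.listdir(directory) if n.lower() in DECOY_NAMES)
    result.update(size=size, decoys=decoys,
                  size_match=abs(size - EXPECTED_SIZE) <= SIZE_TOLERANCE)
    result["suspicious"] = result["size_match"] and bool(decoys)
    return result


def triage_export(text):
    """Run the triage over every autoload entry found in a registry export."""
    results = []
    for key, name, command in parse_reg_export(text):
        path = command_to_path(command)
        if path:
            results.append(triage_entry(key, name, path))
    return results


def build_sample_export(root):
    """Constructed fixture: a 150K RUNDLL32.EXE with pazymi.exe beside it (the case
    from the page's own example) plus a small, benign tray program with arguments."""
    windir = os.path.join(root, "WINDOWS")
    tray = os.path.join(root, "Program Files", "Tray")
    os.makedirs(windir)
    os.makedirs(tray)
    for filename, size in ((os.path.join(windir, "RUNDLL32.EXE"), EXPECTED_SIZE),
                           (os.path.join(windir, "pazymi.exe"), 20000),
                           (os.path.join(tray, "systray.exe"), 30000)):
        with open(filename, "wb") as f:
            f.write(b"\0" * size)
    esc = lambda p: p.replace("\\", "\\\\").replace('"', '\\"')   # REGEDIT4 string escaping
    return "\n".join([
        "REGEDIT4", "",
        "[HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run]",
        '"Rundll"="%s"' % esc(os.path.join(windir, "RUNDLL32.EXE")),
        '"SystemTray"="%s /quiet"' % esc('"%s"' % os.path.join(tray, "systray.exe")),
        "", "[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce]",
        '@=""', "",
    ])


def demo():
    """Build the fixture in a temporary directory and return the triage results."""
    with tempfile.TemporaryDirectory() as root:
        return triage_export(build_sample_export(root))


if __name__ == "__main__":
    for r in demo():
        flag = "SUSPICIOUS" if r.get("suspicious") else "ok"
        print(f"{flag:10} {r['value']:<12} {r['path']} decoys={r.get('decoys', [])}")
```

On a real machine, replace `demo()` with `triage_export(open("run.reg").read())` after exporting each of the eight keys with regedit. The size check alone is weak (step 3's icon check is not automated here, and the page itself notes icons can be changed), so an entry is only marked suspicious when both the size and a decoy-named sibling match; the decoy list is the one given in step 4 and would need extending for other renames.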

 
 
 
Copyright © 2000 and 2001, Dark Eclipse Software. All rights reserved. 
This page may not be redistributed or reproduced in any manner without specific written permission from Dark Eclipse Software. If permission to use this page is desired then contact Dark Eclipse Software. While we consider the content of this page to be accurate, we cannot guarantee either the accuracy or the appropriateness of any portion of the page, including our analysis and manual removal. 
Any actions taken by a reader in response to this or any other Dark Eclipse Software page are completely and solely their responsibility.