CAFEiNi (1.1)
Server name: CAFEiNi
Version: 1.1
Different versions:  [0.8][0.9][1.0][1.1]
Tested: Yes, on Windows 95 and Windows NT
Server size: 162K
Server files: cafeini.exe
Server icon:

Infects: Windows 95/98/ME/NT/2000
Autoloads: Yes
Default port: 51966 TCP
Can port be changed: Yes

Server Features

  • Allow/disallow access to Appearance page in Display properties
  • Allow/disallow access to Background page in Display properties
  • Allow/disallow access to Config page in system properties
  • Allow/disallow access to Device manager page in system properties
  • Allow/disallow access to Display properties
  • Allow/disallow access to DOS prompt
  • Allow/disallow access to Find item on start menu
  • Allow/disallow access to Network properties
  • Allow/disallow access to Password properties in control panel
  • Allow/disallow access to Regedit.exe
  • Allow/disallow access to Run item on start menu
  • Allow/disallow access to Screen saver page in Display properties
  • Allow/disallow access to Settings item on start menu
  • Allow/disallow access to Settings page in Display properties
  • Beep
  • Block applications
  • Change Netscape's and IE's start-up page
  • Change owner, group or serial number
  • Change recycle bin name
  • Change resolution
  • Chat with server
  • Clip/unclip cursor
  • Connect to multiple servers
  • Control cursor
  • Control keyboard
  • Cursor freeze/unfreeze
  • Cursor makes circles
  • File manager
  • Freeze computer
  • FTP server
  • Get info
  • Get screen shot
  • Hang up modem connection
  • Hide/show start button
  • Hide/show task bar
  • Internet Explorer parental lock (Windows NT only)
  • Invert screen
  • Kill 20 different anti-virus programs
  • Kill anti-trojan programs
  • Kill windows with MICROSOFT in the title
  • Key logger
  • Log off or shutdown windows
  • Loop beeping, cursor painting line and cursor quaking
  • Loop blurring, zooming, color pixels, darkening, black and white, flying balls, moving x or y, rolling x or y of the screen
  • Mess, hide and show, quake and shrink active window
  • Open/close CD-ROM (Able to loop)
  • Open mail program with specific subject and message
  • Monitor on/off (Able to loop)
  • Power saver on/off
  • Read/write clipboard
  • Redirect port
  • Registry editor
  • Reverse X or Y on the screen
  • Run file
  • Screen saver on/off
  • Send error message
  • Send mail with server
  • Send text to active window
  • Send to URL
  • Set cursor position
  • Set time and date
  • Set volume
  • Set wallpaper
  • Show "The matrix has you..."
  • Swap mouse buttons
  • Task manager on/off
  • Uninstall server
  • Use all of memory
  • View/kill processes
  • View, close, hide, show, minimize, maximize, invert colors, always on top, focus, change size, change position, change title bar of any running window

 
Comments 
CAFEiNi 1.1 adds even more features than the previous version. The new features are mainly access features. These new features can be combined with previous features to do things such as changing the computer's wallpaper and then denying access to the Background page in the Display properties window. On the bright side, this version has an uninstall feature, which makes removal easier if the server is not password protected. CAFEiNi 1.1 infects by picking a random auto-loading program and taking its place. The server renames the original auto-loading file with a random or pre-chosen, possibly Polish, name. The server then renames itself to the original file name and from then on takes the place of the original program. CAFEiNi 1.1 fixes a bug that occurred when the program it replaced during infection was rundll32.exe.

How To Remove 
Quick fix: Telnet to the server and type "uninstall".
Manual removal: 

  • Find all the files auto-loading with Windows. To do this, read the values of every key in the registry located at HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ under Run, RunOnce, RunServices and RunServicesOnce, and also the values of every key located at HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ under Run, RunOnce, RunServices and RunServicesOnce.
  • Go to the directory of every auto-loading program found in the previous step. If the auto-loading program is about 162 kilobytes, proceed to the next step.
  • If this file has the server icon (shown above under "Server icon"), proceed to the next step. If the icon does not match, you can either go back to the previous step or proceed to the next step (icons can be changed by other people).
  • Search for any files in the same directory with names like bygotit.exe, hemany.exe, mutihaka.exe, pazymi.exe or wilokyl.exe. If you find any such files, proceed to the next step. If not, go all the way back to the second step.
  • Close the file that is currently auto-loading. If you cannot close it, boot into DOS. Delete the file that is currently auto-loading (this is CAFEiNi) and rename the original file (the strangely renamed one) back to its original name. Example from our test: RUNDLL32.EXE was loading with Windows and was actually CAFEiNi. We closed RUNDLL32.EXE. Then we found pazymi.exe, which was the real RUNDLL32.EXE. So we deleted the fake RUNDLL32.EXE and renamed pazymi.exe back to RUNDLL32.EXE.
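The registry walk and file checks from the manual removal steps (steps 1, 2 and 4), written up as a small script; this is an added example, not a Dark Eclipse tool. It runs against a constructed sample modelled on the RUNDLL32.EXE case above; the 4K size tolerance is an assumed value, and the icon check of step 3 is left to the reader.

```python
import ntpath
# Autostart keys the removal steps tell you to read (as listed on the page).
AUTOLOAD_KEYS = [rf"{hive}\Software\Microsoft\Windows\CurrentVersion\{sub}"
                 for hive in ("HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER")
                 for sub in ("Run", "RunOnce", "RunServices", "RunServicesOnce")]
SERVER_SIZE = 162 * 1024   # page gives the server size as 162K
SIZE_SLACK = 4 * 1024      # tolerance for "about 162 Kilobytes" (assumed value)
# Names the page says the displaced original program may be renamed to.
DECOY_NAMES = {"bygotit.exe", "hemany.exe", "mutihaka.exe", "pazymi.exe", "wilokyl.exe"}

def exe_path(command):
    """Pull the executable path out of an autorun value like "C:\\a b.exe" /flag."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    return command.split(" ", 1)[0]

def check_entry(command, file_size, list_dir):
    """Page's size and decoy-name checks for one autoload command (steps 2 and 4).
    file_size/list_dir are injected so this runs on constructed data or the real disk."""
    path = exe_path(command)
    size = file_size(path)
    if size is None:            # nothing on disk to inspect
        return []
    found = []
    if abs(size - SERVER_SIZE) <= SIZE_SLACK:
        found.append("size ~162K")
    siblings = {n.lower() for n in list_dir(ntpath.dirname(path))}
    decoys = sorted(siblings & DECOY_NAMES)
    if decoys:
        found.append("decoy file(s): " + ", ".join(decoys))
    return found

def scan(entries, file_size, list_dir):
    """entries: {registry key: [(value name, command), ...]} -> entries hitting both checks."""
    hits = []
    for key, values in entries.items():
        for name, command in values:
            found = check_entry(command, file_size, list_dir)
            if len(found) == 2:
                hits.append((key, name, exe_path(command), found))
    return hits

# Constructed sample mirroring the page's own case: RUNDLL32.EXE replaced, pazymi.exe left beside it.
SAMPLE_ENTRIES = {AUTOLOAD_KEYS[0]: [("rundll32", r"C:\WINDOWS\RUNDLL32.EXE"),
                                     ("Tray", r'"C:\Program Files\Sound\tray.exe" /quiet')]}
SAMPLE_SIZES = {r"C:\WINDOWS\RUNDLL32.EXE": 165_888, r"C:\Program Files\Sound\tray.exe": 40_960}
SAMPLE_DIRS = {r"C:\WINDOWS": ["RUNDLL32.EXE", "pazymi.exe", "win.ini"], r"C:\Program Files\Sound": ["tray.exe"]}

def scan_sample():
    return scan(SAMPLE_ENTRIES, SAMPLE_SIZES.get, lambda d: SAMPLE_DIRS.get(d, []))
```

On a Windows host the same `scan` can be fed values read from the listed keys with `winreg`, with `os.path.getsize` and `os.listdir` as the two callbacks.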

Copyright © 2000 and 2001, Dark Eclipse Software. All rights reserved. 
This page may not be redistributed or reproduced in any manner without specific written permission from Dark Eclipse Software. If permission to use this page is desired then contact Dark Eclipse Software. While we consider the content of this page to be accurate, we cannot guarantee either the accuracy or the appropriateness of any portion of the page, including our analysis and manual removal. 
Any actions taken by a reader in response to this or any other Dark Eclipse Software page are completely and solely their responsibility.