Hack'a'tack
Server name: Hack'a'tack
Version: 1.12
Different versions: NA
Tested: Yes, on Windows 95 and Windows NT
Server size: 606KB
Infects: Windows 95/98/ME
Autoloads: Registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Key: Explorer32

Server Features

  • Client can upload it's IP to an FTP server. When the server is online it will look up the client's IP from the file the client put on the FTP server and will instruct the 
  • client to connect to the server's current IP. 
  • Control input devices (mouse/keyboard) 
  • Control running processes 
  • Hide/show task bar (also in intervals) 
  • Logging of all passwords/decoding of ICQ passwords 
  • Make screen shot (quality can be adjusted) 
  • Open/close cd-rom (also in intervals) 
  • Provide info about computer it's running on  
  • Put monitor in standby mode/get it out of standby mode (also in intervals) 
  • Send messages & chat 
  • Send text to focused windows (also in intervals) 
  • Shutdown/reboot/logoff/poweroff 
  • Upload/downloads/delete/execute files 
  • View keystrokes (realtime & offline) 
  • View/adjust display setting 
  • View/edit clipboard 

  
Comments 
Every two minutes, the server tries to get a file from: http://members.xoom.com/HaTFTP/ip.txt I haven't had the time to figure out the use of this, perhaps this has something to do with the "Transmit IP" feature of the client, or perhaps this is a stealth "feature" built-in by the authors of the trojan. The location is hard coded into the server-executable. (NOTE: the file is no longer there) The client opens a port at 31788 (TCP). This is probably done so the server can contact the client when it's online. (see features) The server is coded in Delphi and uses the IP*Works!library available from http://www.dev-soft.com 

How To Remove 
Quick fix: no quick fix programs
Trojan B' Gone plugin: None yet.
Manual removal:

  1. Remove the Explorer32 key in the registry located at HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run. This can be done with regedit or any other registry editing program.
  2. Reboot the computer or close Expl32.exe.
  3. Delete the trojan file Expl32.exe in the windows directory
 
Related 
Article: General removal info
Section: Test your knowledge, take our Trojan Quiz
Service: Trojan removal
Service: Tell a friend about this trojan
Service: Print this page
 
 
Copyright © 2000 and 2001, Dark Eclipse Software. All rights reserved. 
This page may not be redistributed or reproduced in any manner without specific written permission from Dark Eclipse Software. If permission to use this page is desired then contact Dark Eclipse Software. While we consider the content of this page to be accurate, we cannot guarantee either the accuracy or the appropriateness of any portion of the page, including our analysis and manual removal. 
Any actions taken by a reader in response to this or any other Dark Eclipse Software page are completely and solely their responsibility.