Shadow Phrye (2.12.42)
Server name: Shadow Phrye
Version: 2.12.42
Different versions: NA
Tested: Yes, on Windows 95 and Windows NT
Server size: 199K
Server files: trance.exe
Server icon:

Infects: Windows 95/98/ME
Autoloads: Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Key: WinZipp and HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices Key: INET Wizard
Default port: Random TCP
Can port be changed: No

Server Features

  • Delete file
  • Disable/enable short cuts
  • Get system information
  • Hide/show task bar
  • Logout, reboot or shutdown
  • Open/Close CD-Rom
  • Port redirect
  • Print
  • Run file
  • Send keys
  • Send message
  • Send to URL
  • Show picture of a dragon with "Big brother is watching you"

 
Comments 
Shadow Phrye is an older trojan. When Shadow Phrye is started, it chooses a random TCP port to listen for connections. Then the server goes online to #shadowphrye on IRC and broadcasts your IP and what port it has chosen to listen on. Even though the readme file for Shadow Phyre says it is impossible to manually remove, it is not. As of November 2000 we checked the #shadowphyre channel and it exists. However there were no servers broadcasting their IP and port to this IRC channel. 

How To Remove 
Quick fix: no quick fix programs
Manual removal:

  1. Remove the WinZipp key in the registry located at HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run and the INET Wizard key in the registry located at HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices. Which can be done with regedit or any other registry editing program.
  2. Reboot the computer or close whichever of the following is running: trance.exe, WinZipp.exe or inet.exe.
  3. Delete the trojan files inet.exe and WinZipp.exe  both in the windows system directory. 

 
Related 
Article: General removal info
Section: Test your knowledge, take our Trojan Quiz
Service: Trojan removal
Service: Tell a friend about this trojan
Service: Print this page
 
 
Copyright © 2000 and 2001, Dark Eclipse Software. All rights reserved. 
This page may not be redistributed or reproduced in any manner without specific written permission from Dark Eclipse Software. If permission to use this page is desired then contact Dark Eclipse Software. While we consider the content of this page to be accurate, we cannot guarantee either the accuracy or the appropriateness of any portion of the page, including our analysis and manual removal. 
Any actions taken by a reader in response to this or any other Dark Eclipse Software page are completely and solely their responsibility.