DeepThroat Backdoor Detection

critical Nessus Plugin ID 10053

Synopsis

A backdoor is installed on the remote Windows host.

Description

DeepThroat is installed on the remote host. This backdoor allows anyone to perform actions such as reading files, reading the registry and executing programs. A remote attacker could use this to completely control the system.

Solution

Use regedit or regedt32, and find 'SystemDLL32' in

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

This value's data is the path of the file. If you are infected by DeepThroat 2 or 3, then the registry value is named 'SystemTray'.

After cleaning the infected machine, you should manually find the root cause of the initial infection. Alternatively, you may wish to completely rebuild the system, as the backdoor may have been used to create other backdoors into the system.

See Also

http://web.archive.org/web/20100116213058/http://xforce.iss.net:80/xforce/xfdb/2290

Plugin Details

Severity: Critical

ID: 10053

File Name: deep_throat.nasl

Version: 1.30

Type: remote

Family: Backdoors

Published: 7/8/1999

Updated: 4/11/2022

Configuration: Enable thorough checks

Supported Sensors: Nessus

Risk Information

CVSS v2

Risk Factor: Critical

Base Score: 10

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Vulnerability Information

Required KB Items: Settings/ThoroughTests