WinSATAN Backdoor Detection

high Nessus Plugin ID 10316

Synopsis

A backdoor is installed on the remote Windows host.

Description

WinSATAN is installed. This backdoor allows anyone to partially take control of the remote system. An attacker may use it to steal your password or prevent your system from working properly.

Solution

Use regedit to find the 'RegisterServiceBackUp' value under HKLM\Software\Microsoft\Windows\CurrentVersion\Run. The value's data is the path of the file. If you are infected by WinSATAN, then the registry value is named 'fs-backup.exe'.

Plugin Details

Severity: High

ID: 10316

File Name: winsatan.nasl

Version: 1.24

Type: remote

Family: Backdoors

Published: 1/4/2000

Updated: 5/26/2016

Supported Sensors: Nessus

Risk Information

CVSS v2

Risk Factor: High

Base Score: 7.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P