Hacker's Paradise backdoor for Windows 95/98 and Windows NT (HackersParadise_Response)

About this signature or vulnerability

RealSecure Network, RealSecure Desktop Protector, BlackICE Agent for Server, RealSecure Server Sensor, RealSecure Sentry, RealSecure Guard, BlackICE PC Protection, BlackICE Server Protection, Proventia Server IPS for Microsoft Windows technology, Proventia Server IPS for Linux technology, RealSecure Desktop Protector 3.6, Proventia Network IPS, Proventia Desktop, Proventia-G 1.1 and earlier, Proventia Network IDS, Proventia Network MFS:

This signature detects a response on port 456/TCP from a "Hacker's Paradise" backdoor running on the network.

This signature replaces HackersParadise.


Default risk level

High

Sensors that have this signature

RealSecure Network: 7.0, RealSecure Desktop Protector: 3.6, BlackICE Agent for Server: 3.6, RealSecure Server Sensor: 7.0, RealSecure Sentry: 3.6, RealSecure Guard: 3.6, BlackICE PC Protection: 3.6.cbd, BlackICE Server Protection: 3.6.cbd, Proventia Server IPS for Microsoft Windows technology: 1.0.914.0, Proventia Server IPS for Linux technology: 1.0, RealSecure Desktop Protector 3.6: baseline, Proventia Network IPS: 2.0, Proventia Desktop: 8.0.614.1, Proventia-G 1.1 and earlier: G Series, Proventia Network IDS: A Series, Proventia Network MFS: 1.0, RealSecure Desktop: baseline

Systems affected

Microsoft Windows 95, Microsoft Windows NT: 4.0, Microsoft Windows 98, Microsoft Windows 2000, Microsoft Windows XP, Microsoft Windows 2003 Server

Type

Unauthorized Access Attempt

Vulnerability description

The Hacker's Paradise backdoor is one of many backdoor programs that attackers can use to access your computer system without your knowledge or consent. With the Hacker's Paradise backdoor, an attacker can do the following:

How to remove this vulnerability

To remove the Hacker's Paradise backdoor from your computer:

  1. Stop the Hacker's Paradise program (Antihack.exe) from running. Open the task list by following the steps below for your platform:
    • In Windows 95/98, press Ctrl+Alt+Del to display the Close Programs dialog box.
    • In Windows NT, press Ctrl+Alt+Del, then click the Task Manager button to start the NT Task Manager.
  2. Select Antihack.exe, and then click End Task. If Antihack.exe does not appear in the list, the backdoor is using a different file name and could be very difficult to locate. Refer to the steps below for using an antivirus program to remove the backdoor.
  3. Find and delete the file Antihack.exe.

To use an antivirus program to remove the Hacker's Paradise backdoor:

  1. If you do not have an antivirus program installed, download and install one of these virus scanners:
    • Norton AntiVirus: http://www.symantec.com/nav/indexA.html
    • McAfee VirusScan: http://software.mcafee.com/centers/download/
    • Trend Micro PC-Cillin: http://www.antivirus.com/pc-cillin/products/
  2. Run the antivirus program to scan your system for this backdoor. The virus scanner should find and remove the Hacker's Paradise backdoor from your computer.
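
The removal steps above note that the backdoor may run under a file name other than Antihack.exe. As an added example (not part of the original advisory or of any ISS product), the following Python code parses saved `netstat -an` or `netstat -ano` output and reports TCP sockets bound to local port 456, the port named in the signature description, so the owning process can be identified whatever its file name. The sample output, function names, and addresses are constructed for illustration.

```python
import re

BACKDOOR_PORT = 456  # TCP port named in the signature description

# Constructed sample of `netstat -ano` output (not captured from a real host).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:456            0.0.0.0:0              LISTENING       2312
  TCP    192.168.1.20:4560      10.0.0.5:80            ESTABLISHED     1500
  TCP    192.168.1.20:456       203.0.113.9:51515      ESTABLISHED     2312
  TCP    192.168.1.20:1045      10.0.0.7:456           ESTABLISHED     1720
  TCP    [::]:456               [::]:0                 LISTENING       2312
  UDP    0.0.0.0:456            *:*                                    940
"""

# TCP rows only; the PID column is optional because older netstat builds
# (plain `netstat -an`) do not print it.
ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+)\s+(\w+)(?:\s+(\d+))?\s*$")


def find_port_sockets(netstat_text, port=BACKDOOR_PORT):
    """Return TCP sockets whose LOCAL port equals `port`."""
    hits = []
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header, blank line, or UDP row
        local_addr, local_port, remote, state, pid = m.groups()
        if int(local_port) != port:
            continue  # excludes 4560 and outbound connections to a remote 456
        hits.append({"local": local_addr, "remote": remote, "state": state,
                     "pid": int(pid) if pid else None})
    return hits


def owning_pids(hits):
    """Distinct PIDs holding the flagged sockets (empty if no PID column)."""
    return sorted({h["pid"] for h in hits if h["pid"] is not None})


if __name__ == "__main__":
    for h in find_port_sockets(SAMPLE_NETSTAT):
        print(h)
    print("PIDs to inspect:", owning_pids(find_port_sockets(SAMPLE_NETSTAT)))
```

A PID reported here can be matched against the process list in Task Manager to find the executable to stop and delete, as in the manual steps above.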

References

ISS X-Force
Hacker's Paradise backdoor for Windows 95/98 and Windows NT
http://www.iss.net/security_center/static/3113.php

CVE
CVE-1999-0660
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0660