Just your weekly friendly virus warning {=o)

From: ]\\\\[][G}{T§TÖ®]v[ <NightStorm_Draco_@HOTMAIL.COM>
To: <CREED-DISCUSS@WINDUPLIST.COM>
Date: Fri, 20 Apr 2001 18:45:19 -0400

TAKEN FROM http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=TROJ_WINMITE.10  (Just a note.... this is a fun one to have on your system... anyone with remote access using this trojan could basically turn your computer into a 40 lb paperweight...)
TROJ_WINMITE.10
Virus type: Trojan
Destructive:  
Aliases: Backdoor.WindowsMite, BackDoor-EB, Windows Mite Server, WINMITE.10
Description: This memory-resident backdoor Trojan gives a remote hacker access to an infected system. It masquerades as the Windows registry checker program, SCANREGW.EXE, on the infected system. It compromises network security.
Solution:
1. Run REGEDIT.EXE and delete the following registry entries (each value name is listed under the key that holds it):
   HKEY_LOCAL_MACHINE\Software\Microsoft\DirectOpenGL
     DirectX=dword:00000000
   HKEY_LOCAL_MACHINE\Software\Microsoft\DirectOpenGL\Settings
     APPID=dword:0000fffa
2. Click Start|Shutdown|Restart in MS-DOS mode. Restarting in MS-DOS mode stops the resident Trojan so that its file can be overwritten.
3. Obtain a copy of SCANREGW.EXE from a clean backup or from a clean system and copy the file to a clean diskette.
4. At the command prompt, type the following to change from the current drive to A:
   A:
5. Copy the clean SCANREGW.EXE to the Windows directory. Type the following and press Enter:
   copy scanregw.exe c:\windows
   If asked to overwrite, press Y. If successful, the following should be displayed:
   1 file(s) copied
6. Type the following command and press Enter to return to Windows:
   exit
7. Scan your system with Trend antivirus and delete all other files detected as TROJ_WINMITE.10. To do this, Trend customers must download the latest pattern file and scan their system. Other users may use Trend HouseCall ( http://housecall.antivirus.com/ ), a free online virus scanner.
Technical Details
Size of virus: 338,944 Bytes 
Details:
Upon execution, the server side of this Trojan overwrites the original Windows registry checker program in the Windows directory with a copy of itself, named SCANREGW.EXE. Since Windows 9x starts the registry checker at every boot (from the ScanRegistry entry under the Run key), the Trojan file executes in every Windows session. It also creates the following registry entries (each value name is listed under the key that holds it):
HKEY_LOCAL_MACHINE\Software\Microsoft\DirectOpenGL
  DirectX=dword:00000000
HKEY_LOCAL_MACHINE\Software\Microsoft\DirectOpenGL\Settings
  APPID=dword:0000fffa
The Trojan then runs in the background registered as a service process, so it does not appear in the Ctrl+Alt+Del task list.
The client side of this Trojan gives a remote hacker an interface for controlling a computer that runs the server side. The hacker specifies the Internet Protocol (IP) address of an infected system and the Transmission Control Protocol (TCP) port on which the server listens. By default, the TCP port is 65530.
When a connection has been established, the remote hacker may do the following to an infected system running the server side:
- Close/Remove the server
- Upload/download/delete files
- Browse the infected user's directories
- Obtain the time
- Obtain the user's ICQ UIN
- Close/open CD-ROM drive
- Disable/enable the system menu
- Logoff/shutdown/restart machine
- Hide/show/remove taskbar
- Disable/enable mouse
- Turn monitor on/off
- Obtain username and Windows username
- Delete Windows system files such as win.com, user.dat, system.dat
- Crash the system
- Obtain password list
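The indicators the entry gives (a 338,944-byte SCANREGW.EXE, the two registry values, and a server listening on TCP port 65530) are enough for a quick offline triage of a suspect machine. The script below is an added example and is not code from Trend Micro or from the original post. It assumes that the wrapped registry paths in the entry split into the key HKEY_LOCAL_MACHINE\Software\Microsoft\DirectOpenGL holding the value DirectX and the key HKEY_LOCAL_MACHINE\Software\Microsoft\DirectOpenGL\Settings holding the value APPID; it reads a REGEDIT text export and `netstat -an` output, both of which are constructed here as samples, and it builds a stand-in file of the right length rather than touching a real Windows directory.

```python
"""Offline triage for the TROJ_WINMITE.10 host indicators listed above.

Added example, not from the Trend Micro entry or the original post. The
registry key / value-name split is an assumption drawn from the wrapped
paths in the entry; the sample inputs below are constructed for the demo.
"""
import os
import re
import tempfile

# Indicators from the entry above.
WINMITE_SIZE = 338_944      # byte length of the dropped SCANREGW.EXE
WINMITE_PORT = 65530        # default TCP port of the server side
# Assumed key/value split: (key path, value name) -> expected dword data.
WINMITE_REG_VALUES = {
    (r"HKEY_LOCAL_MACHINE\Software\Microsoft\DirectOpenGL", "DirectX"): 0x00000000,
    (r"HKEY_LOCAL_MACHINE\Software\Microsoft\DirectOpenGL\Settings", "APPID"): 0x0000FFFA,
}

# Constructed REGEDIT4 export (Windows 9x format) for the demo.
SAMPLE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\DirectOpenGL]
"DirectX"=dword:00000000

[HKEY_LOCAL_MACHINE\Software\Microsoft\DirectOpenGL\Settings]
"APPID"=dword:0000fffa

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"""

# Constructed `netstat -an` output for the demo.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:65530          0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1031      192.168.1.1:80         ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

NETSTAT_LISTEN_RE = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING", re.IGNORECASE)


def check_scanregw(path):
    """True when the file at `path` has exactly the trojan's length; False if absent."""
    try:
        return os.path.getsize(path) == WINMITE_SIZE
    except OSError:
        return False


def parse_reg_export(text):
    """Return {(key_path, value_name): int} for every dword value in a REGEDIT export.

    String and binary values are ignored; key paths are kept as written.
    """
    values = {}
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('"') and "=dword:" in line:
            name, _, raw = line.partition("=dword:")
            values[(key, name.strip('"'))] = int(raw, 16)
    return values


def find_winmite_reg(text):
    """Return the indicator (key, value) pairs present in the export with the expected data.

    Registry key and value names are case-insensitive, so compare lower-cased.
    """
    found = {(k.lower(), n.lower()): v for (k, n), v in parse_reg_export(text).items()}
    return [(k, n) for (k, n), v in WINMITE_REG_VALUES.items()
            if found.get((k.lower(), n.lower())) == v]


def find_winmite_listener(netstat_text):
    """Return every LISTENING TCP port in `netstat -an` output equal to the default port."""
    ports = []
    for line in netstat_text.splitlines():
        m = NETSTAT_LISTEN_RE.match(line)
        if m and int(m.group(1)) == WINMITE_PORT:
            ports.append(int(m.group(1)))
    return ports


def run_demo():
    """Run all three checks on the constructed samples and return the results."""
    with tempfile.TemporaryDirectory() as tmp:
        fake = os.path.join(tmp, "SCANREGW.EXE")
        with open(fake, "wb") as fh:        # stand-in file of the trojan's length
            fh.write(b"\0" * WINMITE_SIZE)
        size_hit = check_scanregw(fake)
    return {
        "scanregw_size_match": size_hit,
        "registry_hits": find_winmite_reg(SAMPLE_REG),
        "listening_on_default_port": find_winmite_listener(SAMPLE_NETSTAT),
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name}: {result}")
```

Two caveats when using this on a real box. A size match alone is a weak indicator (a differently built sample would not match, and a coincidental match is possible), so treat it as a first cut and let the pattern-file scan the entry recommends be the authoritative test. Also, dword 0000fffa is 65530 in decimal, the same number as the default server port; the entry does not say whether the server reads its port from that value, so the script treats the registry data and the listening port as independent indicators.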