294
GirlFriend backdoor 1.0 beta detection
Backdoors
2005/01/04
Marc Ruef, marc.ruef at computec.ch, http://www.computec.ch, computec.ch
1.1
tcp 21554
open|sleep|send ver\n|sleep|close|pattern_exists GirlFriend 98
The NASL script is Copyright (C) 1999 Renaud Deraison
Configuration
GirlFriend is installed. This backdoor allows anyone to partially take control of the remote system. An attacker may use it to steal your password or prevent you from working properly.
To remove GirlFriend from your machine, open regedit to HKLM\Software\Microsoft\Windows\CurrentVersion\Run and look for a value named 'Windll.exe' with the data 'c:\windows\windll.exe'. Reboot to DOS and delete the C:\windows\windll.exe file, then boot to Windows and remove the 'Windll.exe' registry value.
Approx. 45 minutes
Yes Yes Yes
High 8 8 9 8 High
Nessus can check this flaw with the plugin 10094 (GirlFriend).
CAN-1999-0660
10094
Hacking Exposed: Network Security Secrets & Solutions, Stuart McClure, Joel Scambray and George Kurtz, February 25, 2003, 4th Edition, McGraw-Hill Osborne Media, ISBN 0072227427
http://www.computec.ch