GirlFriend Backdoor Detection

critical Nessus Plugin ID 10094

Synopsis

The remote host has a backdoor installed.

Description

The remote host has the GirlFriend backdoor installed. This backdoor allows anyone to partially take control of the remote system. An attacker could use it to steal your password or prevent your system from working properly.

Solution

Open regedit to HKLM\Software\Microsoft\Windows\CurrentVersion\Run and look for a value named 'Windll.exe' with the data 'c:\windows\windll.exe'. Reboot to DOS and delete the 'c:\windows\windll.exe' file then boot to Windows and remove the 'Windll.exe' registry value.

Plugin Details

Severity: Critical

ID: 10094

File Name: girlfriend.nasl

Version: 1.28

Type: remote

Family: Backdoors

Published: 7/9/1999

Updated: 4/11/2022

Configuration: Enable thorough checks

Supported Sensors: Nessus

Vulnerability Information

Required KB Items: Settings/ThoroughTests

Detections

Analytics