Portal of Doom Backdoor Detection

critical Nessus Plugin ID 10186

Synopsis

The remote host is infected by a Trojan horse.

Description

Portal of Doom is installed.

This backdoor allows anyone to partially take the control of the remote system.

An attacker may use it to steal your password or prevent your from working properly.

Solution

open the registry to HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices and look for the value named 'String' with the data 'c:\windows\system\ljsgz.exe'. Boot into DOS mode and delete the c:\windows\system\ljsgz.exe file, then boot into Windows and delete the 'String' value from the registry.
If you are running Windows NT and are infected, you can kill the process with Task Manager, and then remove the 'String' registry value.

Plugin Details

Severity: Critical

ID: 10186

File Name: portal_of_doom.nasl

Version: 1.30

Type: remote

Family: Backdoors

Published: 7/9/1999

Updated: 4/11/2022

Configuration: Enable thorough checks

Supported Sensors: Nessus

Vulnerability Information

Required KB Items: Settings/ThoroughTests