About the Setup trojan

http://www.netninja.com/files/SetupTrojan.zip

When run, the Setup trojan creates a hidden share of drive C:. It creates a Registry key named C$ as follows:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Network\LanMan\C$

and it places four entries in that key as follows:

    "Flags"=dword:00000302
    "Path"="C:\\"
    "Remark"=""
    "Type"=dword:00000000

Two things cause the share to be invisible. The "$" at the end of the share name renders the share invisible to the NET VIEW command and to Net Watcher's shared folder listing. The "Flags" value sets the share's "System" status, the primary effect of which is that the familiar drive-in-hand icon does not appear in the My Computer folder. Nonetheless, the share is present and functional.

The share is not instantly available but takes effect on the next reboot. Machines sharing this system's network can then access the shared drive without a password. It can be done using the DOS "net" command as follows:

    net use * \\[computer | IP]\c$

This will assign the remote shared drive to the next available letter on the user's machine and grant full read/write access.

However, the share is not effectively hidden when in actual use. If the user of the "shared" machine runs Net Watcher -- a standard Windows utility, present in virtually any networked Win95 box -- he will see the connection to C$ and the name and user of the remote machine using his drive. Also, if the machine with the hidden share is shut down while the remote user is connected, Windows will warn the user of that connection and ask for confirmation of the shutdown.

If, and only if, the system already has sharing enabled in the Dial-Up Adapter's TCP/IP network protocol settings, the "Setup" share will grant access to drive C: by way of the dial-up link. The Setup trojan does not enable sharing via the Dial-Up Adapter; therefore, by itself it does not create a "backdoor" over the Internet link.
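
To check a machine for this share, export the LanMan Registry key and scan it. The following is an added example, not part of the original text: it parses a REGEDIT4-format export and flags shares whose name ends in "$" or whose "Flags" value equals the 0x302 given above. The sample export, the DOCS share and its values, and the function names are constructed for illustration.

```python
import re

LANMAN = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Network\LanMan"
TROJAN_FLAGS = 0x302  # "Flags" value the text gives for the trojan's C$ key
# Constructed sample export: the C$ key as described above plus an ordinary share.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Network\LanMan\C$]
"Flags"=dword:00000302
"Path"="C:\\"
"Remark"=""
"Type"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Network\LanMan\DOCS]
"Flags"=dword:00000101
"Path"="C:\\DOCS"
'''

def parse_shares(reg_text):
    """Return {share_name: {value_name: value}} for direct subkeys of the LanMan key."""
    shares, current = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        key = re.fullmatch(r"\[(.+)\]", line)
        if key:
            parent, _, name = key.group(1).rpartition("\\")
            current = shares.setdefault(name, {}) if parent.upper() == LANMAN.upper() else None
            continue
        val = re.fullmatch(r'"([^"]+)"=(.*)', line)
        if val and current is not None:
            name, raw = val.groups()
            is_dword = raw.lower().startswith("dword:")
            current[name] = int(raw[6:], 16) if is_dword else raw.strip('"').replace("\\\\", "\\")
    return shares

def find_hidden_shares(reg_text):
    """List (share, path, reasons) for shares that match either hiding trait."""
    findings = []
    for name, values in sorted(parse_shares(reg_text).items()):
        checks = ((name.endswith("$"), "name ends in $"),
                  (values.get("Flags") == TROJAN_FLAGS, "Flags=0x302"))
        reasons = [reason for hit, reason in checks if hit]
        if reasons:
            findings.append((name, values.get("Path"), reasons))
    return findings

if __name__ == "__main__":
    for share, path, reasons in find_hidden_shares(SAMPLE_EXPORT):
        print(f"suspicious share {share} -> {path}: {', '.join(reasons)}")
```

Because the share only takes effect after a reboot, a match in the export means the key is present, not necessarily that the share is already active.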