Backdoor.Turkojan is written in Delphi. By default it uses port 31693 for communication.
When Backdoor.Turkojan runs, it performs the following actions:
It may display a message.
It copies itself under a predefined name into the %Windir% or the %System% folder.
It creates the value:
"... value name" "path and file name"
in the registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
so that the Trojan starts when Windows is started.
It creates several values in the registry key:
HKEY_CURRENT_USER\Software\Turkojan
(for storing the Trojan configuration data)
On Windows 95/98/Me, the Trojan registers itself as a service process in order to hide itself from the task list.
Turkojan attempts to obtain access to the password cache stored on the local computer.
It installs hook procedures into a hook chain to watch the system for any keyboard and mouse messages.
The Trojan then waits for commands from the remote client. This allows the hacker to perform any of the following actions:
Manage the installation of the Trojan
Download and execute files
Deliver system and network information to the hacker
Perform annoying actions
Intercept confidential information by hooking any keystrokes
The Trojan can be removed manually by deleting the infected file and removing the Run registry value described above.
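The indicators listed above (the HKCU\Software\Turkojan configuration key, a Run value pointing into %Windir% or %System%, and a listener on TCP 31693) can be checked from a defender's side with a read-only audit script. The following PowerShell is an added example, not part of the original description and not vendor code. It assumes a modern Windows host where Get-NetTCPConnection is available; because the write-up does not give the Run value name, every Run value is listed and those whose command line points into %Windir% or %System% are flagged for manual review rather than deleted.

```powershell
# Added example: report-only audit for the Backdoor.Turkojan indicators named
# in the write-up. It changes nothing; removal is left to the operator.
# Assumption: %System% is taken to mean System32 (NT family) or System (9x).

$findings = @()

# 1. Configuration key the Trojan creates for its settings
$cfgKey = 'HKCU:\Software\Turkojan'
if (Test-Path -Path $cfgKey) {
    $findings += "Config key present: $cfgKey"
    $cfg = Get-ItemProperty -Path $cfgKey
    foreach ($p in $cfg.PSObject.Properties) {
        if ($p.Name -notin @('PSPath','PSParentPath','PSChildName','PSDrive','PSProvider')) {
            $findings += "  config value '$($p.Name)' = $($p.Value)"
        }
    }
}

# 2. Persistence: Run values whose command points into %Windir% or %System%
$runKey  = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$winDir  = $env:windir
$sysDirs = @((Join-Path $winDir 'System32'), (Join-Path $winDir 'System'))
$runValues = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($runValues) {
    foreach ($prop in $runValues.PSObject.Properties) {
        # Skip the provider metadata properties PowerShell attaches to the object
        if ($prop.Name -in @('PSPath','PSParentPath','PSChildName','PSDrive','PSProvider')) { continue }
        $cmd = [string]$prop.Value
        $inWinDir = $cmd -like "$winDir\*"           # covers System32/System as well
        $tag = if ($inWinDir) { 'REVIEW' } else { 'info' }
        $findings += "[$tag] Run value '$($prop.Name)' = $cmd"
    }
}

# 3. Listener on the Trojan's default control port
$listeners = Get-NetTCPConnection -LocalPort 31693 -State Listen -ErrorAction SilentlyContinue
foreach ($l in $listeners) {
    $proc = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
    $name = if ($proc) { $proc.ProcessName } else { 'unknown' }
    $findings += "[REVIEW] Listener on TCP 31693 owned by PID $($l.OwningProcess) ($name)"
}

if ($findings.Count -eq 0) { 'No Backdoor.Turkojan indicators found.' } else { $findings }
```

Run it from an elevated PowerShell prompt so the HKLM Run key and the owning process of the listener can be read. A Run value pointing into the Windows directory is not proof of infection on its own (legitimate software registers there too), which is why the script only marks such entries for review; the Turkojan configuration key and a listener on 31693 are the stronger signals.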