Trojan/Backdoor - Phase Zero Detection

High Nessus Network Monitor Plugin ID 1916


The remote host has a backdoor installed.


Phase Zero is installed. This backdoor allows anyone to partially take the control of the remote system. An attacker may use it to steal your password or prevent your system from working properly.


Look for the registry key MsgServ in HKLM\Software\Microsoft\Windows\CurrentVersion\Run with value msgsvr32.exe. Search for any suspicious files in the run key, and if found locate the file, open it and search for the text string "phAse Zero". If found, then delete that file and delete the registry value from the registry. Manually inspect and repair this system

Plugin Details

Severity: High

ID: 1916

File Name: 1916.prm

Family: Backdoors

Published: 2004/08/20

Modified: 2016/01/15

Risk Information

Risk Factor: High