This backdoor hacking tool has many versions and some may do the following.
It drops the file WINSERV.EXE in the system directory of Windows System Folder. Then it modifies the registry by creating a new entry
NetApp = “C:\Windows\System\Winserv.exe”
Because of this, SHADOWTHIEF runs each time Windows is rebooted.
Then the backdoor program opens the port number “1207.” There are other variants that may open other port numbers open. These port numbers may be used by any other client to enter the server side of the infected computer.
To manually remove this backdoor program, the system should be disconnected from the network or the Internet before the files are deleted. To delete this backdoor program, the entry in the registry has to be removed. This is done by executing the REGEDIT.EXE file and going to the path HKEY_LOCAL_MACHINE\Software\ Microsoft\Windows\CurrentVersion\Run.
The entry is named NetApp. The WINAPP.EXE file needs to be rename to WINAPP.VXE as well.