by Corpse
Written in MASM
Released in October 2004
Made in Russia
Server:
dropped files:
c:\WINDOWS\system32\klogini.dll size: 0 bytes
c:\WINDOWS\system32\p2.ini size: 320 bytes
c:\WINDOWS\system32\ps.a3d size: 95 bytes
C:\WINDOWS\system32\cm.dll size: 28960 bytes (Backdoor.Win32.Haxdoor.av)
C:\WINDOWS\system32\draw32.dll size: 28960 bytes (Backdoor.Win32.Haxdoor.av)
C:\WINDOWS\system32\hm.sys size: 15872 bytes (Backdoor.Win32.Haxdoor.gen)
C:\WINDOWS\system32\memlow.sys size: 4096 bytes (Backdoor.Win32.Haxdoor.ar)
C:\WINDOWS\system32\vdnt32.sys size: 15872 bytes (Backdoor.Win32.Haxdoor.gen)
C:\WINDOWS\system32\wd.sys size: 4096 bytes (Backdoor.Win32.Haxdoor.ar)
port: 16661 TCP
added to registry:
HKEY_CURRENT_USER\Identities\{D4086F36-0B1C-4F8B-883F-F6A433830ADF}\Software\Microsoft\Internet Account Manager
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\draw32
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MEMLOW
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_VDNT32
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\memlow
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\vdnt32
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MEMLOW
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VDNT32
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\memlow
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vdnt32
tested on Windows XP
January 06, 2005
MegaSecurity