Funny Administrative Spy
(Backdoor.Win32.DarkMoon.r)

by Shukisnike

Written in Visual Basic

Released in January 2004

Server:
dropped files:
c:\WINDOWS\system32\SP00LSV.EXE     size: 41,160 bytes 
c:\WINDOWS\system32\WINL0G0N.EXE    size: 41,160 bytes 

port: 2300, 4300, 4500, 6000 TCP

startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Microsoft Windows"
data: C:\WINDOWS\System32\WINL0G0N.EX 



tested on Windows XP
March 09, 2005

MegaSecurity