Eshragh PassSender 1.1

Eshragh PassSender 1.1
(Trojan-Spy.Win32.VB.akw )

by eShargh

Written in Visual Basic

Made in The Middle East


Server
Dropped File:
c:\WINDOWS\system32\system.exe
Size: 86,176 bytes 

Added to Registry:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\system "disableregistrytools"
Data: 01, 00, 00, 00 

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\system "DisableTaskMgr"
Data: 01, 00, 00, 00 

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "System"
Data: system.exe 
	
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\stud "ImagePath"
Data: %SystemRoot%\System32\oobe\setup\svchost.exe /service 
	
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\stud "ImagePath"
Data: %SystemRoot%\System32\oobe\setup\svchost.exe /service 
	
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\stud "ImagePath"
Data: %SystemRoot%\System32\oobe\setup\svchost.exe /service 




Tested on Windows XP
September 06, 2008

MegaSecurity