by ?
Packed with Themida 1.0.0.5
Released in May 2006
Pretends to be a Chess Program, but installs a Backdoor.
Server:
dropped files:
c:\WINDOWS\svcr.exe Size: 1,211,906 bytes
c:\WINDOWS\system32\drivers\oreans32.sys Size: 33,952 bytes
added to registry:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "system"
data: C:\WINDOWS\svcr.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2bf41070-b2b1-21d1-b5c1-0305f4055515} "StubPath"
data: C:\windows\svcr.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "system"
data: C:\WINDOWS\svcr.exe
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_OREANS32\0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\oreans32
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\oreans32 "ImagePath"
data: \??\C:\WINDOWS\system32\drivers\oreans32.sys
attempts to connect to an IRC Server
tested on Windows XP
July 31, 2006
MegaSecurity