hamTaRo THE Trojan 1.3
(Backdoor.Win32.RMFdoor.b for Client)
(Not detected by KAV on February 26, 2008 for Server)

by MaLy

Written in Delphi

Released in August 2005

Made in Poland



Server:
dropped file:
c:\WINDOWS\svchost.exe
size: 454,144 bytes 

port: 14920 TCP

added to registry:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableRegistryTools"
data: 01, 00, 00, 00 

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "svchost"
data: C:\Windows\svchost.exe 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "svchost"
data: C:\Windows\svchost.exe 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List "C:\Windows\svchost.exe"
data: C:\Windows\svchost.exe:*:Enabled:svchost 
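
Host check for the artefacts listed above (added example, not part of the original entry and not the author's code). It assumes PowerShell 5.1 on Windows 8 or later for Get-NetTCPConnection, and it assumes 14920 is the server's local port; variable names and the output format are this example's own.

```powershell
# Added example: look for the file, registry values and TCP port listed in this entry.
$path = 'C:\Windows\svchost.exe'   # dropped file; the genuine svchost.exe lives in System32
$size = 454144                     # size given in this entry, in bytes
$port = 14920                      # TCP port given in this entry
$hits = @()

# Dropped file: report the actual size next to the listed one.
$f = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
if ($f) { $hits += "file $path, $($f.Length) bytes (listed size: $size)" }

# Registry values: key, value name, and a wildcard pattern for the data listed above.
# HKCU only covers the account running this script; repeat per user profile if needed.
$cv = 'Microsoft\Windows\CurrentVersion'
$checks = @(
    @{ Key = "HKCU:\Software\$cv\Run"; Name = 'svchost'; Want = "$path*" },
    @{ Key = "HKLM:\SOFTWARE\$cv\Run"; Name = 'svchost'; Want = "$path*" },
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'; Name = $path; Want = "$path*" },
    @{ Key = "HKCU:\Software\$cv\Policies\System"; Name = 'DisableRegistryTools'; Want = '1' }
)
foreach ($c in $checks) {
    $k = Get-Item -LiteralPath $c.Key -ErrorAction SilentlyContinue
    if (-not $k) { continue }
    $v = $k.GetValue($c.Name)      # $null when the value does not exist
    # The entry shows the data as bytes 01,00,00,00; normalise REG_BINARY to an integer.
    if ($v -is [byte[]] -and $v.Length -ge 4) { $v = [BitConverter]::ToInt32($v, 0) }
    if ($v -like $c.Want) { $hits += "registry $($c.Key) `"$($c.Name)`" = $v" }
}

# TCP port: any socket bound to the listed port, with the owning process id.
foreach ($t in @(Get-NetTCPConnection -LocalPort $port -ErrorAction SilentlyContinue)) {
    $hits += "tcp local port $port, state $($t.State), pid $($t.OwningProcess)"
}

if ($hits) { $hits | ForEach-Object { "MATCH  $_" } } else { 'No artefacts from this entry found.' }
```

DisableRegistryTools can also be set by an administrator's policy, so treat a match on that value alone as weak evidence.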



tested on Windows XP
September 04, 2005

MegaSecurity