by Superchachi
Written in Visual Basic, compressed with UPX
Backdoor.Win32.VB.vr:
dropped files:
c:\WINDOWS\EDKZCTOL1.exe Size: 190,464 bytes (Trojan.Win32.Madtol.a)
c:\WINDOWS\system32\EDKZCTOL1.exe Size: 190,464 bytes (Trojan.Win32.Madtol.a)
c:\WINDOWS\system32\explorer.dll Size: 88,576 bytes (Trojan.Win32.Madtol.a)
c:\WINDOWS\system32\iexplore.dll Size: 82,944 bytes (Trojan.Win32.Madtol.a)
C:\WINDOWS\Fonts\lsass.exe (Invisible)
deleted files:
c:\WINDOWS\system32\lsass.exe
c:\WINDOWS\system32\dllcache\lsass.exe
ports: 30999 TCP, 500 UDP
startup:
HKEY_CLASSES_ROOT\exefile\shell\open\command "(Default)"
  old data: "%1" %*
  new data: c:\WINDOWS\Fonts\lsass.exe "%1" %*
  (with this change every .exe launched on the system is routed through the dropped lsass.exe)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "EDKZCTOL1.exe"
  data: C:\WINDOWS\System32\EDKZCTOL1.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Kobayashi"
  data: c:\WINDOWS\Fonts\lsass.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce "Kobayashi"
  data: c:\WINDOWS\Fonts\lsass.exe /RunOnce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx "Kobayashi"
  data: c:\WINDOWS\Fonts\lsass.exe
Used with Aphex RootKit
Tested on Windows XP
May 05, 2005
MegaSecurity