Backdoor.Win32.VB.vr
(Backdoor.Win32.VB.vr)

by Superchachi

Written in Visual Basic, compressed with UPX

Backdoor.Win32.VB.vr:
dropped files:
c:\WINDOWS\EDKZCTOL1.exe            Size: 190,464 bytes   (Trojan.Win32.Madtol.a)
c:\WINDOWS\system32\EDKZCTOL1.exe   Size: 190,464 bytes   (Trojan.Win32.Madtol.a)
c:\WINDOWS\system32\explorer.dll    Size: 88,576 bytes    (Trojan.Win32.Madtol.a)
c:\WINDOWS\system32\iexplore.dll    Size: 82,944 bytes    (Trojan.Win32.Madtol.a)
C:\WINDOWS\Fonts\lsass.exe          (Invisible: hidden from directory listings, see Aphex RootKit below)

deleted files:
c:\WINDOWS\system32\lsass.exe
c:\WINDOWS\system32\dllcache\lsass.exe
(the genuine Local Security Authority binary and the Windows File Protection
copy that would otherwise restore it; after this the only lsass.exe left on
the machine is the backdoor in C:\WINDOWS\Fonts)

ports: 30999 TCP
       500   UDP

startup:
HKEY_CLASSES_ROOT\exefile\shell\open\command "(Default)"
old data: "%1" %*
new data: c:\WINDOWS\Fonts\lsass.exe "%1" %*
(every .exe opened through the shell is now run via the backdoor first;
restore the old data before removing c:\WINDOWS\Fonts\lsass.exe, otherwise
no .exe will launch any more)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "EDKZCTOL1.exe"
data: C:\WINDOWS\System32\EDKZCTOL1.exe 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Kobayashi"
data: c:\WINDOWS\Fonts\lsass.exe 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce "Kobayashi"
data: c:\WINDOWS\Fonts\lsass.exe /RunOnce 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx "Kobayashi"
data: c:\WINDOWS\Fonts\lsass.exe

Used with Aphex RootKit (AFX Rootkit), a user-mode rootkit that hides files and
processes; this is why C:\WINDOWS\Fonts\lsass.exe is listed as invisible above.
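A small checker for the indicators listed in this entry, added here as an example; it is not part of the MegaSecurity write-up and has nothing to do with the malware's own code. It parses a Regedit (.reg) export for the exefile hijack and the Run/RunOnce/RunOnceEx values, compares a list of files present on disk against the dropped and deleted files above, and emits the .reg text that restores the .exe association. The .reg sample, the ctfmon.exe autorun, the restored dllcache copy and the C:\WINDOWS\Temp\lsass.exe path are constructed test data. It goes slightly beyond the entry: any lsass.exe outside system32 is flagged, not just the Fonts copy.

```python
r"""Check a Regedit export and a file inventory for the persistence points in
this entry: the exefile\shell\open\command hijack, the Run / RunOnce /
RunOnceEx values, the dropped files and the deleted lsass.exe copies.
Added example for this page, not part of the original write-up; the .reg
text and the file list at the bottom are constructed samples."""
import re

REG_EXEFILE = r"HKEY_CLASSES_ROOT\exefile\shell\open\command"
CLEAN_EXE_COMMAND = '"%1" %*'          # Windows default for that value
RUN_BASE = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
RUN_KEYS = tuple(RUN_BASE + "\\" + sub for sub in ("Run", "RunOnce", "RunOnceEx"))
# paths from the entry, lower-cased for comparison
DROPPED = {r"c:\windows\edkzctol1.exe", r"c:\windows\system32\edkzctol1.exe",
           r"c:\windows\system32\explorer.dll", r"c:\windows\system32\iexplore.dll",
           r"c:\windows\fonts\lsass.exe"}
DELETED = {r"c:\windows\system32\lsass.exe", r"c:\windows\system32\dllcache\lsass.exe"}


def parse_reg(text):
    """Minimal parser for a 'Windows Registry Editor Version 5.00' export.
    Returns {key: {value_name: data}}; only string lines ("name"="data"
    and @="data") are decoded, which is all these indicators need."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = re.match(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$', line)
        if m and current is not None:
            name = "(Default)" if m.group(1) == "@" else m.group(2)
            data = m.group(3)
            if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                # .reg escapes backslashes as \\ and quotes as \"
                data = re.sub(r"\\(.)", r"\1", data[1:-1])
            keys[current][name] = data
    return keys


def image_path(cmdline):
    """First token of a command line: a quoted path, or text up to the first space."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    return s.split(" ", 1)[0]


def lsass_outside_system32(path):
    """lsass.exe anywhere but system32 (or its dllcache copy) is not the real LSA."""
    p = path.lower()
    return (p.endswith("\\lsass.exe") and not p.endswith("\\system32\\lsass.exe")
            and not p.endswith("\\system32\\dllcache\\lsass.exe"))


def check_registry(keys):
    """(kind, key, value_name, data) for every suspicious persistence entry."""
    findings = []
    cmd = keys.get(REG_EXEFILE, {}).get("(Default)")
    if cmd is not None and cmd.strip() != CLEAN_EXE_COMMAND:
        findings.append(("exefile hijack", REG_EXEFILE, "(Default)", cmd))
    for key in RUN_KEYS:
        for name, data in keys.get(key, {}).items():
            exe = image_path(data).lower()
            if lsass_outside_system32(exe) or exe in DROPPED or name == "Kobayashi":
                findings.append(("autorun", key, name, data))
    return findings


def check_files(present):
    """present: paths that exist on disk. Flags dropped files, the removed
    lsass.exe copies, and any other lsass.exe outside system32."""
    have = {p.lower() for p in present}
    out = [("dropped", p) for p in sorted(DROPPED & have)]
    out += [("missing", p) for p in sorted(DELETED - have)]
    out += [("lsass outside system32", p)
            for p in sorted(have - DROPPED) if lsass_outside_system32(p)]
    return out


def cleanup_reg():
    r""".reg text restoring the .exe association. Import it BEFORE deleting
    c:\WINDOWS\Fonts\lsass.exe, otherwise no .exe will launch afterwards."""
    return "Windows Registry Editor Version 5.00\n\n[%s]\n@=\"\\\"%%1\\\" %%*\"\n" % REG_EXEFILE


# constructed sample data, not taken from an infected machine
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="c:\\WINDOWS\\Fonts\\lsass.exe \"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EDKZCTOL1.exe"="C:\\WINDOWS\\System32\\EDKZCTOL1.exe"
"Kobayashi"="c:\\WINDOWS\\Fonts\\lsass.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Kobayashi"="c:\\WINDOWS\\Fonts\\lsass.exe /RunOnce"
'''
SAMPLE_FILES = [r"C:\WINDOWS\Fonts\lsass.exe", r"C:\WINDOWS\system32\EDKZCTOL1.exe",
                r"C:\WINDOWS\system32\explorer.dll", r"C:\WINDOWS\system32\ctfmon.exe",
                r"C:\WINDOWS\system32\dllcache\lsass.exe",   # WFP copy already restored
                r"C:\WINDOWS\Temp\lsass.exe"]                # a copy the entry does not list

if __name__ == "__main__":
    for f in check_registry(parse_reg(SAMPLE_REG)) + check_files(SAMPLE_FILES):
        print(*f)
    print(cleanup_reg())
```

On a real machine, feed parse_reg() the output of `regedit /e` for the keys above and check_files() a directory listing taken from a clean boot medium, since the Aphex RootKit hides the Fonts copy from the running system. Import the cleanup_reg() text first, then delete the dropped files and the Run/RunOnce/RunOnceEx values, then put a clean lsass.exe back into system32 and dllcache.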
	

Tested on Windows XP
May 05, 2005

MegaSecurity