by Superchachi
Written in Visual Basic, compressed with UPX
Backdoor.Win32.VB.vr:

dropped files:
c:\WINDOWS\EDKZCTOL1.exe
Size: 190,464 bytes (Trojan.Win32.Madtol.a)
c:\WINDOWS\system32\EDKZCTOL1.exe
Size: 190,464 bytes (Trojan.Win32.Madtol.a)
c:\WINDOWS\system32\explorer.dll
Size: 88,576 bytes (Trojan.Win32.Madtol.a)
c:\WINDOWS\system32\iexplore.dll
Size: 82,944 bytes (Trojan.Win32.Madtol.a)
C:\WINDOWS\Fonts\lsass.exe (Invisible)

deleted files:
c:\WINDOWS\system32\lsass.exe
c:\WINDOWS\system32\dllcache\lsass.exe

port:
30999 TCP
500 UDP

startup:
HKEY_CLASSES_ROOT\exefile\shell\open\command
"(Default)"
old data: "%1" %*
new data: c:\WINDOWS\Fonts\lsass.exe "%1" %*

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"EDKZCTOL1.exe"
data: C:\WINDOWS\System32\EDKZCTOL1.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"Kobayashi"
data: c:\WINDOWS\Fonts\lsass.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
"Kobayashi"
data: c:\WINDOWS\Fonts\lsass.exe /RunOnce

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
"Kobayashi"
data: c:\WINDOWS\Fonts\lsass.exe

The exefile\shell\open\command change runs c:\WINDOWS\Fonts\lsass.exe ahead of every .exe started through the shell, so the backdoor survives removal of the Run entries alone; restore the old data "%1" %* before deleting that file, or no .exe will launch afterwards.

Used with Aphex RootKit

Tested on Windows XP
May 05, 2005

MegaSecurity
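The indicators above can be turned into a host check. The following is an added example, not part of the MegaSecurity entry or of the trojan's author's material: it matches a snapshot of registry values and file presence against the listed dropped files, deleted files and startup entries, and detects the exefile\shell\open\command hijack generically (any program wrapped around the default "%1" %*) and any lsass.exe launched from outside %SystemRoot%\system32. The snapshot layout, the function names and the two sample snapshots are this example's own constructions.

```python
"""Check a host snapshot against the Backdoor.Win32.VB.vr indicators.
Added example; snapshot layout and function names are assumptions."""
import ntpath  # Windows path semantics, usable offline on any OS

EXEFILE_KEY = r"HKEY_CLASSES_ROOT\exefile\shell\open\command"
CLEAN_EXEFILE_COMMAND = '"%1" %*'  # Windows XP default for the open verb
HKLM_CV = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
RUN_KEYS = (HKLM_CV + r"\Run", HKLM_CV + r"\RunOnce", HKLM_CV + r"\RunOnceEx")

# File indicators from the entry: what the trojan drops and what it deletes.
DROPPED = (
    r"c:\WINDOWS\EDKZCTOL1.exe",
    r"c:\WINDOWS\system32\EDKZCTOL1.exe",
    r"c:\WINDOWS\system32\explorer.dll",
    r"c:\WINDOWS\system32\iexplore.dll",
    r"c:\WINDOWS\Fonts\lsass.exe",
)
DELETED = (
    r"c:\WINDOWS\system32\lsass.exe",
    r"c:\WINDOWS\system32\dllcache\lsass.exe",
)
# lsass.exe is judged by location instead, since the real one has that name.
DROPPED_NAMES = {ntpath.basename(p).lower() for p in DROPPED} - {"lsass.exe"}


def exefile_hijack(command):
    """Return the program wrapped around the clean exefile command, or None.
    A hijacked handler reads `<hijacker> "%1" %*`: the hijacker starts first
    and is expected to launch the real target itself."""
    command = command.strip()
    if command == CLEAN_EXEFILE_COMMAND:
        return None
    if command.endswith(CLEAN_EXEFILE_COMMAND):
        return command[: -len(CLEAN_EXEFILE_COMMAND)].strip()
    return command  # no "%1" at all: nothing launched through this verb works


def program_of(run_data):
    """First token of a Run value: the program path, quoted or bare."""
    run_data = run_data.strip()
    if run_data.startswith('"'):
        return run_data[1:].split('"', 1)[0]
    return run_data.split()[0]


def check_run_entry(key, name, data):
    """Flag a Run/RunOnce/RunOnceEx entry that launches a known dropped file
    or an lsass.exe outside system32 (the legitimate one lives there)."""
    program = program_of(data)
    base = ntpath.basename(program).lower()
    parent = ntpath.dirname(program).lower()
    if base == "lsass.exe" and not parent.endswith(r"\system32"):
        return f"{key}\\{name}: lsass.exe outside system32 -> {program}"
    if base in DROPPED_NAMES:
        return f"{key}\\{name}: launches known dropped file -> {program}"
    return None


def scan(snapshot):
    """snapshot = {"registry": {(key, value_name): data},
                   "files": set of lowercase paths that exist}.
    Returns one finding per matched indicator; an empty list means clean."""
    registry, files = snapshot["registry"], snapshot["files"]
    findings = []
    command = registry.get((EXEFILE_KEY, "(Default)"), CLEAN_EXEFILE_COMMAND)
    hijacker = exefile_hijack(command)
    if hijacker is not None:
        findings.append(f"exefile open verb hijacked by {hijacker}")
    for (key, name), data in registry.items():
        if key in RUN_KEYS:
            finding = check_run_entry(key, name, data)
            if finding:
                findings.append(finding)
    for path in DROPPED:
        if path.lower() in files:
            findings.append(f"dropped file present: {path}")
    for path in DELETED:
        if path.lower() not in files:
            findings.append(f"legitimate file missing: {path}")
    return findings


# Constructed snapshots: INFECTED reproduces the state the entry describes,
# CLEAN is an untouched Windows XP install.
INFECTED = {
    "registry": {
        (EXEFILE_KEY, "(Default)"): r'c:\WINDOWS\Fonts\lsass.exe "%1" %*',
        (RUN_KEYS[0], "EDKZCTOL1.exe"): r"C:\WINDOWS\System32\EDKZCTOL1.exe",
        (RUN_KEYS[0], "Kobayashi"): r"c:\WINDOWS\Fonts\lsass.exe",
        (RUN_KEYS[1], "Kobayashi"): r"c:\WINDOWS\Fonts\lsass.exe /RunOnce",
        (RUN_KEYS[2], "Kobayashi"): r"c:\WINDOWS\Fonts\lsass.exe",
    },
    "files": {p.lower() for p in DROPPED},
}
CLEAN = {
    "registry": {(EXEFILE_KEY, "(Default)"): CLEAN_EXEFILE_COMMAND},
    "files": {p.lower() for p in DELETED},
}

if __name__ == "__main__":
    for line in scan(INFECTED):
        print(line)
```

On a live Windows host the same snapshot dict can be filled from the `winreg` module (enumerate the values of the four keys above) and `os.path.exists` over DROPPED and DELETED; the scan logic itself does not change. The lsass.exe location check and the exefile wrapper check are generic and will also catch other trojans that use the same two persistence tricks, not only this sample.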