PiaoYes
(Backdoor.Win32.Delf.juw for Client)
(Backdoor.Win32.Delf.ga)
(Trojan.Win32.FakeGina.h for wing32.dll)

by ?

Written in Delphi, compressed with ASPack

Released in July 2003

Made in China

more versions


client1


client2


client2 





Client1.exe:
dropped servers:
c:\WINDOWS\notepad.jmp 
c:\WINDOWS\SYSTEM\Explorer.exe 
c:\WINDOWS\SYSTEM\internat.dic
 
size: 282.112 bytes 

startup:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "internat" 
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices "Explorer" 
HKEY_CLASSES_ROOT\txtfile\shell\open\command "(Default)" 

registry added:
HKEY_CLASSES_ROOT\.dic 
HKEY_CLASSES_ROOT\.jmp 
HKEY_LOCAL_MACHINE\Software\piaoyes 




Client2.exe
dropped servers:
c:\WINDOWS\notepad.jmp 
c:\WINDOWS\SYSTEM\Explorer.exe 
c:\WINDOWS\SYSTEM\wing32.dll 
c:\WINDOWS\SYSTEM\internat.dic

startup:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "internat" 
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices "piaoyes" 
HKEY_CLASSES_ROOT\txtfile\shell\open\command "(Default)" 
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon "GinaDLL" 

registry added:
HKEY_CLASSES_ROOT\.dic 
HKEY_CLASSES_ROOT\.jmp 
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon 
HKEY_LOCAL_MACHINE\Software\piaoyes 

files added:
c:\WINDOWS\SYSTEM\client.exe
MegaSecurity