by Neo and KB
Written in Visual Basic
Server:

dropped files:
c:\autoexec.exe Size: 200,704 bytes
c:\io.dll Size: 81 bytes
c:\WINDOWS\mss01.exe Size: 200,704 bytes
c:\WINDOWS\sprocks.bmp Size: 81 bytes
c:\WINDOWS\wrgf.exe Size: 200,704 bytes
c:\WINDOWS\system32\diskf.dll Size: 81 bytes
c:\WINDOWS\system32\log boot.exe Size: 200,704 bytes
c:\WINDOWS\system32\msgr.exe Size: 200,704 bytes
c:\WINDOWS\system32\reginf.ret Size: 81 bytes

startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "bootlogfile"
data: C:\WINDOWS\System32\log boot.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "msmsg"
data: C:\WINDOWS\wrgf.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "msmsgr"
data: C:\Documents and Settings\%user%\Desktop\Backdoor.Win32.Retribution.27.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Norton antivirus scan"
data: C:\WINDOWS\mss01.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "office decryptfiles"
data: C:\WINDOWS\System32\msgr.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "start bat file"
data: c:\autoexec.exe

tested on Windows XP
November 26, 2005