by ?
Written in Microsoft Visual C++, compressed with UPX
Origin: China
dropped files:
c:\WINDOWS\dodrrr.exe Size: 1,024 bytes
c:\WINDOWS\msbpx32.dll Size: 135,168 bytes
c:\WINDOWS\mscobpxl.dat Size: 155,648 bytes
c:\WINDOWS\mwfirebpx.exe Size: 155,648 bytes
c:\WINDOWS\winl0gon.exe Size: 155,648 bytes
c:\WINDOWS\system32\trash2E181 Size: 133,120 bytes
c:\WINDOWS\system32\drivers\etc\hosts

port: 50686, 50689, 14200 TCP

added to registry:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies
"DisableRegistryTools" data: 00, 00, 00, 00
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
"ms_anti_spywarebxp" data: C:\WINDOWS\mwfirebpx.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
"ms_anti_spywarebxp" data: C:\WINDOWS\mwfirebpx.exe
HKEY_CURRENT_USER\System\CurrentControlSet\Control\Lsa
"WINRUN" data: winl0gon.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole
"WINRUN" data: winl0gon.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies
"DisableRegistryTools" data: 00, 00, 00, 00
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"ms_anti_spywarebxp" data: C:\WINDOWS\mwfirebpx.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
"ms_anti_spywarebxp" data: C:\WINDOWS\mwfirebpx.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
"SFCScan" data: 00, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa
"WINRUN" data: winl0gon.exe
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
"WINRUN" data: winl0gon.exe

tested on Windows XP
March 17, 2006
MegaSecurity