Infects by downloading and executing trojan after visiting a prepared web page.

Written in Delphi, Source included

Released in June 2003

Made in Germany

Server: 
dropped file:
C:\WINDOWS\Firewall.exe 

size: 399.872 bytes

startup:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "Firewall" 


remark:
Used  method:
Microsoft Internet Explorer (unpatched) contains a vulnerability that can allow script code 
within an HTML document to run an embedded executable file. Since the file is an HTML file,
Internet Explorer will open and parse the file. When the script that points back 
to the embedded executable is parsed, the embedded executable will run on the client
system in the security context of Internet Explorer. 
(Securityfocus)