Backdoor.Win32.VB.ade
(Backdoor.Win32.VB.ade)

by ?

Original Filename: CTFMON.EXE

Written in Visual Basic


dropped / changed:
c:\WINDOWS\system32\dllcache\ctfmon.exe
old size: 13,312 bytes 
new size: 12,192 bytes 

port: 21678 TCP

startup:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "ctfmon"
data: C:\WINDOWS\system32\ctfmon.exe 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{F5776D81-AE53-4935-8E84-B0B284D4BCEF} "StubPath"
data: C:\WINDOWS\system32\dllcache\ctfmon.exe 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "ctfmon"
data: C:\WINDOWS\system32\ctfmon.exe 


tested on Windows XP 
February 14, 2006

MegaSecurity