Backdoor.Win32.VB.xa

by ?

Written in Visual Basic

Backdoor.Win32.VB.xa:
dropped files:
c:\WINDOWS\00078dx        Size: 50 bytes 
c:\WINDOWS\NEGunbot.exe   Size: 52,224 bytes    (Backdoor.Win32.Agent.ea)
c:\WINDOWS\scvhost.exe    Size: 495,685 bytes 

port: 30999 TCP

added to registry:
HKEY_CLASSES_ROOT\exefile\shell\open\command "(Default)"
old data: "%1" %* 
new data: c:\WINDOWS\scvhost.exe "%1" %* 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Kobayashi"
data: c:\WINDOWS\scvhost.exe 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce "Kobayashi"
data: c:\WINDOWS\scvhost.exe /RunOnce 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx "Kobayashi"
data: c:\WINDOWS\scvhost.exe 

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableRegistryTools"
data: 01, 00, 00, 00 
		
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableTaskmgr"
data: 01, 00, 00, 00 
			
tested on Windows XP
July 30, 2005

MegaSecurity