by ?
Written in Visual Basic, compressed with UPX
Backdoor.Win32.VB.xp:

dropped files:

c:\time.bat Size: 12 bytes
c:\WINDOWS\esclave.vbs Size: 48 bytes
c:\WINDOWS\hosts Size: 358 bytes
c:\WINDOWS\msslave.exe Size: 22,528 bytes
c:\winnt\msslave.exe Size: 22,528 bytes

added to registry:

HKEY_CLASSES_ROOT\helpfile\shell\open\command
"(Default)"
Old data: winhlp32.exe %1
New data: msslave.exe %1

HKEY_CLASSES_ROOT\htmlfile\shell\open\command
"(Default)"
Old data: "C:\Program Files\Internet Explorer\iexplore.exe" -nohome
New data: msslave.exe -nohome

HKEY_CLASSES_ROOT\RDP.File
"FriendlyTypeName"
Old data: @C:\WINDOWS\System32\mstsc.exe,-4004
New data: @msslave.exe, -4004

HKEY_CLASSES_ROOT\txtfile\shell\open\command
"(Default)"
Old data: %SystemRoot%\system32\NOTEPAD.EXE %1
New data: msslave.exe %1

HKEY_CURRENT_USER\AppEvents\Schemes\Apps\.Default\minimize.Default
"(Default)"
Data: esclave.vbs

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
"NoRun"
Data: 01, 00, 00, 00

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
"DisableRegistryTools"
Data: 01, 00, 00, 00

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
"DisableTaskMgr"
Data: 01, 00, 00, 00

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"Mcafee"
Data: sp3.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"Service Pack 3"
Data: msslave.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\runservices-
"norton auto-protect"
Data: msslave.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update
"(Default)"
Data: msslave.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\windowsnt\currentversion
"ProductId"
Data: Agent Hacker-W32.Slave@mm

performs a DoS on the following sites:

www.microsoft.com
www.hotmail.com
www.fbi.gov
www.symantec.com

tested on Windows XP
February 07, 2005
MegaSecurity