Backdoor.Win32.VB.xp

by ?

Written in Visual Basic, compressed with UPX

The system reboots after clicking "OK".

Backdoor.Win32.VB.xp:
dropped files:
c:\time.bat             size: 12 bytes
c:\WINDOWS\esclave.vbs  size: 48 bytes
c:\WINDOWS\hosts        size: 358 bytes
c:\WINDOWS\msslave.exe  size: 22,528 bytes
c:\winnt\msslave.exe    size: 22,528 bytes

added to or changed in the registry:
HKEY_CLASSES_ROOT\helpfile\shell\open\command "(Default)"
Old data: winhlp32.exe %1 
New data: msslave.exe %1 

HKEY_CLASSES_ROOT\htmlfile\shell\open\command "(Default)"
Old data: "C:\Program Files\Internet Explorer\iexplore.exe" -nohome 
New data: msslave.exe -nohome 

HKEY_CLASSES_ROOT\RDP.File "FriendlyTypeName"
Old data: @C:\WINDOWS\System32\mstsc.exe,-4004 
New data: @msslave.exe, -4004 

HKEY_CLASSES_ROOT\txtfile\shell\open\command "(Default)"
Old data: %SystemRoot%\system32\NOTEPAD.EXE %1 
New data: msslave.exe %1  


HKEY_CURRENT_USER\AppEvents\Schemes\Apps\.Default\minimize.Default "(Default)"
Data: esclave.vbs 

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer "NoRun"
Data: 01, 00, 00, 00 

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableRegistryTools"
Data: 01, 00, 00, 00 

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableTaskMgr"
Data: 01, 00, 00, 00 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Mcafee"
Data: sp3.exe 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Service Pack 3"
Data: msslave.exe 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices "norton auto-protect"
Data: msslave.exe 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update "(Default)"
Data: msslave.exe 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion "ProductId"
Data: Agent Hacker-W32.Slave@mm 

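The following report-only triage script is an added example and is not part of the MegaSecurity write-up. It checks a Windows host for the dropped files, hijacked file-association handlers, Run/RunServices persistence and lockout policies listed above, then generalises the hijack check to every HKCR ProgID whose shell\open\command starts with a bare file name. It assumes an elevated PowerShell session, reads the report's "minimize.Default" key as Minimize\.Default, and uses "RunServices" for the report's "runservices-" entry (both assumptions).

```powershell
# Added example (not the MegaSecurity page's own code). Assumes elevated
# PowerShell; key names for Minimize\.Default and RunServices are assumptions.
$suspect = @('msslave.exe', 'esclave.vbs', 'sp3.exe')   # file names from the report

# 1. Dropped files named in the report (Windows directory expanded from the environment).
$dropped = @("C:\time.bat", "$env:SystemRoot\esclave.vbs", "$env:SystemRoot\hosts",
             "$env:SystemRoot\msslave.exe", "C:\winnt\msslave.exe")
foreach ($f in $dropped) {
    if (Test-Path $f) { Write-Warning "dropped file present: $f ($((Get-Item $f).Length) bytes)" }
}

# 2. Persistence and hijack locations from the report: flag any value naming a suspect file.
$keys = @('Registry::HKEY_CLASSES_ROOT\helpfile\shell\open\command',
          'Registry::HKEY_CLASSES_ROOT\htmlfile\shell\open\command',
          'Registry::HKEY_CLASSES_ROOT\txtfile\shell\open\command',
          'Registry::HKEY_CLASSES_ROOT\RDP.File',
          'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
          'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',
          'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update',
          'HKCU:\AppEvents\Schemes\Apps\.Default\Minimize\.Default')
foreach ($k in $keys) {
    if (-not (Test-Path $k)) { continue }
    foreach ($p in (Get-ItemProperty -Path $k).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }            # skip PSPath, PSParentPath, ...
        if ($suspect | Where-Object { "$($p.Value)" -match [regex]::Escape($_) }) {
            Write-Warning "$k [$($p.Name)] = $($p.Value)"
        }
    }
}

# 3. Policy values the report sets to 1 (they disable Run, regedit and Task Manager).
$policy = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies'
foreach ($pair in @(@{K="$policy\Explorer"; V='NoRun'}, @{K="$policy\System"; V='DisableRegistryTools'},
                    @{K="$policy\System"; V='DisableTaskMgr'})) {
    $val = (Get-ItemProperty -Path $pair.K -Name $pair.V -ErrorAction SilentlyContinue).($pair.V)
    if ($val -eq 1) { Write-Warning "$($pair.K) [$($pair.V)] = 1" }
}

# 4. Generic check: handlers that start with a bare file name instead of a full path.
#    A file of that name existing in the Windows directory proves nothing, as the
#    report shows msslave.exe is dropped exactly there, so every hit is listed for review.
foreach ($progId in Get-ChildItem 'Registry::HKEY_CLASSES_ROOT' -ErrorAction SilentlyContinue) {
    $cmdKey = Join-Path $progId.PSPath 'shell\open\command'
    if (-not (Test-Path $cmdKey)) { continue }
    $cmd = (Get-ItemProperty -Path $cmdKey).'(default)'; if (-not $cmd) { continue }
    $exe = if ($cmd -match '^"([^"]+)"') { $Matches[1] } else { ($cmd -split '\s+')[0] }
    if ($exe -notmatch '[\\:]') { Write-Output "$($progId.PSChildName): bare-name handler '$exe'" }
}
```

Legitimate bare-name handlers such as winhlp32.exe will also appear in the last section; compare each hit against the report's old values before acting on it.
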
performs a DoS (denial of service) against the following sites:
www.microsoft.com 
www.hotmail.com 
www.fbi.gov 
www.symantec.com 



tested on Windows XP
February 07, 2005

MegaSecurity