by ?
Released in September 2003
Infection:
By visiting a prepared webpage a HTA application is run on the client machine.
The Visual Basic script (TrojanDownloader.VBS.Iwill.b) embedded in the HTA application will download a file named "S.EXE".
S.EXE (size 1.199 bytes)(Not detected by AVP on september 18, 2003)
will download and execute following server:
c:\WINDOWS\TEMP\MSCONFIG.EXE (OptixLite 5.0 server aka Backdoor.Delf.em)
size: 44.033 bytes
port: 45454 TCP
startup:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "MSCONFIG"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices "MSCONFIG"
HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{9EC0745F-CAD3-628A-48E9-02B9AFEC8E74} "StubPath"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\User Shell Folders "Common Startup"
Data: C:\WINDOWS\Temp
registry added:
HKEY_LOCAL_MACHINE\Software\EES
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Hardware Profiles\Current\Software\Microsoft\windows\CurrentVersion\Internet Settings "EnableAutodial"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\User Shell Folders "Common Startup"
Data: C:\WINDOWS\Temp
files added:
c:\WINDOWS\TEMP\MSCONFIG.EXE
c:\WINUPDATE.EXE
c:\WINDOWS\Temporary Internet Files\Content.IE5\41YBG9MZ\o[1].exe
all (Backdoor.Delf.em) and size: 44.033 bytes
MegaSecurity