by ?
Released in September 2003
Infection: By visiting a prepared web page, an HTA (HTML Application) is run on the client machine. The Visual Basic script (TrojanDownloader.VBS.Iwill.b) embedded in the HTA downloads a file named "S.EXE". S.EXE (size: 1.199 bytes; not detected by AVP on September 18, 2003) downloads and executes the following server:

c:\WINDOWS\TEMP\MSCONFIG.EXE (OptixLite 5.0 server aka Backdoor.Delf.em)
size: 44.033 bytes
port: 45454 TCP

startup:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "MSCONFIG"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices "MSCONFIG"
HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{9EC0745F-CAD3-628A-48E9-02B9AFEC8E74} "StubPath"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\User Shell Folders "Common Startup" Data: C:\WINDOWS\Temp
(Redirecting the all-users "Common Startup" folder to C:\WINDOWS\Temp makes Explorer launch the contents of the Temp directory, where the server is dropped, at every logon; this is a fourth autostart path in addition to the Run, RunServices and Active Setup entries.)

registry added:
HKEY_LOCAL_MACHINE\Software\EES
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Hardware Profiles\Current\Software\Microsoft\windows\CurrentVersion\Internet Settings "EnableAutodial"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\User Shell Folders "Common Startup" Data: C:\WINDOWS\Temp

files added:
c:\WINDOWS\TEMP\MSCONFIG.EXE
c:\WINUPDATE.EXE
c:\WINDOWS\Temporary Internet Files\Content.IE5\41YBG9MZ\o[1].exe
all (Backdoor.Delf.em), size: 44.033 bytes
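The persistence points listed above can be checked offline against a registry export. The script below is an added example, not code from the original page or from the trojan's author: it parses a Windows .reg export (REGEDIT4 / "Windows Registry Editor Version 5.00" text) and flags Run/RunServices values that launch a binary from a temp directory or masquerade as MSCONFIG, Active Setup StubPath entries pointing into a temp directory, a "Common Startup" shell folder redirected to a temp directory, and the HKLM\Software\EES marker key. The sample export embedded in the script is constructed; the page does not give the data of the StubPath or EnableAutodial values, so the values shown for those are assumptions, and EnableAutodial is deliberately not scored because its data is unknown.

```python
"""Offline IOC check for the OptixLite 5.0 / Backdoor.Delf.em persistence
described on this page (added example; the sample export is constructed)."""
import re
from dataclasses import dataclass

# Autostart locations named on the page. Keys compare case-insensitively.
RUN_KEY_RE = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\Run(Services|Once|ServicesOnce)?$", re.I)
ACTIVE_SETUP_RE = re.compile(
    r"\\Microsoft\\Active Setup\\Installed Components\\\{[0-9A-F-]+\}$", re.I)
SHELL_FOLDERS_RE = re.compile(r"\\Explorer\\User Shell Folders$", re.I)
MARKER_KEYS = {r"HKEY_LOCAL_MACHINE\SOFTWARE\EES"}
# A path element named "Temp" or the IE cache; "\Templates\" must not match.
TEMP_RE = re.compile(r"\\temp(\\|$)|\\temporary internet files\\", re.I)


@dataclass(frozen=True)
class Finding:
    key: str
    name: str
    data: str
    reason: str


_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def _unescape(s):
    # .reg string values escape backslashes and double quotes.
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg(text):
    """Yield (key, name, data). A bare (key, None, None) marks key presence.
    Only REG_SZ data is decoded; other types keep their raw .reg token."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = _KEY_RE.match(line)
        if m:
            key = m.group(1)
            yield key, None, None
            continue
        m = _VALUE_RE.match(line)
        if m and key is not None:
            name = _unescape(m.group(1)) if m.group(1) is not None else "@"
            data = m.group(2).strip()
            if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                data = _unescape(data[1:-1])
            yield key, name, data


def find_optixlite_persistence(reg_text):
    findings = []
    for key, name, data in parse_reg(reg_text):
        if name is None:
            if key.upper() in MARKER_KEYS:
                findings.append(Finding(key, "", "", "marker key written by the dropper"))
            continue
        if RUN_KEY_RE.search(key) and (name.upper() == "MSCONFIG" or TEMP_RE.search(data)):
            # The real msconfig never runs from Temp, and never from a Run value.
            findings.append(Finding(key, name, data,
                                    "autostart value launching a temp-directory binary / msconfig lookalike"))
        elif ACTIVE_SETUP_RE.search(key) and name.lower() == "stubpath" and TEMP_RE.search(data):
            findings.append(Finding(key, name, data, "Active Setup StubPath runs a temp-directory binary at logon"))
        elif SHELL_FOLDERS_RE.search(key) and name.lower() in ("common startup", "startup") \
                and TEMP_RE.search(data):
            findings.append(Finding(key, name, data, "startup folder redirected to a temp directory"))
    return findings


# Constructed export reproducing the page's entries plus one benign Run value.
# StubPath data and the EnableAutodial value are assumptions (not given on the page).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"MSCONFIG"="C:\\WINDOWS\\TEMP\\MSCONFIG.EXE"
"Adobe"="C:\\Program Files\\Adobe\\reader.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"MSCONFIG"="C:\\WINDOWS\\TEMP\\MSCONFIG.EXE"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{9EC0745F-CAD3-628A-48E9-02B9AFEC8E74}]
"StubPath"="C:\\WINDOWS\\TEMP\\MSCONFIG.EXE"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\User Shell Folders]
"Common Startup"="C:\\WINDOWS\\Temp"

[HKEY_LOCAL_MACHINE\Software\EES]

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Hardware Profiles\Current\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"EnableAutodial"=dword:00000001
'''

if __name__ == "__main__":
    for f in find_optixlite_persistence(SAMPLE_REG):
        print(f"{f.reason}: {f.key} [{f.name}] = {f.data}")
```

On a live machine, produce the input with `reg export HKLM hklm.reg` and pass the file contents to find_optixlite_persistence(); the benign "Adobe" value in the sample is there to show that ordinary Run entries are not reported.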