VBS Webdownloader (b)
(TrojanDownloader.VBS.Iwill.b)

by ?

Released in September 2003

more versions


Infection:
By visiting a prepared webpage, an HTA application is run on the client machine.
The Visual Basic script (TrojanDownloader.VBS.Iwill.b) embedded in the HTA application downloads a file named "S.EXE".

S.EXE (size 1.199 bytes) (not detected by AVP on September 18, 2003)
will download and execute the following server:
c:\WINDOWS\TEMP\MSCONFIG.EXE (OptixLite 5.0 server, aka Backdoor.Delf.em)

size: 44.033 bytes 

port: 45454 TCP

startup:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "MSCONFIG" 
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices "MSCONFIG" 
HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{9EC0745F-CAD3-628A-48E9-02B9AFEC8E74} "StubPath" 
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\User Shell Folders "Common Startup" 
Data: C:\WINDOWS\Temp 

registry added:
HKEY_LOCAL_MACHINE\Software\EES 
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Hardware Profiles\Current\Software\Microsoft\windows\CurrentVersion\Internet Settings "EnableAutodial" 
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\User Shell Folders "Common Startup" 
Data: C:\WINDOWS\Temp 
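The persistence points listed above (the Run and RunServices entries named after a legitimate Windows tool, the Active Setup StubPath under the CLSID shown, the "Common Startup" shell folder redirected to the Temp directory, and the Software\EES key) can be checked offline against a registry export. The script below is an added defensive example, not code from the MegaSecurity entry or from the malware itself; the .reg text it scans is constructed sample input built from the keys on this page, with one benign Run entry mixed in so the filter has something to ignore.

```python
"""Scan a Windows .reg export for the persistence entries described on this
page (OptixLite 5.0 server / Backdoor.Delf.em).

Added example, not part of the original entry. SAMPLE_REG is constructed
sample input; the key paths and value names come from the page."""
import re
import sys

HKLM = "HKEY_LOCAL_MACHINE"
RUN_KEYS = [
    HKLM + r"\Software\Microsoft\Windows\CurrentVersion\Run",
    HKLM + r"\Software\Microsoft\Windows\CurrentVersion\RunServices",
]
ACTIVE_SETUP_CLSID = "{9EC0745F-CAD3-628A-48E9-02B9AFEC8E74}"
ACTIVE_SETUP_KEY = (HKLM + r"\Software\Microsoft\Active Setup\Installed Components"
                    + "\\" + ACTIVE_SETUP_CLSID)
USER_SHELL_FOLDERS = HKLM + r"\Software\Microsoft\Windows\CurrentVersion\explorer\User Shell Folders"
MARKER_KEY = HKLM + r"\Software\EES"

# Constructed sample: what an export of the affected keys might look like.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE"
"MSCONFIG"="c:\\WINDOWS\\TEMP\\MSCONFIG.EXE"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"MSCONFIG"="c:\\WINDOWS\\TEMP\\MSCONFIG.EXE"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{9EC0745F-CAD3-628A-48E9-02B9AFEC8E74}]
"StubPath"="c:\\WINDOWS\\TEMP\\MSCONFIG.EXE"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\User Shell Folders]
"Common Startup"="C:\\WINDOWS\\Temp"

[HKEY_LOCAL_MACHINE\Software\EES]
"""


def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: data}}.
    Only string values ("name"="data") are needed here; other types are skipped."""
    reg = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            reg.setdefault(current, {})
            continue
        m = re.match(r'^"(.+?)"="(.*)"$', line)
        if m and current is not None:
            # .reg escapes backslashes and quotes inside string data
            data = m.group(2).replace("\\\\", "\\").replace('\\"', '"')
            reg[current][m.group(1)] = data
    return reg


def find_indicators(reg):
    """Return (key, value_name, data, reason) for each entry matching the page's IoCs.
    Registry key names are case-insensitive, so lookups are lower-cased."""
    lowered = {k.lower(): v for k, v in reg.items()}
    get = lambda key: lowered.get(key.lower(), {})
    hits = []
    for key in RUN_KEYS:
        for name, data in get(key).items():
            # The genuine msconfig.exe is never launched from a Temp directory.
            if name.lower() == "msconfig" or "\\temp\\" in data.lower():
                hits.append((key, name, data, "autorun named MSCONFIG or launching from Temp"))
    stub = get(ACTIVE_SETUP_KEY).get("StubPath")
    if stub is not None:
        hits.append((ACTIVE_SETUP_KEY, "StubPath", stub, "Active Setup StubPath under the listed CLSID"))
    startup = get(USER_SHELL_FOLDERS).get("Common Startup")
    if startup is not None and startup.lower().rstrip("\\").endswith("\\temp"):
        # Everything dropped into Temp would then run at every logon.
        hits.append((USER_SHELL_FOLDERS, "Common Startup", startup, "Common Startup redirected to Temp"))
    if MARKER_KEY.lower() in lowered:
        hits.append((MARKER_KEY, None, None, "marker key added by the server"))
    return hits


if __name__ == "__main__":
    # Usage: python scan_reg.py [export.reg]   (reg.exe writes UTF-16 exports)
    text = open(sys.argv[1], encoding="utf-16").read() if len(sys.argv) > 1 else SAMPLE_REG
    for key, name, data, reason in find_indicators(parse_reg(text)):
        print(f"{reason}: {key} {name or ''} {data or ''}".rstrip())
```

Run against a real export made with `reg export HKLM\Software out.reg` (UTF-16, hence the encoding argument); against the constructed sample it reports five entries and ignores the benign SoundMan value.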


files added:
c:\WINDOWS\TEMP\MSCONFIG.EXE
c:\WINUPDATE.EXE 
c:\WINDOWS\Temporary Internet Files\Content.IE5\41YBG9MZ\o[1].exe 

all three files are Backdoor.Delf.em, size: 44.033 bytes 

MegaSecurity