by ?
Written in Visual C++
Released in September 2004
dropped file:
c:\WINDOWS\system32\w32.exe
size: 39.936 bytes

port: 9687, %random_port% TCP

added to registry:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "w32"
data: w32.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "w32"
data: w32.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices "w32"
data: w32.exe
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\w32
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\w32
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\w32\Security
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\1
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\w32
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\w32
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\w32\Security

Every 20 minutes a notification request is sent via HTTP to www.earthlabs.biz

tested on Windows XP

MegaSecurity