by Ali Moazemi
Released in June 2008
Made in Iran
Server Dropped Files:
c:\WINDOWS\winlogon.exe Size: 110,592 bytes
c:\WINDOWS\PCHealth\UploadLB\Config\csrss.exe Size: 71,881 bytes
c:\WINDOWS\system\sys.exe Size: 32,768 bytes
c:\WINDOWS\system\trdy.txt Size: 4 bytes
c:\WINDOWS\system32\svchot.exe Size: 71,881 bytes
c:\WINDOWS\system32\config\svchost.exe Size: 32,768 bytes
c:\WINDOWS\system32\drivers\etc\rundll32.exe Size: 110,592 bytes
c:\WINDOWS\system32\drivers\etc\setup.txt Size: 159 bytes
c:\WINDOWS\system32\Restore\up.exe Size: 71,881 bytes

Added to Registry:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "SystemFile" Data: winlogon.exe
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\stud "ImagePath" Data: %SystemRoot%\System32\config\svchost.exe /service
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\stud "ImagePath" Data: %SystemRoot%\System32\config\svchost.exe /service

Tested on Windows XP
August 04, 2008
MegaSecurity