DarkSky (d) server
(Backdoor.Win32.DarkSky.d)

by Darksky

Written in Visual C++, compressed with UPX


Made in China

more versions 


Dropped files:
c:\WINDOWS\system32\KNREL32.exe     size: 41,472 bytes 
c:\WINDOWS\system32\notepade.exe    size: 41,472 bytes 
c:\WINDOWS\system32\SysArchive.exe  size: 41,472 bytes 

port: 5418, 5419 TCP

startup:
HKEY_CLASSES_ROOT\.txt\shell\open\command "(Default)"
data: C:\WINDOWS\System32\notepade.exe %1 

HKEY_CLASSES_ROOT\txtfile.txt\shell\open\command "(Default)"
data: C:\WINDOWS\System32\notepade.exe %1 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "SysArchive"
data: SysArchive.exe 

HKEY_CLASSES_ROOT\comfile\shell\open\command "(Default)"
old data: "%1" %* 
new data: C:\WINDOWS\System32\KNREL32.exe "%1" %* 

HKEY_CLASSES_ROOT\exefile\shell\open\command "(Default)"
old data: "%1" %* 
new data: C:\WINDOWS\System32\KNREL32.exe "%1" %* 

HKEY_CLASSES_ROOT\txtfile\shell\open\command "(Default)"
old data: %SystemRoot%\system32\NOTEPAD.EXE %1 
new data: C:\WINDOWS\System32\notepade.exe %1 


tested on Windows XP
January 10, 2005
MegaSecurity