by KodaPT
Written in Visual Basic
Released in September 2001
Server:

dropped files:
c:\WINNT\.exe  size: 131.072 bytes
c:\WINNT\Cache\.exe  size: 131.072 bytes
c:\WINNT\system32\server.dll  size: 167 bytes
c:\WINNT\system32\dllcache\regedit.exe  size: 73.488 bytes

added to registry:

HKEY_CURRENT_USER\Software\VB and VBA Program Settings\server\Main
"SelfPath"
data: C:\Program Files\DK\server.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"(Default)"
data: C:\WINNT\.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
"Shell"
old data: Explorer.exe
new data: Explorer.exe C:\WINNT\.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}
"StubPath"
old data: "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
new data: C:\WINNT\.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
"Common Startup"
old data: %ALLUSERSPROFILE%\Start Menu\Programs\Startup
new data: C:\WINNT\Cache

changed:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
"Startup"
old data: C:\Documents and Settings\%user%\Start Menu\Programs\Startup
new data: C:\WINNT\Cache

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
"Startup"
old data: %USERPROFILE%\Start Menu\Programs\Startup
new data: C:\WINNT\Cache

tested on Windows XP
December 19, 2004
MegaSecurity