Marmoolak 1.172

Marmoolak 1.172
(HackTool.Win32.VB.er for SETUP.EXE)
(Not detected by KAV on September 25, 2006)

by Red Move

Written in Visual Basic

Released in September 2006

Made in Iran


Server:
dropped file:
c:\WINDOWS\system32\Mcsng.exe
size: 17,732 bytes 

startup:
HKEY_CLASSES_ROOT\exefile\shell\open\command "(Default)"
old data: "%1" %* 
new data: Mcsng.exe opext "%1" %* 



tested on Windows XP
September 25, 2006

MegaSecurity