by Khaled
Written in Visual Basic
Released in February 2006
Backdoor/Worm coded by Khaled

functions:
this trojan spreads via IRC, network and Outlook

Server:
dropped files:
c:\Security.vbs Size: 741 bytes
c:\dlls\ArabicStrip.wma.exe Size: 49,152 bytes
c:\dlls\FuckFuckFuck.mpg.exe Size: 49,152 bytes
c:\dlls\FuckMovie.wma.exe Size: 49,152 bytes
c:\dlls\HotMovie.wma.exe Size: 49,152 bytes
c:\dlls\mailit.vbs Size: 895 bytes
c:\dlls\MissLebanon.jpg.exe Size: 49,152 bytes
c:\dlls\MyFirstSex.wma.exe Size: 49,152 bytes
c:\dlls\SexCaptured.jpg.exe Size: 49,152 bytes
c:\dlls\SexMovie.mpg.exe Size: 49,152 bytes
c:\dlls\SexyArabicGirl.jpg.exe Size: 49,152 bytes
c:\dlls\SexyHaifa.jpg.exe Size: 49,152 bytes
c:\dlls\SexyLebaneseGirl.jpg.exe Size: 49,152 bytes
c:\dlls\SexyNancy.jpg.exe Size: 49,152 bytes
c:\dlls\StolenSexVideo.wma.exe Size: 49,152 bytes
c:\dlls\WindowsScreen.vbs Size: 407 bytes
c:\WINDOWS\[email protected] Size: 93 bytes
c:\WINDOWS\system32\NancyAjram.exe Size: 49,152 bytes

added to registry:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
"NoDrives"
data: FF, FF, FF, 03

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
"NoRun"
data: 01, 00, 00, 00

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
"DisableRegistryTools"
data: 01, 00, 00, 00

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
"NoAdminPage"
data: 01, 00, 00, 00

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\WinOldApp
"Disabled"
data: 01, 00, 00, 00

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"Ya Salam"
data: C:\WINDOWS\System32\NancyAjram.exe

tested on Windows XP
June 14, 2006
MegaSecurity