by satan_addict
Released in December 2004
Client:

dropped files:
c:\WINDOWS\JNR#01.EXE size: 1.456.128 bytes (Backdoor.Win32.Outbreak.023)
c:\WINDOWS\JNR$01.EXE size: 89.600 bytes (Backdoor.Win32.Rbot.ea)
c:\WINDOWS\system32\win32api.exe size: 89.600 bytes (Backdoor.Win32.Rbot.ea)

port: 1033 TCP

added to registry:
HKEY_CURRENT_USER\Software\Microsoft\OLE
"Win32 API Start" data: win32api.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache
"c:\windows\JNR#01.EXE" data: JNR#01
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"Win32 API Start" data: win32api.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
"Win32 API Start" data: win32api.exe

Server:

dropped file:
c:\WINDOWS\Server.exe size: 94.210 bytes

added to registry:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SERVER\0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Server\Enum
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Server\Security
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\l
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SERVER\0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Server\Enum
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Server\Security

tested on Windows XP
December 03, 2004
MegaSecurity