by huaxingin & tengzhenin
Written in Delphi
Released in December 2002
Made in China
Client:
size: 585.216 bytes
port: 2101, 2222 TCP
Servers:
c:\WINDOWS\SYSTEM\GIRL.EXE
C:\WINDOWS\TEMP\RunDll.exe
size: 247.296 bytes
port: 6711, 1133, 1183, 8311 TCP
startup:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices "(Default)"
HKEY_CLASSES_ROOT\txtfile\shell\open\command "(Default)"
added to registry:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\system "DisableRegistryTools"
added files:
c:\WINDOWS\SYSTEMdesktop.ini
c:\WINDOWS\SYSTEMfolder.htt
c:\WINDOWS\SYSTEM\GIRL.EXE
c:\WINDOWS\SYSTEM\WinPlayer.EXE
c:\WINDOWS\TEMP\desktop.ini
c:\WINDOWS\TEMP\folder.htt
C:\WINDOWS\TEMP\RunDll.exe
MegaSecurity