by heroin
Released in August 2004
heroin

dropped file: c:\WINDOWS\system32\svchost.exe
size: 67.584 bytes
port: 1023 TCP

added to registry:
HKEY_CLASSES_ROOT\.exe
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WMI-CLIENT\0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Eventlog\Application\svchost
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WMI-Client\Enum
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WMI-Client\Security
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WMI-CLIENT\0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\svchost
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WMI-Client\Enum
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WMI-Client\Security

tested on Windows XP