by ?
Written in VBScript, compressed with UPX
Released in January 2004
Made in ?
Server:
dropped file: c:\%WinDir%\svchost.exe
size: 13.824 bytes
port: 10002, 1154 TCP
startup: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "Online Service"
registry added: HKEY_LOCAL_MACHINE\Software\Microsoft\Mserv "IDwin"

dropped files:
c:\WINDOWS\mserv.exe (Trojan.Win32.Killav.br)
c:\WINDOWS\msto32.dll (Backdoor.Tonerok)
c:\WINDOWS\sysini.ini (contents: "***Computer was successfully infected***")
c:\WINDOWS\SYSTEM\wingua.exe (Trojan.Win32.Killav.br)
c:\WINDOWS\svchost.exe (Backdoor.Tonerok)

Backdoor.Tonerok tries to download and execute several files (1.exe, 2.exe and 3.exe) from "http://trojanerdok.narod.ru" (Russia). It is capable of disabling some anti-virus programs. The content of the folders "c:\WINDOWS\Cookies\" and "c:\WINDOWS\Temporary Internet Files\" is deleted.

MegaSecurity