by ?
Written in Visual Basic
Backdoor.Win32.VB.xa:

dropped files:
c:\WINDOWS\00078dx
Size: 50 bytes
c:\WINDOWS\NEGunbot.exe
Size: 52,224 bytes (Backdoor.Win32.Agent.ea)
c:\WINDOWS\scvhost.exe
Size: 495,685 bytes

port: 30999 TCP

added to registry:

HKEY_CLASSES_ROOT\exefile\shell\open\command
"(Default)"
old data: "%1" %*
new data: c:\WINDOWS\scvhost.exe "%1" %*

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"Kobayashi"
data: c:\WINDOWS\scvhost.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
"Kobayashi"
data: c:\WINDOWS\scvhost.exe /RunOnce

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
"Kobayashi"
data: c:\WINDOWS\scvhost.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
"DisableRegistryTools"
data: 01, 00, 00, 00

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
"DisableTaskmgr"
data: 01, 00, 00, 00

tested on Windows XP
July 30, 2005
MegaSecurity