TrojanProxy.Win32.Mitglieder.a
Description TrojanProxy.Win32.Mitglieder.a
This Trojan program enables the attacker to use the infected computer as a mail proxy server. It runs under Windows and is approximately 9KB in size, compressed using UPX. The decompressed file is approximately 35KB.

Installation

When launched, the Trojan copies itself to the Windows system directory under the name 'system.exe'.

To enable autorun, the Trojan creates the following key in the system registry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
ssgrate.exe = %system%\system.exe

The Trojan then attempts to connect to several remote servers to transmit information about the infected computer (IP address etc.) to the author of the worm. The program opens port 39999 on the infected machine and installs itself as a proxy server. Once this has been done, the infected machine can be used in spamming.

Other

The Trojan searches for the following processes in memory and attempts to stop them from working:

ATUPDATER.EXE
AVWUPD32.EXE
AVPUPD.EXE
LUALL.EXE
DRWEBUPW.EXE
ICSSUPPNT.EXE
ICSUPP95.EXE
UPDATE.EXE
NUPGRADE.EXE
ATUPDATER.EXE
AUPDATE.EXE
AUTODOWN.EXE
AUTOTRACE.EXE
AUTOUPDATE.EXE
AVXQUAR.EXE
CFIAUDIT.EXE
MCUPDATE.EXE
NUPGRADE.EXE
RP.b
Description RP.b
This is a memory-resident boot virus. It hooks INT 12h and INT 13h and writes itself to the MBR of the hard drive and to the boot sector of floppy disks. In May, the virus decrypts and displays the following message:

Only bugs exist! RP 1995 Bucharest
RP.Lazar.a
Description RP.Lazar.a
This is a memory-resident boot virus. It hooks INT 12h and INT 13h and writes itself to the MBR of the hard drive and to the boot sector of floppy disks. In May, the virus decrypts and displays the following message:

REMEMBER PROMOTION 95 (GH. LAZÅR)! RP