When it infects a system, the Trojan creates the following files:
%AllUsersProfile%\Msn\Msn2\aatd.bat
%AllUsersProfile%\Msn\Msn2\bms.klm
%AllUsersProfile%\Msn\Msn2\cond.reg
%AllUsersProfile%\Msn\Msn2\dd.vbs
%AllUsersProfile%\Msn\Msn2\icd.bat
%AllUsersProfile%\Msn\Msn2\ictd.bat
%AllUsersProfile%\Msn\Msn2\ied.bat
%AllUsersProfile%\Msn\Msn2\iewed.bat
%AllUsersProfile%\Msn\Msn2\image.exe
%AllUsersProfile%\Msn\Msn2\keeprun.ini
%AllUsersProfile%\Msn\Msn2\msnd.exe
%AllUsersProfile%\Msn\Msn2\picture viewer.exe
%AllUsersProfile%\Msn\Msn2\pid.PDF
%AllUsersProfile%\Msn\Msn2\sad.vbs
%SystemDrive%\Documents and Settings\All Users\Msn\Msn2\aatd.bat
%SystemDrive%\Documents and Settings\All Users\Msn\Msn2\bms.klm
%SystemDrive%\Documents and Settings\All Users\Msn\Msn2\cond.reg
%SystemDrive%\Documents and Settings\All Users\Msn\Msn2\dd.vbs
%SystemDrive%\Documents and Settings\All Users\Msn\Msn2\icd.bat
%SystemDrive%\Documents and Settings\All Users\Msn\Msn2\ictd.bat
%SystemDrive%\Documents and Settings\All Users\Msn\Msn2\ied.bat
%SystemDrive%\Documents and Settings\All Users\Msn\Msn2\iewed.bat
%SystemDrive%\Documents and Settings\All Users\Msn\Msn2\image.exe
%SystemDrive%\Documents and Settings\All Users\Msn\Msn2\keeprun.ini
%SystemDrive%\Documents and Settings\All Users\Msn\Msn2\msnd.exe
%SystemDrive%\Documents and Settings\All Users\Msn\Msn2\picture viewer.exe
%SystemDrive%\Documents and Settings\All Users\Msn\Msn2\pid.PDF
%SystemDrive%\Documents and Settings\All Users\Msn\Msn2\sad.vbs
%SystemDrive%\users\public\Public Document\aatd.bat
%SystemDrive%\users\public\Public Document\bms.klm
%SystemDrive%\users\public\Public Document\cond.reg
%SystemDrive%\users\public\Public Document\dd.vbs
%SystemDrive%\users\public\Public Document\icd.bat
%SystemDrive%\users\public\Public Document\ictd.bat
%SystemDrive%\users\public\Public Document\ied.bat
%SystemDrive%\users\public\Public Document\iewed.bat
%SystemDrive%\users\public\Public Document\image.exe
%SystemDrive%\users\public\Public Document\keeprun.ini
%SystemDrive%\users\public\Public Document\msn.klm
%SystemDrive%\users\public\Public Document\msnd.exe
%SystemDrive%\users\public\Public Document\PIC_[RANDOM CHARACTERS].[RANDOM CHARACTERS]
%SystemDrive%\users\public\Public Document\picture viewer.exe
%SystemDrive%\users\public\Public Document\pid.PDF
%SystemDrive%\users\public\Public Document\sad.vbs
%SystemDrive%\users\public\Public Document\wmsn.klm
It then adds itself to system startup by modifying the registry (note that the Run values reference the dropper directory through its 8.3 short path, Docume~1\AllUse~1, which is the same directory as %AllUsersProfile%\Msn\Msn2 above):
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"stat2" = "%SystemDrive%\Docume~1\AllUse~1\Msn\Msn2\aatd.bat"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"stat" = "%SystemDrive%\Docume~1\AllUse~1\Msn\Msn2\aatd.bat"
It also writes a Windows Firewall policy value; setting DoNotAllowExceptions to 0 means firewall exception rules are honoured, so the malware's own traffic is not blocked by the "Don't allow exceptions" setting:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\"DoNotAllowExceptions = 0"
Detected as a Hacktool and as a Trojan Horse, the malware sends the stolen information to a remote FTP server.
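The PowerShell triage script below is an added example, not part of the original post and not code from the analysis it quotes. It walks the indicators listed above on a live host: the three dropper directories and the file names in them, the two Run values ("stat" and "stat2") that point at aatd.bat, and the StandardProfile DoNotAllowExceptions value. It is read-only and removes nothing. Assumptions: %AllUsersProfile% resolves to C:\Documents and Settings\All Users on Windows XP/2003 (so the first two directory groups above are the same folder there) and to C:\ProgramData on Vista and later, which is why all three locations are checked on every OS version; the `PIC_*` file can only be matched by pattern because its name is random.

```powershell
# Added example: read-only host triage for the indicators described on this page.
# Not the original analyst's code; paths and registry values are taken from the list above.

# File names dropped into each of the three directories (union of all variants listed).
$fileNames = @(
    'aatd.bat', 'bms.klm', 'cond.reg', 'dd.vbs', 'icd.bat', 'ictd.bat', 'ied.bat', 'iewed.bat',
    'image.exe', 'keeprun.ini', 'msnd.exe', 'picture viewer.exe', 'pid.PDF', 'sad.vbs',
    'msn.klm', 'wmsn.klm'
)

# Assumption: on XP/2003 the first two entries are the same folder; on Vista+ %AllUsersProfile%
# is C:\ProgramData, so every variant is checked regardless of OS version.
$dropDirs = @(
    (Join-Path $env:ALLUSERSPROFILE 'Msn\Msn2'),
    (Join-Path $env:SystemDrive 'Documents and Settings\All Users\Msn\Msn2'),
    (Join-Path $env:SystemDrive 'users\public\Public Document')
)

function Find-DroppedFiles {
    $hits = foreach ($dir in $dropDirs) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        foreach ($name in $fileNames) {
            $p = Join-Path $dir $name
            if (Test-Path -LiteralPath $p) { Get-Item -LiteralPath $p -Force }
        }
        # PIC_[RANDOM CHARACTERS].[RANDOM CHARACTERS] has no fixed name; match the prefix only.
        Get-ChildItem -LiteralPath $dir -Filter 'PIC_*.*' -Force -ErrorAction SilentlyContinue
    }
    $hits | Select-Object FullName, Length, CreationTime, LastWriteTime
}

function Find-RunPersistence {
    $runKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($name in 'stat', 'stat2') {
            $value = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
            if ($null -ne $value) {
                [pscustomobject]@{
                    Key              = $key
                    Name             = $name
                    Value            = $value
                    # The page's values use the 8.3 short path; flag any value ending in aatd.bat.
                    MatchesIndicator = ($value -match 'aatd\.bat"?$')
                }
            }
        }
    }
}

function Get-FirewallExceptionsPolicy {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile'
    $v = (Get-ItemProperty -Path $key -Name 'DoNotAllowExceptions' -ErrorAction SilentlyContinue).DoNotAllowExceptions
    [pscustomobject]@{
        Key                  = $key
        DoNotAllowExceptions = $v
        # 0 (or absent) means exception rules are honoured. This is also the Windows default,
        # so on its own it corroborates the file and Run findings rather than proving infection.
        ExceptionsAllowed    = ($null -eq $v -or $v -eq 0)
    }
}

Write-Host '== Dropped files =='
Find-DroppedFiles | Format-Table -AutoSize
Write-Host '== Run-key persistence (stat / stat2) =='
Find-RunPersistence | Format-Table -AutoSize
Write-Host '== Firewall StandardProfile policy =='
Get-FirewallExceptionsPolicy | Format-List
```

Run it from an elevated PowerShell prompt so that HKLM and the All Users profile are readable. A hit on any dropped file or on a Run value ending in aatd.bat is a strong indicator; the firewall value alone is not, since 0 is the default, and the page gives no hash or FTP host, so this script deliberately checks only what is listed above.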