Type: Trojan
Source: Sophos
System: Windows
Behavior:
Copies itself to:
c:\Documents and Settings\test user\Application Data\Newatl\winpack.exe
Found in:
c:\Documents and Settings\test user\Local Settings\Temp\7dc1_appcompat.txt
c:\Documents and Settings\test user\Local Settings\Temp\7de1_appcompat.txt
c:\Documents and Settings\test user\Local Settings\Temp\97a3_appcompat.txt
c:\Documents and Settings\test user\Local Settings\Temp\7e18_appcompat.txt
c:\Documents and Settings\test user\Local Settings\Temp\9b74_appcompat.txt
c:\Documents and Settings\test user\Local Settings\Temp\870d_appcompat.txt
c:\Documents and Settings\test user\Local Settings\Temp\8938_appcompat.txt
Adds to the registry:
* HKCU\Software\Faxlink
64289043340=
50 11 b9 65 cb 18 fe 1f d2 8f 12 c7 73 0a 20 75
* HKCU\Software\Microsoft\Internet Explorer\Main
XMLHTTP=
0x00000001
* HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Crtlink=
c:\Documents and Settings\test user\Application Data\Newatl\winpack.exe
Created process:
c:\windows\explorer.exe
May create processes:
* c:\truecrypt\truecrypt.exe
* c:\windows\system32\cmd.exe
* c:\windows\system32\ctfmon.exe
* c:\windows\system32\sc.exe
* c:\windows\system32\shutdown.exe