Trojan-Dropper.Win32.Small.cub analysis

Add date: 07/09/2008 Publishing date: 07/09/2008 Hits: 19

Total 2 pages, Current page:1, Jump to page:

Viral label:
Viral name: Trojan-Dropper.Win32.Small.cub
Viral type: Wooden horse class
Document MD5: 285B3DF663A4EA86349B0AB54B297A6F
Public scope: Completely public
Harm rank: 4
Document length: 1,227,891 bytes
Infection system: Windows98 above edition
Development kit: Easy language
Adds the shell type: Does not have

Viral description:
This virus belongs brushes the current capacity class wooden horse, after the viral movement, judgment current procedure filename and way whether is
%System32% \ XP-C300C3AC.EXE, if is not this way and the filename, will transfer the resources supervisor to open works as
Under first table of contents and folder of the same name; If the folder will not exist will spring is unable to find folder's wrong prompt, duplicate
System oneself to %System32% tables of contents, and grows the storehouse document which the virus configuration files as well as the easy language movement to need; Repairing
Changes the registry increase start item, causes the viral document to move along with the system initiation; The linked network visit assigns the stand, for is visited
Asked the website brushes the current capacity; After infecting the computer turning on migration floppy disk, the viral advancement traversal under the motion floppy disk root directory
The folder, grows oneself to move under the floppy disk root directory, changes the name for the folder name which examines, revises the original folder is
The nature is the hideaway, causes the user when other computer use migration floppy disk turns on its folder moves the virus, achieves the motion magnetism
Plate infection virus's goal; After the viral movement finished, deleted oneself.
¡¡¡¡Is brushed the website (http://hi.baidu.com/sile*****) approximately by each second 10 visit quantity speed refurbishing,
And a card's visit quantity reaches as high as above 500,000, has the quite serious influence to the network normal use.

Behavioral analysis:
Local behavior:
1st, after document movement, will release the following document:
¡¡¡¡¡¡¡¡%System32% \ com.run ¡¡¡¡¡¡¡¡266,240 bytes
¡¡¡¡¡¡¡¡%System32% \ dp1.fne ¡¡¡¡¡¡¡¡114,688 bytes
¡¡¡¡¡¡¡¡%System32% \ eAPI.fne ¡¡¡¡¡¡ 323,584 bytes
¡¡¡¡¡¡¡¡%System32% \ internet.fne ¡¡ 184,320 bytes
¡¡¡¡¡¡¡¡%System32% \ krnln.fnr ¡¡¡¡¡¡1,097,728 bytes
¡¡¡¡¡¡¡¡%System32% \ og.dll ¡¡¡¡¡¡¡¡¡¡692 bytes
¡¡¡¡¡¡¡¡%System32% \ og.edt ¡¡¡¡¡¡¡¡¡¡512 bytes
¡¡¡¡¡¡¡¡%System32% \ RegEx.fne ¡¡¡¡¡¡ 167,936 bytes
¡¡¡¡¡¡¡¡%System32% \ shell.fne ¡¡¡¡¡¡ 40,960 bytes
¡¡¡¡¡¡¡¡%System32% \ spec.fne ¡¡¡¡¡¡¡¡73,728 bytes
¡¡¡¡¡¡¡¡%System32% \ ul.dll ¡¡¡¡¡¡¡¡ 2404 bytes
¡¡¡¡¡¡¡¡%System32% \ XP-C300C3AC.EXE 1,227,891 bytes
2nd, additional registry:
¡¡¡¡¡¡¡¡
¡¡¡¡¡¡¡¡[HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft
¡¡¡¡¡¡¡¡\ Windows \ CurrentVersion \ Run]
¡¡¡¡¡¡¡¡Registration tabular value: “XP-C300C3AC”
¡¡¡¡¡¡¡¡Type: REG_SZ
¡¡¡¡¡¡¡¡Value: “C:\WINDOWS\system32\XP - C300C3AC.EXE”
¡¡¡¡¡¡¡¡Description: The start item, causes under the way document which assigns along with system's start to move.

Other pages: : 1 * 2 * Next>>

Prev:Everybody may kill the poisonous small move to throw off the big wooden horse

Next:The resistance kills the poisonous software

Comment:

Category: Home > the virus to be related