Glacier 2.2 Darksun - Malware Gallery

Informations

From	China
Author	Y2KZERO
Family	Glacier
Category	Remote Access
Version	Glacier 2.2 Darksun
Language	Delphi, compressed with UPX

Additional Information

Server:
dropped files:
c:\WINNT\system32\Exp1orer.EXE    size: 338.068 bytes 
c:\WINNT\system32\EXPL0RER.EXE    size: 338.068 bytes 
	
port: 7636, 7718 TCP

added to registry:
HKEY_CLASSES_ROOT\txtfile\shell\open\command "(Default)"
old data: %SystemRoot%\system32\NOTEPAD.EXE %1 
new data: C:\WINNT\system32\Exp1orer.EXE %1 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "(Default)"
data: 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "EXPL0RER"
data: C:\WINNT\system32\EXPL0RER.EXE 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices "(Default)"
data: 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices "EXPL0RER"
data: C:\WINNT\system32\EXPL0RER.EXE 

HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings "EnableAutodial"

HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings "EnableAutodisconnect" 

tested on Windows XP
November 24, 2004