I Feel Lucky I Feel Very Lucky

Memory manager

Copyright © MegaSecurity

By ?

Informations
Author ?
Family Memory manager
Category TrojanDropper
Version Memory manager
Additional Information 
dropped files:
c:\win.dos    Size: 0 bytes 
c:\Memory manger2\data.dll        size: 188.928 bytes 
c:\Memory manger2\data.z          size: 17.408 bytes    (Backdoor.VB.an)
c:\Memory manger2\mem.dll         size: 24.064 bytes    (Backdoor.Tesk)
c:\Memory manger2\Memmanage.exe   size: 17.408 bytes    (Backdoor.Doly.16)
c:\Memory manger2\Mmgi.soc        size: 138.752 bytes 
c:\Memory manger2\Msys.z          size: 8.704 bytes     (Backdoor.Tesk)
c:\Memory manger2\Data\Jdata.reg  size: 1.238,116 bytes (TrojanDropper.Win32.BigJack.b)
c:\Memory manger2\Data\mem.z      size: 607.744 bytes   (Backdoor.ServU-based)
c:\Memory manger2\Data\su.z       size: 1.417 bytes 
c:\WINDOWS\Wings32.reg            size: 188.928 bytes 
c:\WINDOWS\winstart.bat           size: 102 bytes 
data:
@echo off copy C:\WINDOWS\Wings32.reg  C:\WINDOWS\Start Menu\Programs\StartUp\Mirabilis ICQ.exe
cls


c:\WINDOWS\system\serv-u.ini      size: 1.417 bytes 
c:\WINDOWS\system\windll16.sys    size: 60.7,744 bytes   (Backdoor.ServU-based)
c:\WINDOWS\system32\FS.ocx        size: 62.976 bytes 

added to registry:
HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}
HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Control
HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories
HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{0DE86A52-2BAA-11CF-A229-00AA003D7352}
HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{0DE86A53-2BAA-11CF-A229-00AA003D7352}
HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{0DE86A57-2BAA-11CF-A229-00AA003D7352}
HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{40FC6ED4-2438-11CF-A3DB-080036F12502}
HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}
HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32
HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus
HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\1
HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ProgID
HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Programmable
HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ToolboxBitmap32
HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib
HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Version
HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\VersionIndependentProgID
HKEY_CLASSES_ROOT\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}
HKEY_CLASSES_ROOT\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32
HKEY_CLASSES_ROOT\CLSID\{EFFEFC83-4447-11D2-A504-50846BC10000}
HKEY_CLASSES_ROOT\CLSID\{EFFEFC83-4447-11D2-A504-50846BC10000}\Control
HKEY_CLASSES_ROOT\CLSID\{EFFEFC83-4447-11D2-A504-50846BC10000}\Implemented Categories
HKEY_CLASSES_ROOT\CLSID\{EFFEFC83-4447-11D2-A504-50846BC10000}\Implemented Categories\{0DE86A52-2BAA-11CF-A229-00AA003D7352}
HKEY_CLASSES_ROOT\CLSID\{EFFEFC83-4447-11D2-A504-50846BC10000}\Implemented Categories\{0DE86A53-2BAA-11CF-A229-00AA003D7352}
HKEY_CLASSES_ROOT\CLSID\{EFFEFC83-4447-11D2-A504-50846BC10000}\Implemented Categories\{0DE86A57-2BAA-11CF-A229-00AA003D7352}
HKEY_CLASSES_ROOT\CLSID\{EFFEFC83-4447-11D2-A504-50846BC10000}\Implemented Categories\{40FC6ED4-2438-11CF-A3DB-080036F12502}
HKEY_CLASSES_ROOT\CLSID\{EFFEFC83-4447-11D2-A504-50846BC10000}\InprocServer32
HKEY_CLASSES_ROOT\CLSID\{EFFEFC83-4447-11D2-A504-50846BC10000}\MiscStatus
HKEY_CLASSES_ROOT\CLSID\{EFFEFC83-4447-11D2-A504-50846BC10000}\MiscStatus\1
HKEY_CLASSES_ROOT\CLSID\{EFFEFC83-4447-11D2-A504-50846BC10000}\ProgID
HKEY_CLASSES_ROOT\CLSID\{EFFEFC83-4447-11D2-A504-50846BC10000}\ToolboxBitmap32
HKEY_CLASSES_ROOT\CLSID\{EFFEFC83-4447-11D2-A504-50846BC10000}\TypeLib
HKEY_CLASSES_ROOT\CLSID\{EFFEFC83-4447-11D2-A504-50846BC10000}\Version
HKEY_CLASSES_ROOT\CLSID\{EFFEFC86-4447-11D2-A504-50846BC10000}
HKEY_CLASSES_ROOT\CLSID\{EFFEFC86-4447-11D2-A504-50846BC10000}\InprocServer32
HKEY_CLASSES_ROOT\FSUtils.FS
HKEY_CLASSES_ROOT\FSUtils.FS\Clsid
HKEY_CLASSES_ROOT\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}
HKEY_CLASSES_ROOT\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid
HKEY_CLASSES_ROOT\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32
HKEY_CLASSES_ROOT\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib
HKEY_CLASSES_ROOT\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}
HKEY_CLASSES_ROOT\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid
HKEY_CLASSES_ROOT\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32
HKEY_CLASSES_ROOT\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib
HKEY_CLASSES_ROOT\Interface\{EFFEFC82-4447-11D2-A504-50846BC10000}
HKEY_CLASSES_ROOT\Interface\{EFFEFC82-4447-11D2-A504-50846BC10000}\ProxyStubClsid
HKEY_CLASSES_ROOT\Interface\{EFFEFC82-4447-11D2-A504-50846BC10000}\ProxyStubClsid32
HKEY_CLASSES_ROOT\Interface\{EFFEFC82-4447-11D2-A504-50846BC10000}\TypeLib
HKEY_CLASSES_ROOT\Interface\{EFFEFC84-4447-11D2-A504-50846BC10000}
HKEY_CLASSES_ROOT\Interface\{EFFEFC84-4447-11D2-A504-50846BC10000}\ProxyStubClsid
HKEY_CLASSES_ROOT\Interface\{EFFEFC84-4447-11D2-A504-50846BC10000}\ProxyStubClsid32
HKEY_CLASSES_ROOT\Interface\{EFFEFC84-4447-11D2-A504-50846BC10000}\TypeLib
HKEY_CLASSES_ROOT\Interface\{EFFEFC85-4447-11D2-A504-50846BC10000}
HKEY_CLASSES_ROOT\Interface\{EFFEFC85-4447-11D2-A504-50846BC10000}\ProxyStubClsid
HKEY_CLASSES_ROOT\Interface\{EFFEFC85-4447-11D2-A504-50846BC10000}\ProxyStubClsid32
HKEY_CLASSES_ROOT\Interface\{EFFEFC85-4447-11D2-A504-50846BC10000}\TypeLib
HKEY_CLASSES_ROOT\MSWinsock.Winsock
HKEY_CLASSES_ROOT\MSWinsock.Winsock\CLSID
HKEY_CLASSES_ROOT\MSWinsock.Winsock\CurVer
HKEY_CLASSES_ROOT\MSWinsock.Winsock.1
HKEY_CLASSES_ROOT\MSWinsock.Winsock.1\CLSID
HKEY_CLASSES_ROOT\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}
HKEY_CLASSES_ROOT\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0
HKEY_CLASSES_ROOT\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0
HKEY_CLASSES_ROOT\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0\win32
HKEY_CLASSES_ROOT\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\FLAGS
HKEY_CLASSES_ROOT\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\HELPDIR
HKEY_CLASSES_ROOT\TypeLib\{EFFEFC87-4447-11D2-A504-50846BC10000}
HKEY_CLASSES_ROOT\TypeLib\{EFFEFC87-4447-11D2-A504-50846BC10000}\1.0
HKEY_CLASSES_ROOT\TypeLib\{EFFEFC87-4447-11D2-A504-50846BC10000}\1.0\0
HKEY_CLASSES_ROOT\TypeLib\{EFFEFC87-4447-11D2-A504-50846BC10000}\1.0\0\win32
HKEY_CLASSES_ROOT\TypeLib\{EFFEFC87-4447-11D2-A504-50846BC10000}\1.0\FLAGS
HKEY_CLASSES_ROOT\TypeLib\{EFFEFC87-4447-11D2-A504-50846BC10000}\1.0\HELPDIR

data.dll does connect to an IRC server

tested on Windows XP
December 22, 2004

If you recognize any personal information on this page and wish to have it removed or redacted, please contact us at jplesueur@phrozen.io. We are committed to protecting your privacy in accordance with GDPR regulations.