Shadow - Malware Gallery

Informations

From	China
Author	?
Family	Shadow
Category	Remote Access
Version	Shadow
Released Date	Feb 2003, 21 years, 9 months ago.
Language	Delphi, compressed with ASPack

Additional Information

Server:
dropped file:
C:\WINNT\System32\shadow32.exe 

size: 46.592 bytes

port: 1119 TCP

startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Shadow32" 

added registry keys:
HKEY_USERS\.DEFAULT\Console\C:_WINNT_system32_tlntsess.exe 
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_TLNTSVR 
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_TLNTSVR\0000 
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_TLNTSVR\0000\Control 
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\TlntSvr\Enum 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TLNTSVR 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TLNTSVR\0000 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TLNTSVR\0000\Control 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\Enum 

remark:
tested on win2000