VBS Webdownloader
Released September 2003
Copyright © MegaSecurity
By: unknown
Information
Author | unknown |
Family | Downloader |
Category | Webdownloader |
Version | VBS Webdownloader |
Release Date | Sep 2003 |
Additional Information
Infection:
Visiting a prepared web page causes an HTA application to run on the client machine.
The Visual Basic script embedded in the HTA (detected as TrojanDownloader.VBS.Iwill.b) downloads a file named "S.EXE".
S.EXE (size 1,199 bytes; not detected by AVP on September 18, 2003)
in turn downloads and executes the following backdoor server:
c:\WINDOWS\TEMP\MSCONFIG.EXE (OptixLite 5.0 server, aka Backdoor.Delf.em)
size: 44,033 bytes
port: 45454 TCP
startup:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "MSCONFIG"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices "MSCONFIG"
HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{9EC0745F-CAD3-628A-48E9-02B9AFEC8E74} "StubPath"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\User Shell Folders "Common Startup"
Data: C:\WINDOWS\Temp
(The last entry redirects the All Users Startup folder to C:\WINDOWS\Temp, so MSCONFIG.EXE, which lives in that directory, is launched at every logon even if the Run/RunServices values are removed.)
registry added:
HKEY_LOCAL_MACHINE\Software\EES
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Hardware Profiles\Current\Software\Microsoft\windows\CurrentVersion\Internet Settings "EnableAutodial"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\User Shell Folders "Common Startup"
Data: C:\WINDOWS\Temp
files added:
c:\WINDOWS\TEMP\MSCONFIG.EXE
c:\WINUPDATE.EXE
c:\WINDOWS\Temporary Internet Files\Content.IE5\41YBG9MZ\o[1].exe (browser-cache copy of the downloaded server)
all three are the same file (Backdoor.Delf.em), size 44,033 bytes
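One way to hunt for the persistence entries listed above, either on a suspect host or in an exported hive, is to parse a `reg export`-style .reg text and flag autorun, Active Setup and shell-folder values that point into a Temp directory. The script below is an added example written for this page, not code from MegaSecurity or from the malware; the .reg sample is constructed to mirror the values on this page plus two benign entries for contrast, and the check that the Common Startup path should still contain "Startup" is a heuristic assumption about the Windows default, not a documented rule.

```python
"""Flag OptixLite-style persistence entries in a Windows .reg export.

Added example for this archive entry. SAMPLE_REG is constructed to mirror
the registry values listed on the page; it is not a capture from a real host.
"""
import re
from dataclasses import dataclass

# Constructed sample in `reg export` format. Backslashes inside string data
# are doubled, as the .reg format requires.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"MSCONFIG"="c:\\WINDOWS\\TEMP\\MSCONFIG.EXE"
"SomeVendorTray"="C:\\Program Files\\Vendor\\tray.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"MSCONFIG"="c:\\WINDOWS\\TEMP\\MSCONFIG.EXE"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{9EC0745F-CAD3-628A-48E9-02B9AFEC8E74}]
"StubPath"="c:\\WINDOWS\\TEMP\\MSCONFIG.EXE"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\User Shell Folders]
"Common Startup"="C:\\WINDOWS\\Temp"
"Common Desktop"="%ALLUSERSPROFILE%\\Desktop"

[HKEY_LOCAL_MACHINE\Software\EES]
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]*)"="(.*)"$')  # REG_SZ values only

AUTORUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
}
ACTIVE_SETUP_PREFIX = r"hkey_local_machine\software\microsoft\active setup\installed components" + "\\"
SHELL_FOLDERS_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\explorer\user shell folders"


@dataclass(frozen=True)
class Finding:
    key: str
    name: str
    data: str
    reason: str


def parse_reg(text):
    """Return {key_path: {value_name: data}} for the REG_SZ values in a .reg export."""
    entries = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            entries.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            # Undo the .reg escaping of backslashes and embedded quotes.
            data = m.group(2).replace("\\\\", "\\").replace('\\"', '"')
            entries[current][m.group(1)] = data
    return entries


def in_temp(path):
    """True if any directory component of the path (case-insensitive) is 'temp'."""
    return "temp" in re.split(r"[\\/]", path.lower())


def find_persistence(entries):
    """Apply the three checks this page's indicators call for; registry key names are case-insensitive."""
    findings = []
    for key, values in entries.items():
        k = key.lower()
        for name, data in values.items():
            if k in AUTORUN_KEYS and in_temp(data):
                findings.append(Finding(key, name, data, "autorun entry launches from a Temp directory"))
            elif k.startswith(ACTIVE_SETUP_PREFIX) and name.lower() == "stubpath" and in_temp(data):
                findings.append(Finding(key, name, data, "Active Setup StubPath launches from a Temp directory"))
            elif k == SHELL_FOLDERS_KEY and name.lower() == "common startup" and "startup" not in data.lower():
                # Heuristic (assumption): the default All Users Startup path contains "Startup".
                findings.append(Finding(key, name, data, "All Users Startup folder redirected; everything in it runs at logon"))
    return findings


if __name__ == "__main__":
    for f in find_persistence(parse_reg(SAMPLE_REG)):
        print(f"{f.key}\n  {f.name} = {f.data}\n  -> {f.reason}")
```

Run it against real data with `reg export HKLM\Software\Microsoft out.reg` and feed the file's text to `parse_reg`; the sample above should produce four findings (both MSCONFIG autoruns, the StubPath, and the redirected Common Startup folder) and leave the vendor tray entry and Common Desktop alone.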