deskwizz

November 11, 2006 on 3:49 pm | In Malware analysis | 1 Comment

Originally posted Mar 27 2005, 09:09 PM

Received from my old friend $teve along with some other files:
jmsqvijilh.exe identified by KAV and TDS as infected by Trojan-Downloader.Win32.Small.aly

I decided to test what it gets at the moment since this changes frequently.

When run it contacted:
195.137.236.117 (deskwizz.com)
195.137.237.103
216.150.6.75 (adpowerzone.advertserve.com)

During these connections it downloaded and installed:
IEXPLOR.EXE
setup.ini

IEXPLOR.exe was flagged by TDS as "Possible WebDownloader File: iexplor.exe"

setup.ini contains:
MainWindowURL=http://ads.deskwizz.com/to.php?id=atix
BackupWindowURL1=http://www.aqwerlib.ruuu/
BackupWindowURL2=http://www.waa4rty.inf/
AfterInstall=http://media.deskwizz.com/gate.php?id=AtixAfterInstall

The short version of the Total Uninstall report:

  Filesystem
  ===============
    (FOLDER) C:\Documents and Settings\Pieter\Local Settings\Temp
      (+)(FILE) ~DF1052.tmp = 21:27 27-03-05 16384 bytes
    (FOLDER) C:\Documents and Settings\Pieter\Local Settings\Temporary Internet Files\Content.IE5
      (*)(FILE) index.dat
        21:14 27-03-05 8552448 bytes ==> 21:26 27-03-05 8552448 bytes
    (FOLDER) C:\Documents and Settings\Pieter\Local Settings\Temporary Internet Files\Content.IE5\0BR3MW91
      (+)(FILE) setupAtx[1].ini = 21:27 27-03-05 339 bytes
    (FOLDER) C:\Documents and Settings\Pieter\Local Settings\Temporary Internet Files\Content.IE5\JJ9JRDSW
      (+)(FILE) IEXPLOR[1].EXE = 21:26 27-03-05 49152 bytes
    (FOLDER) C:\WINDOWS
      (+)(FILE) IEXPLOR.EXE = 21:26 27-03-05 49152 bytes
      (+)(FILE) setup.ini = 21:27 27-03-05 339 bytes

  Registry
  ===============
    (REGISTRY KEY) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
      (+)(REGISTRY VALUE) AtxBrw = 'C:\WINDOWS\IEXPLOR.exe'
      (+)(REGISTRY VALUE) C:\WINDOWS\IEXPLOR.EXE = 'C:\WINDOWS\IEXPLOR.EXE'
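As an added example (not part of the original post or of Total Uninstall), a small parser for the report format above that flattens the indented tree into change records and then pairs new Run-key values with the files the dropper wrote; the embedded report excerpt is constructed from the one in this post, and the record field names are my own.

```python
import re
# Constructed excerpt of the Total Uninstall report quoted in the post (same format, fewer folders).
REPORT = r"""
  Filesystem
  ===============
    (FOLDER) C:\WINDOWS
      (+)(FILE) IEXPLOR.EXE = 21:26 27-03-05 49152 bytes
      (+)(FILE) setup.ini = 21:27 27-03-05 339 bytes
    (FOLDER) C:\Documents and Settings\Pieter\Local Settings\Temporary Internet Files\Content.IE5
      (*)(FILE) index.dat
        21:14 27-03-05 8552448 bytes ==> 21:26 27-03-05 8552448 bytes
  Registry
  ===============
    (REGISTRY KEY) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
      (+)(REGISTRY VALUE) AtxBrw = 'C:\WINDOWS\IEXPLOR.exe'
      (+)(REGISTRY VALUE) C:\WINDOWS\IEXPLOR.EXE = 'C:\WINDOWS\IEXPLOR.EXE'
"""

CONTAINER_RE = re.compile(r"^\((?:FOLDER|REGISTRY KEY)\) (.+)$")  # opens a folder / key
FILE_RE = re.compile(r"^\((\+|\*)\)\(FILE\) (.+?)(?: = (\S+ \S+) (\d+) bytes)?$")
DIFF_RE = re.compile(r"^(\S+ \S+) (\d+) bytes ==> (\S+ \S+) (\d+) bytes$")  # (*) detail
VALUE_RE = re.compile(r"^\(\+\)\(REGISTRY VALUE\) (.+?) = '(.*)'$")

def parse_report(text):
    """Flatten the indented Total Uninstall tree into a list of change records."""
    records, container = [], None  # container: the folder or registry key currently open
    for line in (raw.strip() for raw in text.splitlines()):
        if m := CONTAINER_RE.match(line):
            container = m.group(1)
        elif m := FILE_RE.match(line):
            flag, name, when, size = m.groups()
            rec = {"kind": "file_added" if flag == "+" else "file_modified",
                   "path": container + "\\" + name}
            if flag == "+":  # (+) new file: timestamp and size sit on the same line
                rec.update(time=when, size=int(size))
            records.append(rec)  # (*) modified file: sizes arrive on the following line
        elif m := DIFF_RE.match(line):
            records[-1].update(size_before=int(m.group(2)), size_after=int(m.group(4)))
        elif m := VALUE_RE.match(line):
            records.append({"kind": "reg_value_added", "key": container,
                            "name": m.group(1), "data": m.group(2)})
    return records

def persistence_links(records):
    """Pair new Run/RunOnce values with the dropped files they launch (case-insensitive)."""
    dropped = {r["path"].lower() for r in records if r["kind"] == "file_added"}
    return [(r["name"], r["data"]) for r in records
            if r["kind"] == "reg_value_added"
            and r["key"].endswith(("\\Run", "\\RunOnce")) and r["data"].lower() in dropped]
```

For this sample both Run values resolve to the freshly written C:\WINDOWS\IEXPLOR.EXE, which is the persistence link worth checking on a cleaned host.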

1 Comment »


  1. Originally posted by mpfeif101
    at Apr 1 2005, 04:57 AM

    Thanks Pieter, excellent entry 🙂

    Comment by metallica — November 11, 2006 #
