deskwizz
November 11, 2006 at 3:49 pm | In Malware analysis | 1 Comment
Originally posted Mar 27 2005, 09:09 PM
Received from my old friend $teve along with some other files:
jmsqvijilh.exe, identified by KAV and TDS as Trojan-Downloader.Win32.Small.aly.
I decided to test what it downloads at the moment, since this changes frequently.
When run, it contacted:
195.137.236.117 (deskwizz.com)
195.137.237.103
216.150.6.75 (adpowerzone.advertserve.com)
During these connections it downloaded and installed:
IEXPLOR.EXE
setup.ini
IEXPLOR.EXE was flagged by TDS as "Possible WebDownloader File: iexplor.exe".
setup.ini contains:
MainWindowURL=http://ads.deskwizz.com/to.php?id=atix
BackupWindowURL1=http://www.aqwerlib.ruuu/
BackupWindowURL2=http://www.waa4rty.inf/
AfterInstall=http://media.deskwizz.com/gate.php?id=AtixAfterInstall
The short version of the Total Uninstall report:
Filesystem
===============
(FOLDER) C:\Documents and Settings\Pieter\Local Settings\Temp
(+)(FILE) ~DF1052.tmp = 21:27 27-03-05 16384 bytes
(FOLDER) C:\Documents and Settings\Pieter\Local Settings\Temporary Internet Files\Content.IE5
(*)(FILE) index.dat = 21:14 27-03-05 8552448 bytes ==> 21:26 27-03-05 8552448 bytes
(FOLDER) C:\Documents and Settings\Pieter\Local Settings\Temporary Internet Files\Content.IE5\0BR3MW91
(+)(FILE) setupAtx[1].ini = 21:27 27-03-05 339 bytes
(FOLDER) C:\Documents and Settings\Pieter\Local Settings\Temporary Internet Files\Content.IE5\JJ9JRDSW
(+)(FILE) IEXPLOR[1].EXE = 21:26 27-03-05 49152 bytes
(FOLDER) C:\WINDOWS
(+)(FILE) IEXPLOR.EXE = 21:26 27-03-05 49152 bytes
(+)(FILE) setup.ini = 21:27 27-03-05 339 bytes
Registry
===============
(REGISTRY KEY) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
(+)(REGISTRY VALUE) AtxBrw = 'C:\WINDOWS\IEXPLOR.exe'
(+)(REGISTRY VALUE) C:\WINDOWS\IEXPLOR.EXE = 'C:\WINDOWS\IEXPLOR.EXE'
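As an added triage example (my own code, not part of the original post), here is a parser for the Total Uninstall short-report layout shown above that rebuilds full paths for the created and modified entries and flags new Run-key values whose data points at a file the same run dropped. The embedded report is a constructed copy of the entries above; the (+)/(*) markers and the quoting of registry data are assumptions about the export format.

```python
import re

# Constructed sample in the Total Uninstall "short report" layout used in the post
REPORT = """\
Filesystem
===============
(FOLDER) C:\\WINDOWS
(+)(FILE) IEXPLOR.EXE = 21:26 27-03-05 49152 bytes
(+)(FILE) setup.ini = 21:27 27-03-05 339 bytes
(FOLDER) C:\\Documents and Settings\\Pieter\\Local Settings\\Temporary Internet Files\\Content.IE5
(*)(FILE) index.dat = 21:14 27-03-05 8552448 bytes ==> 21:26 27-03-05 8552448 bytes
Registry
===============
(REGISTRY KEY) HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run
(+)(REGISTRY VALUE) AtxBrw = 'C:\\WINDOWS\\IEXPLOR.exe'
(+)(REGISTRY VALUE) C:\\WINDOWS\\IEXPLOR.EXE = 'C:\\WINDOWS\\IEXPLOR.EXE'
"""

# Markers: (+) created, (*) modified; straight or curly quotes around data (assumption)
FILE_RE = re.compile(r"^\((.)\)\(FILE\) (.+?) = (\d\d:\d\d \d\d-\d\d-\d\d) (\d+) bytes")
VALUE_RE = re.compile(r"^\((.)\)\(REGISTRY VALUE\) (.+?) = ['\u2018](.*)['\u2019]$")
AUTORUN_KEYS = ("\\CurrentVersion\\Run", "\\CurrentVersion\\RunOnce")

def parse_report(text):
    """Return (files, values): files as (marker, full path, size bytes), values as
    (marker, key, name, data). Paths are rebuilt from the enclosing FOLDER/KEY line."""
    files, values, folder, key = [], [], "", ""
    for line in text.splitlines():
        if line.startswith("(FOLDER) "):
            folder = line[len("(FOLDER) "):]
        elif line.startswith("(REGISTRY KEY) "):
            key = line[len("(REGISTRY KEY) "):]
        elif m := FILE_RE.match(line):
            files.append((m.group(1), folder + "\\" + m.group(2), int(m.group(4))))
        elif m := VALUE_RE.match(line):
            values.append((m.group(1), key, m.group(2), m.group(3)))
    return files, values

def persistence_findings(text):
    """Flag values added under a Run/RunOnce key; the last field is True when the
    value's data is a file the same run created (the downloader's own payload)."""
    files, values = parse_report(text)
    created = {path.lower() for mark, path, _ in files if mark == "+"}
    return [(key, name, data, data.lower() in created)
            for mark, key, name, data in values
            if mark == "+" and key.endswith(AUTORUN_KEYS)]
```

Calling `persistence_findings(REPORT)` returns both Run values above, each tied back to the freshly written C:\WINDOWS\IEXPLOR.EXE.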
1 Comment »
Originally posted by mpfeif101 at Apr 1 2005, 04:57 AM
Thanks Pieter, excellent entry 🙂
Comment by metallica — November 11, 2006