Avert® Labs has observed the following system activities:
- Enumerates running processes
- Uses shared memory of other processes
- Writes an executable in the Windows folder
- Performs a shell execute of downloaded or existing files
These are the general defaults for the typical path variables (actual values may differ, but these are common):
%WinDir% = \WINDOWS (Windows 9x/ME/XP/Vista), \WINNT (Windows NT/2000)
%SystemDir% = \WINDOWS\SYSTEM (Windows 98/ME), \WINDOWS\SYSTEM32 (Windows XP/Vista), \WINNT\SYSTEM32 (Windows NT/2000)
%ProgramFiles% = \Program Files
The following files have been added to the system:
The following registry elements have been created:
The Windows Firewall was disabled.
Windows Auto Update was turned off.
Display of hidden files under Folder Options was disabled.
The application created the following network connection(s):
- Backdoor opened on ports 1036 and 1043
Indication of Infection
Methods of Infection