Description
| File Property | Property Value |
| --- | --- |
| FileName | windowsxp.exe |
| McAfee Detection | Generic PWS.y |
| Length | 19613 bytes |
| CRC | BADB4C88 |
| MD5 | 02a878f697b94b93060c574e967af6b |
Avert® Labs has observed the following system activities
| Activity | Risk Level |
| --- | --- |
| Enumerates running processes | Medium |
| Uses shared memory of other processes | Low |
| Writes executable in the Windows folder | Low |
| Performs a shell execute of downloaded or existing files | Informational |
System Changes
These are general defaults for typical path variables (they may differ from system to system, but these values are common):
%WinDir% = \WINDOWS (Windows 9x/ME/XP/Vista), \WINNT (Windows NT/2000)
%SystemDir% = \WINDOWS\SYSTEM (Windows 98/ME), \WINDOWS\SYSTEM32 (Windows XP/Vista), \WINNT\SYSTEM32 (Windows NT/2000)
%ProgramFiles% = \Program Files
The following files have been added to the system:
%WINDIR%\system32\micorsoft.dll (PWS-onlinegames.h)
%WINDIR%\system32\windowsxp.exe
C:\windowsxp.exe
C:\autorun.inf
The following registry elements have been created:
The Windows Firewall was disabled.
Windows Auto Update was turned off.
The "Show hidden files" setting under Folder Options was disabled.
The application created the following network connection(s):
HTTP
- hxxp://59.106.145.58/**********************
- Backdoor opened on ports 1036 and 1043
Indication of Infection
Methods of Infection