Trojan.Downloader.Stration.F Email-Worm.Win32.Warezov, Trojan-Downloader:W32/Warezov, W32.Stration Skype Worm
Size: 11 kbytes (packed)
Discovered: 2007 Feb 14
SYMPTOMS:
- The presence of the following file: %WINDIR%\sqhos32.wmf
- The presence of the following registry key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run: "lre"="%path_to_trojan%"
- A process named 'module.exe' running
TECHNICAL DESCRIPTION:
The trojan creates a file named sqhos32.wmf in the %WINDIR% folder; this file contains some data the trojan uses. It then creates the following registry key in order to execute itself at each system startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run: "lre"="%path_to_trojan%"
The trojan tries to download a file named 'module.exe' from http://eased{...}.com/et.exe.
When the link becomes available, it will execute the downloaded file, delete the startup registry key and mark itself for deletion at the next system startup.
ANALYZED BY:
Marius Botis, virus researcher
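The symptoms and the cleanup behaviour described above, combined into a host triage check. This is an added example, not part of the original write-up; the indicator values come from the description, while the WOW6432Node key and the wording of the stage labels are assumptions of this example.

```powershell
# Added triage example; file, value and process names are from the description.
$wmfPath = Join-Path $env:WINDIR 'sqhos32.wmf'
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    # Assumption: on 64-bit Windows a 32-bit sample writes to the redirected view.
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)

# 1. Data file dropped in %WINDIR%; timestamps help bound the infection time.
$dataFile = $null
if (Test-Path -LiteralPath $wmfPath) {
    $dataFile = Get-Item -LiteralPath $wmfPath -Force |
        Select-Object FullName, Length, CreationTimeUtc, LastWriteTimeUtc
}

# 2. Run value "lre"; its data is the path of the downloader itself.
$runValues = @()
foreach ($key in $runKeys) {
    $target = (Get-ItemProperty -Path $key -Name 'lre' -ErrorAction SilentlyContinue).lre
    if ($target) {
        $runValues += [pscustomobject]@{ Key = $key; Target = $target }
    }
}

# 3. Downloaded payload process (Get-Process matches the name without ".exe").
$procs = @(Get-Process -Name 'module' -ErrorAction SilentlyContinue |
    Select-Object Id, Path, StartTime)

# The downloader deletes its Run value once the payload has run, so a missing
# Run value does not clear the host. Combine the three checks into one reading.
$stage = if ($runValues.Count -gt 0) {
    'Run value "lre" present: consistent with the downloader still installed'
} elseif ($procs.Count -gt 0) {
    'module.exe running, no Run value: consistent with payload fetched and downloader cleaned up'
} elseif ($dataFile) {
    'Only sqhos32.wmf found: consistent with leftovers of an earlier infection'
} else {
    'None of the three indicators found'
}

[pscustomobject]@{
    Stage     = $stage
    DataFile  = $dataFile
    RunValues = $runValues
    Processes = $procs
}
```

A process named module.exe is not conclusive on its own; compare the reported Path and StartTime with the timestamps of sqhos32.wmf before acting on it.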