File name:
File size: 26014 bytes
AV name: (Rising) Backdoor.
Packer: unknown
Written in: VC
File MD5: 66951f5a5c5211d60b811c018a849f96
Virus type: IRCBot
Behavioral Analysis:
1. Drops copies of itself:
C:\WINDOWS\ 26148 bytes (compressed archive of the bot)
C:\WINDOWS\ 26014 bytes
2. Adds a registry autorun entry so that it starts with Windows:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
(registry value) Windows svchost = ""
3. Connects to the IRC server using a randomly generated nick:
***.com
***.eu
iD@uNkn***.eu
Joins the following channels:
#happy2008
#
#
4. Looks for a process whose name contains the string "msnmsgr", presumably to determine whether MSN Messenger is running.
If MSN Messenger is found, it executes its Message + Zip sent routine.
The "Message" may be one of the following:
Check theese out, Christmas + New year!
Hey, have u seen these Christmas images?
you gotta see this, me in my noughty santa suit!! :P
New year + Christmas pictures! :D
Happy new year xD! :D see
Heeey :) <3 Check out theese New year photos!
"Zip sent" is undoubtedly
Solution:
1. Disconnect from the network and terminate any unneeded processes.
2. Open the Registry Editor (Start - Run - regedit) and navigate to:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Delete the "Windows svchost" value.
(You can also delete it with SREng, which can be downloaded from down.)
3. Restart the computer and, after the restart, delete the files below from the disk (if Windows reports that a file cannot be deleted, download the Feltuar Trojan Forced Delete Tool from down. and use it to force the deletion):
C:\WINDOWS\ 26148 bytes (compressed archive of the bot)
C:\WINDOWS\ 26014 bytes
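As an added example (not part of this report or of any vendor tool), the persistence check from step 2 done offline against a `reg export` of the Run key: a small parser for the .reg text format that flags the "Windows svchost" value named above, plus lookalike autorun entries. The export text and the paths in it are constructed samples; the dropped file name is a placeholder because the report elides it.

```python
import re

# Constructed sample of: reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" run.reg
# The "Windows svchost" value name and its empty data come from the report; other entries are made up.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows svchost"=""
"SoundMAXPnP"="C:\\Program Files\\Analog Devices\\Core\\smax4pnp.exe"
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
'''

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
KNOWN_BAD_NAMES = {"windows svchost"}  # persistence value name used by this IRCBot
SYSTEM_NAMES = ("svchost", "csrss", "lsass", "winlogon", "explorer")

# One REG_SZ line: "name"="data"  (names and data use \\ and \" escapes)
_VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"=(?P<data>.*)$')


def parse_reg_values(text, key=RUN_KEY):
    """Return {value_name: data} for the string values under `key` in a .reg export."""
    values, in_key = {}, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_key = line[1:-1].lower() == key.lower()
            continue
        m = _VALUE_RE.match(line) if in_key else None
        if m and m.group("data").startswith('"') and m.group("data").endswith('"'):
            raw = m.group("data")[1:-1]
            values[m.group("name")] = re.sub(r"\\(.)", r"\1", raw)  # undo \\ and \" escapes
    return values


def flag_run_entries(values):
    """Return [(name, reason)] for Run entries matching the indicators in this report."""
    findings = []
    for name, data in values.items():
        lname = name.lower()
        if lname in KNOWN_BAD_NAMES:
            findings.append((name, "value name matches known IRCBot persistence entry"))
        elif any(s in lname for s in SYSTEM_NAMES) and "system32" not in data.lower():
            findings.append((name, "system-binary lookalike name not backed by a System32 path"))
        elif not data:
            findings.append((name, "autorun entry with empty command"))
    return findings


if __name__ == "__main__":
    for name, reason in flag_run_entries(parse_reg_values(SAMPLE_REG_EXPORT)):
        print(f"SUSPICIOUS Run value {name!r}: {reason}")
```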