FloodNet 1.1 (a)
(Backdoor.Win32.Tendoolf.a)

by ?

Written in Delphi

more versions


dropped files:
c:\Documents and Settings\%user%\Local Settings\Temp\Cute.exe    size: 608.768 bytes 
c:\WINDOWS\kernel32.exe                                          size: 608.768 bytes 

added to registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Windows"
data: C:\WINDOWS\kernel32.exe 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices "Windows"
data: C:\WINDOWS\kernel32.exe 

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows "load"
data: C:\WINDOWS\kernel32.exe 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon "Shell"
data: explorer.exe C:\WINDOWS\kernel32.exe 

HKEY_CURRENT_USER\Identities\{D4086F36-0B1C-4F8B-883F-F6A433830ADF}\Software\Microsoft\Outlook Express\5.0\Mail
HKEY_CURRENT_USER\Identities\{D4086F36-0B1C-4F8B-883F-F6A433830ADF}\Software\Microsoft\Outlook Express\5.0\News
HKEY_CURRENT_USER\Identities\{D4086F36-0B1C-4F8B-883F-F6A433830ADF}\Software\Microsoft\Outlook Express\5.0\Rules\Mail
HKEY_CURRENT_USER\Identities\{D4086F36-0B1C-4F8B-883F-F6A433830ADF}\Software\Microsoft\Outlook Express\5.0\Trident\Main
HKEY_CURRENT_USER\Identities\{D4086F36-0B1C-4F8B-883F-F6A433830ADF}\Software\Microsoft\Outlook Express\5.0\Trident\Settings

HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\VeriSign
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere


HKEY_CURRENT_USER\Software\Microsoft\WAB\WAB4\Wab File Name

HKEY_CLASSES_ROOT\.vx

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\.
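As an added example that is not part of the MegaSecurity page, the Python script below reads a .reg export of the four autostart locations listed above (Run, RunServices, the "load" value under Windows NT\CurrentVersion\Windows, and Winlogon "Shell") and flags the traces this backdoor leaves: an .exe named after a system DLL (kernel32.exe), a Winlogon Shell value that is no longer plain explorer.exe, and an executable launched from a temp directory. The registry text is constructed for the example; the function names are assumptions of mine, not tooling from the page.

```python
"""Scan a .reg export of Windows autostart keys for the persistence pattern
described on the page. Added example; sample data is constructed."""
import re

# The autostart keys the backdoor writes (taken from the page). A real
# scanner would cover many more autostart locations; this list is the
# minimum needed to catch the entries described above.
AUTOSTART_KEYS = {k.lower() for k in (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
)}

# Stems of well-known system DLLs. An .exe carrying one of these names in an
# autostart entry is masquerading (kernel32.exe mimics kernel32.dll).
SYSTEM_DLL_STEMS = {"kernel32", "ntdll", "user32", "advapi32", "shell32"}

# "name"="data" lines of a .reg file (string values only).
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"\s*=\s*"((?:[^"\\]|\\.)*)"$')
# Executable references inside a value; unquoted paths with spaces are not
# handled here, which is enough for the constructed sample below.
EXE_RE = re.compile(r'(?:[A-Za-z]:\\)?[^\s",;]*?\.exe', re.IGNORECASE)


def parse_reg_export(text):
    """Yield (key, value_name, data) triples from .reg export text."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('"'):
            m = VALUE_RE.match(line)
            if m:
                # .reg files escape backslashes and quotes with a backslash.
                name = re.sub(r"\\(.)", r"\1", m.group(1))
                data = re.sub(r"\\(.)", r"\1", m.group(2))
                yield key, name, data


def find_suspicious_autoruns(entries):
    """Return a list of findings for autostart values showing the page's pattern."""
    findings = []
    for key, name, data in entries:
        if key.lower() not in AUTOSTART_KEYS:
            continue
        reasons = []
        for exe in EXE_RE.findall(data):
            stem = exe.rsplit("\\", 1)[-1][:-4].lower()
            if stem in SYSTEM_DLL_STEMS:
                reasons.append(f"{exe}: .exe named after a system DLL")
            if "\\temp\\" in exe.lower():
                reasons.append(f"{exe}: launched from a temp directory")
        # The default Winlogon Shell is exactly "explorer.exe"; anything
        # appended to it (as this backdoor does) starts with the desktop.
        if (key.lower().endswith("\\winlogon") and name.lower() == "shell"
                and data.strip().lower() != "explorer.exe"):
            reasons.append("Winlogon Shell is not plain explorer.exe")
        if reasons:
            findings.append({"key": key, "name": name, "data": data, "reasons": reasons})
    return findings


def scan_text(reg_text):
    """Convenience wrapper: parse a .reg export and return the findings."""
    return find_suspicious_autoruns(parse_reg_export(reg_text))


# Constructed sample export: three infected entries, two benign ones, plus
# the dropped Temp copy registered under RunServices.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows"="C:\\WINDOWS\\kernel32.exe"
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Cute"="C:\\DOCUME~1\\user\\LOCALS~1\\Temp\\Cute.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe C:\\WINDOWS\\kernel32.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"load"="C:\\WINDOWS\\kernel32.exe"
'''

if __name__ == "__main__":
    for f in scan_text(SAMPLE_REG):
        print(f"{f['key']}\\{f['name']} = {f['data']}")
        for r in f["reasons"]:
            print(f"    - {r}")
```

On a live system the same logic runs over the output of `reg export` for each of the four keys; the value data is what matters, so the check also catches renamed copies as long as they keep the kernel32 name or the Shell modification.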

attempts to connect to an IRC server

tested on Windows XP
December 11, 2004

MegaSecurity