by ?
TrojanDropper constructed with "Setup Factory Setup Launcher"
Released in 1999
dropped files:
c:\win.dos size: 0 bytes
c:\Memory manger2\data.dll size: 188.928 bytes
c:\Memory manger2\data.z size: 17.408 bytes (Backdoor.VB.an)
c:\Memory manger2\mem.dll size: 24.064 bytes (Backdoor.Tesk)
c:\Memory manger2\Memmanage.exe size: 17.408 bytes (Backdoor.Doly.16)
c:\Memory manger2\Mmgi.soc size: 138.752 bytes
c:\Memory manger2\Msys.z size: 8.704 bytes (Backdoor.Tesk)
c:\Memory manger2\Data\Jdata.reg size: 1.238,116 bytes (TrojanDropper.Win32.BigJack.b)
c:\Memory manger2\Data\mem.z size: 607.744 bytes (Backdoor.ServU-based)
c:\Memory manger2\Data\su.z size: 1.417 bytes
c:\WINDOWS\Wings32.reg size: 188.928 bytes
c:\WINDOWS\winstart.bat size: 102 bytes
data:
@echo off copy C:\WINDOWS\Wings32.reg C:\WINDOWS\Start Menu\Programs\StartUp\Mirabilis ICQ.exe
cls
c:\WINDOWS\system\serv-u.ini size: 1.417 bytes
c:\WINDOWS\system\windll16.sys size: 60.7,744 bytes (Backdoor.ServU-based)
c:\WINDOWS\system32\FS.ocx size: 62.976 bytes
added to registry:
HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}
HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Control
HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories
HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{0DE86A52-2BAA-11CF-A229-00AA003D7352}
HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{0DE86A53-2BAA-11CF-A229-00AA003D7352}
HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{0DE86A57-2BAA-11CF-A229-00AA003D7352}
HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{40FC6ED4-2438-11CF-A3DB-080036F12502}
HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}
HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32
HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus
HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\1
HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ProgID
HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Programmable
HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ToolboxBitmap32
HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib
HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Version
HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\VersionIndependentProgID
HKEY_CLASSES_ROOT\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}
HKEY_CLASSES_ROOT\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32
HKEY_CLASSES_ROOT\CLSID\{EFFEFC83-4447-11D2-A504-50846BC10000}
HKEY_CLASSES_ROOT\CLSID\{EFFEFC83-4447-11D2-A504-50846BC10000}\Control
HKEY_CLASSES_ROOT\CLSID\{EFFEFC83-4447-11D2-A504-50846BC10000}\Implemented Categories
HKEY_CLASSES_ROOT\CLSID\{EFFEFC83-4447-11D2-A504-50846BC10000}\Implemented Categories\{0DE86A52-2BAA-11CF-A229-00AA003D7352}
HKEY_CLASSES_ROOT\CLSID\{EFFEFC83-4447-11D2-A504-50846BC10000}\Implemented Categories\{0DE86A53-2BAA-11CF-A229-00AA003D7352}
HKEY_CLASSES_ROOT\CLSID\{EFFEFC83-4447-11D2-A504-50846BC10000}\Implemented Categories\{0DE86A57-2BAA-11CF-A229-00AA003D7352}
HKEY_CLASSES_ROOT\CLSID\{EFFEFC83-4447-11D2-A504-50846BC10000}\Implemented Categories\{40FC6ED4-2438-11CF-A3DB-080036F12502}
HKEY_CLASSES_ROOT\CLSID\{EFFEFC83-4447-11D2-A504-50846BC10000}\InprocServer32
HKEY_CLASSES_ROOT\CLSID\{EFFEFC83-4447-11D2-A504-50846BC10000}\MiscStatus
HKEY_CLASSES_ROOT\CLSID\{EFFEFC83-4447-11D2-A504-50846BC10000}\MiscStatus\1
HKEY_CLASSES_ROOT\CLSID\{EFFEFC83-4447-11D2-A504-50846BC10000}\ProgID
HKEY_CLASSES_ROOT\CLSID\{EFFEFC83-4447-11D2-A504-50846BC10000}\ToolboxBitmap32
HKEY_CLASSES_ROOT\CLSID\{EFFEFC83-4447-11D2-A504-50846BC10000}\TypeLib
HKEY_CLASSES_ROOT\CLSID\{EFFEFC83-4447-11D2-A504-50846BC10000}\Version
HKEY_CLASSES_ROOT\CLSID\{EFFEFC86-4447-11D2-A504-50846BC10000}
HKEY_CLASSES_ROOT\CLSID\{EFFEFC86-4447-11D2-A504-50846BC10000}\InprocServer32
HKEY_CLASSES_ROOT\FSUtils.FS
HKEY_CLASSES_ROOT\FSUtils.FS\Clsid
HKEY_CLASSES_ROOT\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}
HKEY_CLASSES_ROOT\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid
HKEY_CLASSES_ROOT\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32
HKEY_CLASSES_ROOT\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib
HKEY_CLASSES_ROOT\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}
HKEY_CLASSES_ROOT\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid
HKEY_CLASSES_ROOT\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32
HKEY_CLASSES_ROOT\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib
HKEY_CLASSES_ROOT\Interface\{EFFEFC82-4447-11D2-A504-50846BC10000}
HKEY_CLASSES_ROOT\Interface\{EFFEFC82-4447-11D2-A504-50846BC10000}\ProxyStubClsid
HKEY_CLASSES_ROOT\Interface\{EFFEFC82-4447-11D2-A504-50846BC10000}\ProxyStubClsid32
HKEY_CLASSES_ROOT\Interface\{EFFEFC82-4447-11D2-A504-50846BC10000}\TypeLib
HKEY_CLASSES_ROOT\Interface\{EFFEFC84-4447-11D2-A504-50846BC10000}
HKEY_CLASSES_ROOT\Interface\{EFFEFC84-4447-11D2-A504-50846BC10000}\ProxyStubClsid
HKEY_CLASSES_ROOT\Interface\{EFFEFC84-4447-11D2-A504-50846BC10000}\ProxyStubClsid32
HKEY_CLASSES_ROOT\Interface\{EFFEFC84-4447-11D2-A504-50846BC10000}\TypeLib
HKEY_CLASSES_ROOT\Interface\{EFFEFC85-4447-11D2-A504-50846BC10000}
HKEY_CLASSES_ROOT\Interface\{EFFEFC85-4447-11D2-A504-50846BC10000}\ProxyStubClsid
HKEY_CLASSES_ROOT\Interface\{EFFEFC85-4447-11D2-A504-50846BC10000}\ProxyStubClsid32
HKEY_CLASSES_ROOT\Interface\{EFFEFC85-4447-11D2-A504-50846BC10000}\TypeLib
HKEY_CLASSES_ROOT\MSWinsock.Winsock
HKEY_CLASSES_ROOT\MSWinsock.Winsock\CLSID
HKEY_CLASSES_ROOT\MSWinsock.Winsock\CurVer
HKEY_CLASSES_ROOT\MSWinsock.Winsock.1
HKEY_CLASSES_ROOT\MSWinsock.Winsock.1\CLSID
HKEY_CLASSES_ROOT\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}
HKEY_CLASSES_ROOT\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0
HKEY_CLASSES_ROOT\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0
HKEY_CLASSES_ROOT\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0\win32
HKEY_CLASSES_ROOT\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\FLAGS
HKEY_CLASSES_ROOT\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\HELPDIR
HKEY_CLASSES_ROOT\TypeLib\{EFFEFC87-4447-11D2-A504-50846BC10000}
HKEY_CLASSES_ROOT\TypeLib\{EFFEFC87-4447-11D2-A504-50846BC10000}\1.0
HKEY_CLASSES_ROOT\TypeLib\{EFFEFC87-4447-11D2-A504-50846BC10000}\1.0\0
HKEY_CLASSES_ROOT\TypeLib\{EFFEFC87-4447-11D2-A504-50846BC10000}\1.0\0\win32
HKEY_CLASSES_ROOT\TypeLib\{EFFEFC87-4447-11D2-A504-50846BC10000}\1.0\FLAGS
HKEY_CLASSES_ROOT\TypeLib\{EFFEFC87-4447-11D2-A504-50846BC10000}\1.0\HELPDIR
data.dll connects to an IRC server
tested on Windows XP
December 22, 2004
MegaSecurity