January 25, 2011


This is an additional infection dropped by the exploit HTML_SHELLCOD.SM, which takes advantage of an Internet Explorer vulnerability. It steals information and sends it to FTP servers, from which it also retrieves malicious code that runs multiple routines on the infected system. It logs keystrokes and accesses certain sites and chat logs, which further compromises the user's privacy.
1) Its presence is indicated by the following files in the folders C:\Windows\System32 and C:\Documents and Settings\user name\Local Settings\Temp:

  • SKOE.001
  • SKOE.002
  • SKOE.006
  • SKOE.007
  • SKOE.EXE
  • @3A.tmp
  • @3B.tmp
  • \mrt3C.tmp\bigbox.mfx
  • \mrt3C.tmp\ctrlx.mfx
  • \mrt3C.tmp\Download.mfx
  • \mrt3C.tmp\kccda.mfx
  • \mrt3C.tmp\kcclip.mfx
  • \mrt3C.tmp\KcClkBlk.mfx
  • \mrt3C.tmp\KcCursor.mfx
  • \mrt3C.tmp\kcfile.mfx
  • \mrt3C.tmp\kcpop.mfx
  • \mrt3C.tmp\mmfs2.dll
  • \mrt3C.tmp\stdrt.exe
2) It creates the following registry entry to enable its automatic execution:
SKOE Agent = "%System%\28463\SKOE.exe"

3) It creates the following registry entries under HKEY_CLASSES_ROOT, in the Interface folder, under the key {03022430-ABC4-11D0-BDE2-00AA001A1953}:
  • (Default) = "IAccessibleHandler"
  • (Default) = "{{malware name}}"
  • (Default) = "{{malware name}}"
  • (Default) = "{{malware name}}"
  • Version = "1.1"
  • 1.1(Default) = "Accessibility"

and under the TypeLib folder, in the key {1EA4DBF0-3C3B-11CF-810C-00AA00389B71}, with the entries:
  • 1.1(Default) = "Accessibility"
  • 1.1\0\win32(Default) = "%System%\oleacc.dll"
  • 1.1\FLAGS(Default) = "4"
  • 1.1\HELPDIR(Default) = "%Windows%\System32"
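As an added defender-side example (not part of the original post), the following Python script checks a recursive directory listing and a .reg export for the indicators listed above. The file names, the SKOE Agent value and data, and the two GUIDs come from the write-up; the Run key location, the constructed sample data, and the treatment of the "3C" in mrt3C.tmp as a variable hex suffix are assumptions. Because the Interface and TypeLib entries point at the system's own oleacc.dll (its standard accessibility registration), the script treats them as weak indicators that never raise an alert on their own; the SKOE.* files and the SKOE Agent autorun value are the decisive ones.

```python
"""Indicator scan for the SKOE infection described above (added example).

Runs offline over a constructed file listing and a constructed .reg export;
on a real host feed it `dir /s /b` output and `reg export` output instead.
"""
import re

# Filenames taken from the write-up. Matching is case-insensitive on the basename.
STRONG_FILES = {"skoe.001", "skoe.002", "skoe.006", "skoe.007", "skoe.exe"}
RUNTIME_FILES = {"bigbox.mfx", "ctrlx.mfx", "download.mfx", "kccda.mfx", "kcclip.mfx",
                 "kcclkblk.mfx", "kccursor.mfx", "kcfile.mfx", "kcpop.mfx",
                 "mmfs2.dll", "stdrt.exe"}
TEMP_FILES = {"@3a.tmp", "@3b.tmp"}

# Assumption (not stated in the write-up): the "3C" in mrt3C.tmp is a per-infection
# hex suffix, so any mrt<hex><hex>.tmp folder is accepted as the dropper directory.
MRT_DIR_RE = re.compile(r"\\mrt[0-9a-f]{2}\.tmp\\", re.I)

AUTORUN_NAME = "skoe agent"
AUTORUN_DATA_RE = re.compile(r"\\28463\\skoe\.exe$", re.I)

# IAccessibleHandler interface and Accessibility type library: their oleacc.dll
# registration exists on clean systems too, so these are weak indicators only.
WEAK_GUIDS = ("{03022430-ABC4-11D0-BDE2-00AA001A1953}",
              "{1EA4DBF0-3C3B-11CF-810C-00AA00389B71}")


def scan_files(paths):
    """Classify each path of a recursive listing; returns (severity, path) pairs."""
    hits = []
    for p in paths:
        norm = p.replace("/", "\\")
        name = norm.rsplit("\\", 1)[-1].lower()
        if name in STRONG_FILES:
            hits.append(("strong", p))
        elif name in RUNTIME_FILES and MRT_DIR_RE.search(norm):
            hits.append(("medium", p))   # runtime files only count inside an mrt??.tmp folder
        elif name in TEMP_FILES:
            hits.append(("weak", p))
    return hits


_KEY_RE = re.compile(r"^\[(.+)\]$")          # [HKEY_...\path]
_VALUE_RE = re.compile(r'^"([^"]*)"="(.*)"$')  # "name"="string data"


def scan_registry(reg_export):
    """Walk a .reg export, flagging the SKOE autorun value and the weak GUID keys."""
    hits = []
    current_key = ""
    for raw in reg_export.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            current_key = m.group(1)
            if any(g.lower() in current_key.lower() for g in WEAK_GUIDS):
                hits.append(("weak", current_key, "", ""))
            continue
        m = _VALUE_RE.match(line)
        if not m:
            continue
        name, data = m.group(1), m.group(2).replace("\\\\", "\\")  # .reg doubles backslashes
        if name.lower() == AUTORUN_NAME or AUTORUN_DATA_RE.search(data):
            hits.append(("strong", current_key, name, data))
    return hits


def assess(file_hits, reg_hits):
    """Reduce hits to a verdict; weak indicators alone never raise an alert."""
    severities = {h[0] for h in file_hits} | {h[0] for h in reg_hits}
    if "strong" in severities:
        return "infected"
    if "medium" in severities:
        return "suspicious"
    return "clean"


# Constructed sample input (not a real capture): a mixed listing from an infected host.
SAMPLE_LISTING = [
    r"C:\Windows\System32\kernel32.dll",
    r"C:\Windows\System32\oleacc.dll",
    r"C:\Windows\System32\28463\SKOE.exe",
    r"C:\Windows\System32\SKOE.001",
    r"C:\Documents and Settings\user name\Local Settings\Temp\@3A.tmp",
    r"C:\Documents and Settings\user name\Local Settings\Temp\mrt3C.tmp\stdrt.exe",
    r"C:\Documents and Settings\user name\Local Settings\Temp\mrt3C.tmp\kccda.mfx",
    r"C:\Program Files\SomeGame\Download.mfx",  # same name outside mrt??.tmp: not flagged
]

# Constructed .reg export. Placing "SKOE Agent" under the Run key is an assumption;
# the write-up gives only the value name and data.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
"SKOE Agent"="C:\\WINDOWS\\system32\\28463\\SKOE.exe"

[HKEY_CLASSES_ROOT\Interface\{03022430-ABC4-11D0-BDE2-00AA001A1953}]
@="IAccessibleHandler"
'''

if __name__ == "__main__":
    fh, rh = scan_files(SAMPLE_LISTING), scan_registry(SAMPLE_REG)
    for hit in fh + rh:
        print(hit)
    print("verdict:", assess(fh, rh))
```

On a live host, replace the two samples with the output of `dir C:\ /s /b` and `reg export` of the Run keys and HKEY_CLASSES_ROOT\Interface; the weak GUID hits are reported so an analyst can see them, but only the SKOE files and autorun value change the verdict.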

