This is a secondary infection dropped by the exploit HTML_SHELLCOD.SM, which itself arrives through an Internet Explorer vulnerability. It steals information and sends it to FTP servers, from which further malicious code is fetched and run on the infected system. It logs keystrokes and accesses certain sites and chat logs, further compromising the user's privacy.
1) It drops the following files into the folders C:\Windows\System32 and C:\Documents and Settings\<user name>\Local Settings\Temp:
- SKOE.001
- SKOE.002
- SKOE.006
- SKOE.007
- SKOE.EXE
- @3A.tmp
- @3B.tmp
- mrt3C.tmp\bigbox.mfx
- \mrt3C.tmp\ctrlx.mfx
- \mrt3C.tmp\Download.mfx
- \mrt3C.tmp\kccda.mfx
- \mrt3C.tmp\kcclip.mfx
- \mrt3C.tmp\KcClkBlk.mfx
- \mrt3C.tmp\KcCursor.mfx
- \mrt3C.tmp\kcfile.mfx
- \mrt3C.tmp\kcpop.mfx
- \mrt3C.tmp\mmfs2.dll
- \mrt3C.tmp\stdrt.exe
- \TIBIA_MOD
- \TIBIA_MOD.EXE
2) It adds the following autorun entry so that it is started at every logon:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
SKOE Agent = "%System%\28463\SKOE.exe"
3) It creates the following registry entries under HKEY_CLASSES_ROOT\Interface\{03022430-ABC4-11D0-BDE2-00AA001A1953}:
- (Default) = "IAccessibleHandler"
- (Default) = "{{malware name}}"
- (Default) = "{{malware name}}"
- (Default) = "{{malware name}}"
- Version = "1.1"
and under HKEY_CLASSES_ROOT\TypeLib\{1EA4DBF0-3C3B-11CF-810C-00AA00389B71}:
- 1.1(Default) = "Accessibility"
- 1.1\0\win32(Default) = "%System%\oleacc.dll"
- 1.1\FLAGS(Default) = "4"
- 1.1\HELPDIR(Default) = "%Windows%\System32"
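As an added example, not part of the original write-up, here is a small Python checker that tests a directory listing and the contents of the Run key against the file and autorun indicators above. It deliberately ignores the Interface and TypeLib entries in step 3: those GUIDs and values are the standard Accessibility (oleacc.dll) registration that every Windows install carries, so on their own they are not a useful indicator. The sample listing and Run-key values in the block are constructed; on Windows the helper `collect_windows_artifacts` (an assumption, not something the write-up describes) reads the real System32 and Temp folders and the real Run key instead.

```python
"""Offline indicator matcher for the SKOE dropper described in the write-up.

The file names and the Run-key entry are the ones listed above. The sample
listing and Run-key contents are constructed for illustration; on Windows,
collect_windows_artifacts() gathers the real data instead.
"""
import fnmatch
import os
import sys

# Paths relative to the scanned folder (System32 or the user's Temp folder),
# lower-cased; fnmatch treats the backslash as a literal character.
DROPPED_FILE_PATTERNS = [
    "skoe.001", "skoe.002", "skoe.006", "skoe.007", "skoe.exe",
    "@3a.tmp", "@3b.tmp",
    "mrt3c.tmp\\*.mfx",
    "mrt3c.tmp\\mmfs2.dll", "mrt3c.tmp\\stdrt.exe",
    "tibia_mod", "tibia_mod.exe",
]

# Autorun indicator from step 2: value name, and the tail of the value data.
AUTORUN_VALUE_NAME = "skoe agent"
AUTORUN_DATA_FRAGMENT = "\\28463\\skoe.exe"


def _normalize(path):
    """Lower-case, use backslashes, drop any leading separator."""
    return path.replace("/", "\\").lstrip("\\").lower()


def match_dropped_files(relative_paths):
    """Return the listing entries that match a dropped-file indicator.

    Each entry is matched both as a full relative path and by its base name,
    so "28463\\SKOE.exe" (the Run-entry location) is caught as well as "SKOE.EXE".
    """
    hits = []
    for entry in relative_paths:
        norm = _normalize(entry)
        base = norm.rsplit("\\", 1)[-1]
        if any(fnmatch.fnmatchcase(norm, pat) or fnmatch.fnmatchcase(base, pat)
               for pat in DROPPED_FILE_PATTERNS):
            hits.append(entry)
    return hits


def match_autorun(run_values):
    """Return (name, data) pairs from a Run key that match the autorun indicator.

    run_values maps value name -> value data, as read from
    HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run.
    """
    hits = []
    for name, data in run_values.items():
        if name.lower() == AUTORUN_VALUE_NAME or AUTORUN_DATA_FRAGMENT in _normalize(data):
            hits.append((name, data))
    return hits


def collect_windows_artifacts():
    """On Windows, gather the real folder listings and Run-key values; elsewhere return nothing."""
    if sys.platform != "win32":
        return [], {}
    import winreg  # Windows-only module, hence the late import
    listing = []
    system32 = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "System32")
    for folder in (system32, os.environ.get("TEMP", "")):
        if not os.path.isdir(folder):
            continue
        for root, _dirs, files in os.walk(folder):
            for name in files:
                listing.append(os.path.relpath(os.path.join(root, name), folder))
    run_values = {}
    try:
        key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                             r"Software\Microsoft\Windows\CurrentVersion\Run")
    except OSError:
        return listing, run_values
    with key:
        index = 0
        while True:
            try:
                name, data, _kind = winreg.EnumValue(key, index)
            except OSError:  # no more values
                break
            run_values[name] = str(data)
            index += 1
    return listing, run_values


# Constructed sample data (not taken from a real host).
SAMPLE_LISTING = [
    "kernel32.dll",
    "28463\\SKOE.exe",
    "@3A.tmp",
    "mrt3C.tmp\\kccda.mfx",
    "mrt3C.tmp\\readme.txt",
    "TIBIA_MOD.EXE",
]
SAMPLE_RUN_VALUES = {
    "SecurityHealth": "%windir%\\system32\\SecurityHealthSystray.exe",
    "SKOE Agent": "%System%\\28463\\SKOE.exe",
}

if __name__ == "__main__":
    listing, run_values = collect_windows_artifacts()
    if not listing and not run_values:  # not on Windows: use the constructed sample
        listing, run_values = SAMPLE_LISTING, SAMPLE_RUN_VALUES
    for hit in match_dropped_files(listing):
        print("dropped-file indicator:", hit)
    for name, data in match_autorun(run_values):
        print("autorun indicator:", name, "=", data)
```

Run as-is on a non-Windows box it reports the four constructed hits and the constructed Run entry; on Windows it walks the real folders, which takes a while for System32 but needs no elevated rights for reading the HKLM Run key.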