When run, the worm will create a mutex with the name "SwebSipcSmtxSO" to ensure that only one instance of itself is running at the same time.

The worm will copy itself to the Windows System folder as 'taskmon.exe' and add an entry in the registry:

So it's run every time Windows starts up.

It drops another file, which is contained in encoded form in its body and packed with UPX, as:

This file will sequentially open TCP ports from 3127 to 3198, listening on them for incoming connections. One of the possibilities this backdoor offers is to receive an additional executable and run it on the already infected machine.

When the worm is executed on a date after Sunday the 12th of February 2004, it will exit immediately, without performing any further actions.

The worm will look up from the Windows Registry the value containing the user's Kazaa shared folder, and it will copy itself to that location with a filename composed from the following list:
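A host triage check built from two of the indicators described above, the 'taskmon.exe' copy in the Windows System folder and the listeners on TCP 3127 to 3198. This is an added example, not part of the original write-up; it assumes `netstat -ano` style input, the System folder paths in `SYSTEM_DIRS` are assumed, and the sample data is constructed.

```python
import re

# Indicators taken from the description above.
BACKDOOR_PORTS = range(3127, 3199)   # TCP 3127..3198 inclusive
DROPPED_NAME = "taskmon.exe"
# Assumption: common locations of the Windows System folder.
SYSTEM_DIRS = ("\\windows\\system32\\", "\\windows\\system\\", "\\winnt\\system32\\")

# One listening TCP row of `netstat -ano` output: address, port, owning PID.
LISTEN_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$", re.I)

def backdoor_listeners(netstat_text):
    """Return sorted (port, pid) pairs for listeners inside the backdoor range."""
    hits = set()
    for line in netstat_text.splitlines():
        m = LISTEN_RE.match(line)
        if m and int(m.group(2)) in BACKDOOR_PORTS:
            hits.add((int(m.group(2)), int(m.group(3))))
    return sorted(hits)

def suspicious_copies(paths):
    """Return the paths that name taskmon.exe inside a Windows System folder."""
    out = []
    for p in paths:
        low = p.lower().replace("/", "\\")
        if low.endswith("\\" + DROPPED_NAME) and any(d in low for d in SYSTEM_DIRS):
            out.append(p)
    return out

# Constructed sample data, not captured from a real host.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  TCP    0.0.0.0:3127           0.0.0.0:0              LISTENING       1412
  TCP    0.0.0.0:3199           0.0.0.0:0              LISTENING       2040
  TCP    10.0.0.5:3128          10.0.0.9:51515         ESTABLISHED     1412
"""
SAMPLE_PATHS = [
    r"C:\WINDOWS\system32\taskmon.exe",
    r"C:\WINDOWS\system32\taskmgr.exe",
    r"C:\Tools\taskmon.exe",
]

if __name__ == "__main__":
    print("listeners in 3127-3198:", backdoor_listeners(SAMPLE_NETSTAT))
    print("suspicious copies:", suspicious_copies(SAMPLE_PATHS))
```

A port hit on its own only says that something is listening in that range; map the PID back to its executable before treating the host as infected.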