Report - CrySyS Lab
5. The script also writes an autorun path into the registry for “C:\altnet.exe” by setting the key “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\altnet”.
6. The script repeats the same checks and steps for “C:\altnet.exe” as in step 3 for IExplore.exe.
7. Finally, the script uses an HTML JavaScript tag to close the current browser window, an HTML body section with an “img” reference to image.php and a closing HTML tag (). We suspect that this file must have been the final part of a larger script.
bi_1.txt
hash: CBF6F449C54F11D4AC28FAD203C1D88A
compile time: 2004-01-24
Most likely a screen capture module.
Creates two files in \Documents and Settings\user\Local Settings\Temp: 3.exe and bi~.tmp.
3.exe has a hash of ED12789B2EFC87C4F39FA2367755C835 and, interestingly, does not have a valid PE header. It was created with the Borland C++ compiler. It writes to the bi~.tmp file.
The bi~.tmp file we observed was 11074 bytes long and contains binary data, most likely some graphical image, e.g. a screen capture or similar, but we did not analyze this in detail.
The same information is also saved to c:\sysdll7.txt by bi_1.exe.
bi_1.exe also starts the Windows component ntvdm.exe, which then writes temporary information into \windows\temp\scs8.tmp and scs7.tmp in the same directory.
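The observation that 3.exe carries an MD5 the report lists but no valid PE header suggests a simple triage check for dropped files in the Temp directory: hash the file and verify the DOS/PE signatures. The following is an added example written for this report, not code from CrySyS Lab; the byte blobs are constructed stand-ins for the dropped files, and the only page-derived values are the two MD5 hashes.

```python
import hashlib
import struct

# MD5 indicators quoted in the report (bi_1.txt and the dropped 3.exe).
KNOWN_MD5 = {
    "CBF6F449C54F11D4AC28FAD203C1D88A",
    "ED12789B2EFC87C4F39FA2367755C835",
}

# Constructed sample: DOS stub with e_lfanew pointing at a PE signature and a
# 20-byte COFF header (i386, one section). Not a real executable.
VALID_SAMPLE = (
    b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)
    + b"PE\x00\x00" + struct.pack("<HH", 0x014C, 1) + b"\x00" * 16
)
# Constructed sample mimicking the report's 3.exe: an MZ stub, but no PE signature.
NO_PE_SAMPLE = b"MZ" + b"\x00" * 82
# Constructed sample of non-executable data, like the bi~.tmp image blob.
PLAIN_DATA = b"\x89PNG\r\n\x1a\n" + b"\x00" * 100


def pe_header_status(data: bytes) -> str:
    """Classify a blob by its headers: 'pe', 'mz-only' (no PE signature) or 'not-pe'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return "not-pe"
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # The offset must leave room for the 4-byte signature plus the 20-byte COFF header.
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return "mz-only"
    return "pe"


def triage(data: bytes, known_md5: set = KNOWN_MD5) -> dict:
    """Hash a dropped file and record whether it matches a known indicator."""
    md5 = hashlib.md5(data).hexdigest().upper()
    return {"md5": md5, "header": pe_header_status(data), "known": md5 in known_md5}


if __name__ == "__main__":
    for name, blob in [("3.exe", NO_PE_SAMPLE), ("bi~.tmp", PLAIN_DATA), ("ok.exe", VALID_SAMPLE)]:
        print(name, triage(blob))
```

On a real system the same function would be run over the files found under Local Settings\Temp; a match in `known` or an `mz-only` result is what flags the dropped 3.exe.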