Downloader.Admincash
Wednesday, 19 January 2005
Downloader.Admincash is a Trojan horse program that infects the Explorer.exe file, lowers security settings in Windows, and downloads adware and dialers.

Type: Trojan Horse
Infection Length: 8200 bytes

Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

When Downloader.Admincash runs, it performs the following actions:

Creates the following mutexes, so that only one copy of the Trojan runs at one time:

BeavisMutex
ButtheadMutex

Copies itself as %System%\soft.exe and %System%\[random file name].exe

Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

Creates the following registry subkeys:

HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components\{08B0E5C0-4FCB-11CF-AAA5-00401C608500}
HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{08B0E5C0-4FCB-11CF-AAA5-00401C608500}

Adds the value:

"Web Service" = "%System%\[random file name].exe"

to the registry subkeys:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

so that it runs every time Windows starts.

Adds the value:

"run" = "%System%\soft.exe"

to the registry subkeys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

so that it runs every time Windows starts.

Adds the value:

"DisableSR" = "0x00000001"

to the registry subkeys:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore

to disable Windows security features.

Adds the value:

"EnableFirewall" = "0x00000001"

to the registry subkeys:

HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile

to disable Windows security features.

Adds the values:

"NoAutoUpdate" = "0x00000001"
"AUOptions" = "0x00000001"

to the registry subkeys:

HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU

to disable Windows security features.

Adds the values:

"FirewallDisableNotify" = "0x00000001"
"UpdatesDisableNotify" = "0x00000001"
"AntiVirusDisableNotify" = "0x00000001"

to the registry subkeys:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center

to disable Windows security features.

Creates the following files:

%Windir%\explorer.new
%Windir%\wininit.ini

Note: %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.

Infects the file %Windir%\explorer.exe.

Downloads several adware and dialer programs from the admin2cash.biz domain.
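As an added, defender-side example (not part of the original writeup or any vendor tool), the script below parses the text of a `reg export` dump and flags the persistence and security-lowering registry values described above. The rule table, the sample export and the random file name in it are constructed for illustration; the parser handles only quoted string and dword data.

```python
# Rule: (key-path suffix, accepted value names, predicate on decoded data, finding text)
RULES = [
    (r"\windows\currentversion\run", {"web service"},
     lambda d: str(d).lower().endswith(".exe"), "Run-key persistence named 'Web Service'"),
    (r"\windows nt\currentversion\windows", {"run"},
     lambda d: str(d).lower().endswith(r"\soft.exe"), "legacy 'run' load point set to soft.exe"),
    (r"\windows nt\currentversion\systemrestore", {"disablesr"},
     lambda d: d == 1, "System Restore disabled"),
    (r"\windows\windowsupdate\au", {"noautoupdate"},
     lambda d: d == 1, "Automatic Updates disabled"),
    (r"\microsoft\security center",
     {"firewalldisablenotify", "updatesdisablenotify", "antivirusdisablenotify"},
     lambda d: d == 1, "Security Center alert suppressed"),
]

def parse_reg(text):
    """Yield (key, name, data) from a .reg export; dword -> int, quoted REG_SZ -> str."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key is not None and line.startswith('"') and '"=' in line:
            name, _, raw = line[1:].partition('"=')   # names with embedded quotes not handled
            data = raw                                # hex:/multi-string data kept as raw text
            if raw.startswith("dword:"):
                data = int(raw[6:], 16)
            elif len(raw) >= 2 and raw[0] == raw[-1] == '"':
                data = raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
            yield key, name, data

def find_indicators(text):
    """Return one finding string per value in the export that matches a rule."""
    findings = []
    for key, name, data in parse_reg(text):
        for suffix, names, pred, desc in RULES:
            if key.lower().endswith(suffix) and name.lower() in names and pred(data):
                findings.append(f'{desc}: [{key}] "{name}" = {data!r}')
    return findings

# Constructed export resembling an infected host; qxzw.exe stands in for the random file name.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Web Service"="C:\\WINDOWS\\System32\\qxzw.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"run"="C:\\WINDOWS\\System32\\soft.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"NoAutoUpdate"=dword:00000001
"""
```

Running `find_indicators(SAMPLE_EXPORT)` yields four findings, one per matching value; a value set to 0 or a Run entry under a different name produces none.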