Aliases: Backdoor.Win32.Breplibot.b, W32/Brepibot virus, Troj/Stinx-E, Trojan.Downloader.Small-882
Detailed Analysis: W32/Brepibot-tr - 05-12-07
General Info: This threat is a "PE" executable file with a file size of 10240 bytes.
Network/Internet:
Files:
Installation to System:
More Info:
Replication: When first launched, the virus performs the following actions:
- it copies itself into the %System% directory as $sys$drv.exe,
- it deletes the initial file,
- it stays idle until it has internet access.
Startup: Adds nothing to the registry to start upon a new boot.
Behaviour: Once it can access the internet, it tries to reach the following addresses: 24.210.44.45, 68.101.14.76, 152.1.24.186, 67.171.67.190, 152.7.24.186, 35.10.203.93. When a connection is established, it tries to log in to the IRC server with these IDs:
NICK [0000-XP]qnifymb
USER bujlxaf . . :$$sony$$
None of the servers was reachable (connections were either refused or timed out). The strings qnifymb and bujlxaf are certainly some kind of IDs (they change over time).
Additional payloads: It stops one service: kmixer.
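As an added illustration (not part of the original analysis), the following Python checks captured IRC client lines and the destination address of a session against the login strings and addresses listed above. The seven-letter nick/user fragments are treated as variable, since the analysis notes they change over time; the sample session lines are constructed, not a real capture.

```python
import re

# Fixed parts of the IRC login observed in the analysis above; the 7-letter
# nick/user fragments change over time, so they are captured, not hard-coded.
NICK_RE = re.compile(r"^NICK \[0000-XP\](?P<id>\w+)\s*$")
USER_RE = re.compile(r"^USER (?P<id>\w+) \. \. :\$\$sony\$\$\s*$")

# Destination addresses the sample tried to reach, taken from the analysis.
C2_ADDRESSES = {
    "24.210.44.45", "68.101.14.76", "152.1.24.186",
    "67.171.67.190", "152.7.24.186", "35.10.203.93",
}


def classify_irc_line(line):
    """Return ('nick', id), ('user', id) or None for one IRC client line."""
    m = NICK_RE.match(line)
    if m:
        return ("nick", m.group("id"))
    m = USER_RE.match(line)
    if m:
        return ("user", m.group("id"))
    return None


def scan_session(dst_ip, lines):
    """Scan one client-to-server IRC session (list of raw lines).

    A session is flagged as a Brepibot login only when both the NICK and
    USER signatures are present; the destination address is reported
    separately so a hit against a known address can be triaged on its own.
    """
    found = {}
    for line in lines:
        hit = classify_irc_line(line.strip())
        if hit:
            found[hit[0]] = hit[1]
    return {
        "nick": found.get("nick"),
        "user": found.get("user"),
        "known_c2": dst_ip in C2_ADDRESSES,
        "brepibot_login": "nick" in found and "user" in found,
    }


# Constructed sample session (not a real capture), using the IDs from the analysis.
SAMPLE_SESSION = [
    "NICK [0000-XP]qnifymb",
    "USER bujlxaf . . :$$sony$$",
    "JOIN #channel",
]

if __name__ == "__main__":
    print(scan_session("24.210.44.45", SAMPLE_SESSION))
```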