W32/RemLoad.A!tr - 06-08-02
This threat is a "PE" executable file
- Other Payloads: Listen on incoming ports
- Drop files: ".exe" + ".dll" + data
Installation to System:
- When run, it copies itself to:
Upon execution, the trojan performs the following actions:
- it drops several files in the System folder, including dll, exe and text files;
- it deletes the original file.
This trojan first drops several files in the directory:
- 'checkreg.exe';
- 'iisload.dll';
- 'wsl11328.dll';
- 's32l.txt';
- 'ws386l.ini'.
It then runs 'checkreg.exe'. The dll files are injected into the Explorer process to open a backdoor and connect to servers from a list of hardcoded IP addresses. Both text files, 's32l.txt' and 'ws386l.ini', contain obfuscated data used by 'checkreg.exe'. The dropper also creates a run entry in the registry for 'checkreg.exe' so that it is launched at each boot.
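The behaviour above gives a defender two host-based indicators: the set of dropped file names in the System folder and a Run key entry that references 'checkreg.exe'. The following Python is an added example, not code from the vendor entry, showing how an analyst might check an exported registry hive and a folder listing for those indicators offline. The .reg text and the folder listing are constructed sample data; the Run value name "checkreg", the path under it and the "two or more dropped files" threshold are assumptions for illustration, since the entry does not state them.

```python
"""Offline check for the W32/RemLoad.A!tr host indicators described in the entry.

Added example (not the vendor's code). It parses a .reg export of the
HKLM/HKCU Run keys and a listing of the System folder, then reports which
of the indicators from the description are present.
"""
import re

# File names the description says the dropper writes to the System folder.
DROPPED_FILES = {"checkreg.exe", "iisload.dll", "wsl11328.dll", "s32l.txt", "ws386l.ini"}
# Executable the description says is registered for launch at each boot.
PERSISTENCE_EXE = "checkreg.exe"

RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
)

# Constructed .reg export: one benign entry per hive plus one value name
# ("checkreg", an assumption) pointing at the dropped executable.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\System32\\SecurityHealthSystray.exe"
"checkreg"="C:\\WINDOWS\\System32\\checkreg.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
'''

# Constructed System-folder listing mixing legitimate files with the dropped set.
SAMPLE_LISTING = ["kernel32.dll", "checkreg.exe", "iisload.dll", "wsl11328.dll",
                  "s32l.txt", "ws386l.ini", "notepad.exe"]


def parse_reg_export(text):
    """Parse a .reg export into {key_path: {value_name: data}}.

    Only REG_SZ ("quoted") values are unescaped; other types are kept raw.
    """
    result = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            result.setdefault(current, {})
            continue
        if current is None:
            continue
        m = re.match(r'^(?:"([^"]*)"|@)=(.*)$', line)
        if not m:
            continue
        name = m.group(1) if m.group(1) is not None else "(Default)"
        data = m.group(2)
        if data.startswith('"') and data.endswith('"'):
            # .reg escapes backslashes and quotes inside string data.
            data = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
        result[current][name] = data
    return result


def find_run_entries(reg, exe_name):
    """Return (key, value_name, data) for Run entries whose command references exe_name."""
    hits = []
    for key in RUN_KEYS:
        for name, data in reg.get(key, {}).items():
            if exe_name.lower() in data.lower():
                hits.append((key, name, data))
    return hits


def find_dropped_files(listing):
    """Return the dropped file names from the description that appear in a folder listing."""
    names = {n.lower() for n in listing}
    return sorted(DROPPED_FILES & names)


def assess(reg_text, listing):
    """Combine both indicators. Persistence alone, or two or more dropped
    files together, is treated as suspicious (threshold is an assumption)."""
    reg = parse_reg_export(reg_text)
    files = find_dropped_files(listing)
    runs = find_run_entries(reg, PERSISTENCE_EXE)
    return {"dropped_files": files, "run_entries": runs,
            "suspicious": bool(runs) or len(files) >= 2}


if __name__ == "__main__":
    print(assess(SAMPLE_REG, SAMPLE_LISTING))
```

On a live system the same functions would be fed the output of `reg export` for the two Run keys and a directory listing of the System folder; checking the DLL names against the modules loaded in explorer.exe would cover the injection behaviour the entry describes, which this file-and-registry check does not.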