Filed in archive: Malware
by Sue Walsh on February 29, 2008

Some sample Ozdok filenames are icf.exe, icf32.exe, cacglivn.exe, guyymgvl.exe and mm27nov.exe. The (phony) embedded file description is "Microsoft Internet Countermeasures Framework". The older variants usually install themselves to %windows%\system32\svchost.exe:exe.exe or a similarly named alternate data stream (ADS): the payload is stored in a named NTFS stream attached to the legitimate svchost.exe, so it does not appear in an ordinary Explorer or "dir" listing and its bytes are not counted in the size Explorer reports for the host file. Streams do show up to tools that ask for them, such as the Sysinternals Streams utility or "dir /R" on Vista. Startup at boot time is arranged by adding a system service labeled "ICF". Additionally, the Windows Firewall settings are modified to add svchost.exe as an authorized application, so the bot's traffic passes under the name of a trusted system process. mm27nov.exe does not appear to contain code to set up persistence across reboots, so it may simply be an update intended to be executed by an existing instance of Ozdok.
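A host-triage check for the three artifacts described above, added here as an example; it is not code from the original post or from the analysis it links to. The stream name exe.exe, the service name ICF and the svchost.exe firewall entry are taken from the text. The script layout, the output wording, the hashing of the stream and the extension to the rule-based firewall on Vista and later are this example's own choices. It assumes PowerShell 3.0 or later, run from an elevated prompt.

```powershell
# Added triage script for the Ozdok persistence artifacts described above.
# Not from the original post. Stream name 'exe.exe', service name 'ICF' and the
# svchost.exe firewall entry come from the text; everything else is assumed.
# Requires PowerShell 3.0+ (for -Stream, -notin, Get-CimInstance), run elevated.

$svchost = Join-Path $env:SystemRoot 'System32\svchost.exe'

# 1. Alternate data streams on svchost.exe.
#    ':$DATA' is the file's primary stream; any other name is a hidden named stream.
$ads = @(Get-Item -LiteralPath $svchost -Stream * -ErrorAction SilentlyContinue |
         Where-Object { $_.Stream -ne ':$DATA' })

foreach ($s in $ads) {
    # Open the stream with the 'path:stream' syntax and hash it, so the payload can be
    # matched against known samples or handed to an analyst without copying the host file.
    $fs = [System.IO.File]::OpenRead("$($svchost):$($s.Stream)")
    try {
        $sha256 = [System.Security.Cryptography.SHA256]::Create()
        $hex = ($sha256.ComputeHash($fs) | ForEach-Object { $_.ToString('x2') }) -join ''
    } finally {
        $fs.Dispose()
    }
    Write-Warning ("ADS on svchost.exe: {0}:{1}  {2} bytes  SHA256={3}" -f $svchost, $s.Stream, $s.Length, $hex)
}
if ($ads.Count -eq 0) { Write-Output "No alternate data streams on $svchost" }

# 2. Named streams on any other file in System32 ('a similarly named ADS').
#    Zone.Identifier is the common benign stream written by browsers, so it is skipped.
Get-ChildItem -LiteralPath (Join-Path $env:SystemRoot 'System32') -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -notin ':$DATA', 'Zone.Identifier' }
    } |
    ForEach-Object { Write-Warning ("ADS: {0}:{1} ({2} bytes)" -f $_.FileName, $_.Stream, $_.Length) }

# 3. The boot-time service labeled "ICF" (checked by both service name and display name).
$services = @(Get-CimInstance -ClassName Win32_Service -Filter "Name='ICF' OR DisplayName='ICF'" -ErrorAction SilentlyContinue)
foreach ($svc in $services) {
    Write-Warning ("Service '{0}' ({1}): State={2} StartMode={3} PathName={4}" -f
        $svc.Name, $svc.DisplayName, $svc.State, $svc.StartMode, $svc.PathName)
}
if ($services.Count -eq 0) { Write-Output "No service named 'ICF'" }

# 4. XP-era Windows Firewall "authorized applications" list.
#    Each value is named after the program path; its data is 'path:scope:Enabled|Disabled:name'.
foreach ($profile in 'StandardProfile', 'DomainProfile') {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\$profile\AuthorizedApplications\List"
    if (Test-Path -LiteralPath $key) {
        $regKey = Get-Item -LiteralPath $key
        $regKey.GetValueNames() |
            Where-Object { $_ -like '*\svchost.exe' } |
            ForEach-Object { Write-Warning ("Firewall authorized app ({0}): {1}" -f $profile, $regKey.GetValue($_)) }
    }
}

# 5. Vista and later use a rule-based firewall instead of the list above. Built-in rules
#    also reference svchost.exe, but they are tied to a specific service; an allow rule for
#    svchost.exe with no service restriction is the equivalent of the authorized-app entry.
if (Get-Command Get-NetFirewallRule -ErrorAction SilentlyContinue) {
    Get-NetFirewallRule -Enabled True -Action Allow -ErrorAction SilentlyContinue | ForEach-Object {
        $app = $_ | Get-NetFirewallApplicationFilter
        $svcFilter = $_ | Get-NetFirewallServiceFilter
        if ($app.Program -like '*\svchost.exe' -and $svcFilter.Service -eq 'Any') {
            Write-Warning ("Firewall rule '{0}' allows {1} for any service" -f $_.DisplayName, $app.Program)
        }
    }
}
```

Treat hits as leads to confirm rather than verdicts: svchost.exe appears legitimately in many built-in rules on newer Windows, which is why the last section only flags rules without a service restriction. Once a named stream has been confirmed as the payload, it can be deleted without touching the host file (Remove-Item -LiteralPath $svchost -Stream exe.exe), but hash and preserve a copy first.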
Check out more here; this is a must read!
Permalink: Mega-D Trojan Analysis
Tags: Anti spam, Server anti spam, Anti spam for exchange, Exchange spam, Attachment spam, Antiphishing, Spam bl