igotspam
Mega-D Trojan Analysis
Filed in archive Malware by Sue Walsh on February 29, 2008
Mega-D Trojan Analysis
Secure works has released an excellent analysis of the Ozdock/Mega-D trojan, whuch is responsible for creating and adding to the Mega-D botnet. Here is an excerpt:
Some sample Ozdok filenames are icf.exe, icf32.exe, cacglivn.exe, guyymgvl.exe and mm27nov.exe. The (phony) embedded file description is "Microsoft Internet Countermeasures Framework". The older variants usually install themselves to %windows%\system32\svchost.exe:exe.exe or a similarly named alternate data stream (ADS). These streams are hidden from normal listing in Explorer or a command shell. Startup at boottime is facilitated by the addition of a system service labeled "ICF". Additionally, the system firewall settings are modified to add svchost.exe as an authorized application. mm27nov.exe does not appear to contain code to set up persistence across reboots, so it may simply be an update intended to be executed by an existing instance of Ozdok.

Check out more here-this is a must read!



Permalink: Mega-D Trojan Analysis
Tags: Anti  spam  Server  anti  spam  Anti  spam  for  exchange  Exchange  spam  Attachment  spam  Antiphishing  Spam  bl 
Trackback: http://publish.creative-weblogging.com/publish/mt-tb.pl/115359
img Addthis img Ask img Blinklist img del.icio.us img Digg img Fark img Facebook img Google img Lycos img Ma.gnolia Add this page to Mister Wong Mr Wong img Netscape img Netvousz img Newsvine img Reddit img StumbleUpon img Slashdot img Tailrank img Technorati img Wink img Yahoo

Vote for Mega-D Trojan Analysis:

  • Currently 7.00/10
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
Rating: 7.00 out of 4 vote(s) cast.
 
Subscribe
Share It
Popular posts from our other blogs:
RSSrss
See all blog subscribe options
Google google
What is RSS?
Yahoo! yahoo
Addthis Subscribe using any feed reader!
Bloglines Bloglines
Newsletter

TwitterFollow us on Twitter!