igotspam

Mega-D Trojan Analysis

Filed in archive Malware on February 29, 2008

SecureWorks has released an excellent analysis of the Ozdok/Mega-D trojan, which is responsible for creating and adding to the Mega-D botnet. Here is an excerpt:
Some sample Ozdok filenames are icf.exe, icf32.exe, cacglivn.exe, guyymgvl.exe and mm27nov.exe. The (phony) embedded file description is "Microsoft Internet Countermeasures Framework". The older variants usually install themselves to %windows%\system32\svchost.exe:exe.exe or a similarly named alternate data stream (ADS). These streams are hidden from normal listing in Explorer or a command shell. Startup at boottime is facilitated by the addition of a system service labeled "ICF". Additionally, the system firewall settings are modified to add svchost.exe as an authorized application. mm27nov.exe does not appear to contain code to set up persistence across reboots, so it may simply be an update intended to be executed by an existing instance of Ozdok.

Check out more here; this is a must read!
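As an added example (not part of this post or the SecureWorks write-up), here is a PowerShell check a responder could run on a Windows host for the three persistence traits the excerpt describes: an alternate data stream on svchost.exe, a service labelled "ICF" or launched from a stream path, and a firewall authorized-application entry for svchost.exe. It assumes PowerShell 3 or later (for the -Stream parameter) and that the firewall exception lives in the XP/2003-era AuthorizedApplications registry list; run it elevated.

```powershell
# Added hunting script, not from the SecureWorks write-up or this post.
# Indicator values (ADS on svchost.exe, service "ICF", firewall exception
# for svchost.exe) are taken from the excerpt above.
$svchost  = Join-Path $env:windir 'System32\svchost.exe'
$findings = @()

# 1. Alternate data streams attached to svchost.exe. ':$DATA' is the file's own
#    content; any other stream (the write-up cites 'exe.exe') deserves a look.
Get-Item -Path $svchost -Stream * -ErrorAction SilentlyContinue |
    Where-Object { $_.Stream -ne ':$DATA' } |
    ForEach-Object { $findings += "ADS on svchost.exe: $($_.Stream) ($($_.Length) bytes)" }

# 2. A service named or labelled "ICF", and any service whose binary path
#    points into a stream (an '.exe:' followed by a stream name).
Get-CimInstance Win32_Service | ForEach-Object {
    if ($_.Name -eq 'ICF' -or $_.DisplayName -eq 'ICF') {
        $findings += "Service ICF present: $($_.PathName)"
    }
    if ($_.PathName -match '\.exe:[\w.]+') {
        $findings += "Service $($_.Name) runs from a stream path: $($_.PathName)"
    }
}

# 3. Legacy Windows Firewall authorized-applications list (assumed store for the
#    "authorized application" change). Value names are the program path; data
#    looks like "path:*:Enabled:name". The real svchost.exe has no business here.
foreach ($fwProfile in 'DomainProfile', 'StandardProfile') {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\$fwProfile\AuthorizedApplications\List"
    if (Test-Path $key) {
        (Get-ItemProperty -Path $key).PSObject.Properties |
            Where-Object { $_.Name -match 'svchost\.exe' } |
            ForEach-Object { $findings += "Firewall ($fwProfile) authorizes $($_.Name): $($_.Value)" }
    }
}

if ($findings.Count -eq 0) { 'No Ozdok-style persistence indicators found.' }
else { $findings }
```

A hit on any of the three checks is a lead, not proof; confirm by inspecting the stream contents and the service binary before remediating.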
