Mega-D Trojan Analysis
Filed in archive Malware on February 29, 2008
SecureWorks has released an excellent analysis of the Ozdok/Mega-D trojan, which is responsible for creating and adding to the Mega-D botnet. Here is an excerpt:
Some sample Ozdok filenames are icf.exe, icf32.exe, cacglivn.exe, guyymgvl.exe and mm27nov.exe. The (phony) embedded file description is "Microsoft Internet Countermeasures Framework". The older variants usually install themselves to %windows%\system32\svchost.exe:exe.exe or a similarly named alternate data stream (ADS). These streams are hidden from normal listing in Explorer or a command shell. Startup at boot time is facilitated by the addition of a system service labeled "ICF". Additionally, the system firewall settings are modified to add svchost.exe as an authorized application. mm27nov.exe does not appear to contain code to set up persistence across reboots, so it may simply be an update intended to be executed by an existing instance of Ozdok.
Check out more here. This is a must read!
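The three persistence artifacts in the excerpt (the hidden alternate data stream on svchost.exe, the "ICF" service, and the firewall exception for svchost.exe) can be checked on a host with a short triage script. The script below is an added example, not code from SecureWorks or from this post; it assumes PowerShell 3.0 or later (for the -Stream parameter) and that the firewall list lives under the legacy XP-era FirewallPolicy registry key named in the comments.

```powershell
# Added triage script (not part of the SecureWorks analysis or the original post).
# Checks a Windows host for the three Ozdok persistence artifacts described above:
#  1. an alternate data stream attached to %windows%\system32\svchost.exe
#  2. a system service named "ICF"
#  3. svchost.exe listed as an authorized application in the Windows Firewall policy
# Run from an elevated prompt so every location can be read.

$findings = @()

# 1. Alternate data streams on svchost.exe. Every NTFS file has the unnamed ':$DATA'
#    stream; any other stream (e.g. "exe.exe") is the kind of hidden stream the analysis describes.
$svchost = Join-Path $env:windir 'system32\svchost.exe'
$streams = Get-Item -Path $svchost -Stream * -ErrorAction SilentlyContinue |
           Where-Object { $_.Stream -ne ':$DATA' }
foreach ($s in $streams) {
    $findings += "ADS on svchost.exe: $($s.Stream) ($($s.Length) bytes)"
}

# 2. A service named "ICF" (the label Ozdok uses for its boot-time startup entry).
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='ICF'" -ErrorAction SilentlyContinue
if ($svc) {
    $findings += "Service ICF present: state=$($svc.State) path=$($svc.PathName)"
}

# 3. svchost.exe added to the firewall's authorized-application list. The legacy
#    (XP-era) firewall stores this list under the keys below; newer Windows versions
#    use a different rule store, so an empty result here is not conclusive on its own.
$fwBase = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
foreach ($profile in 'StandardProfile', 'DomainProfile') {
    $key = "$fwBase\$profile\AuthorizedApplications\List"
    if (Test-Path $key) {
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Value names in this list are the full path of the authorized executable.
            if ($p.Name -like '*svchost.exe*') {
                $findings += "Firewall exception ($profile): $($p.Name) = $($p.Value)"
            }
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Ozdok persistence artifacts found.'
} else {
    $findings | ForEach-Object { Write-Output "[!] $_" }
}
```

A legitimate svchost.exe firewall exception is possible on some hosts, so treat a hit on check 3 as a lead to corroborate with checks 1 and 2 rather than as proof of infection.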

Response from:
kssouza
(08/28/10 4:48pm)
Better protect your game hacked by camillabk.
