[<prev] [next>] [day] [month] [year] [list]
Message-ID: <011201c39038$271aec30$050010ac@Estila>
From: lorenzohgh at nsrg-security.com (Lorenzo Hernandez Garcia-Hierro)
Subject: Project structure of ADWARE/VIRUS/TROJAN ( AIM EXPLOIT) related to Realphx.com
I was making a little research in the objects and this is the clean code of
the project ( not complete , off course but resources )
*Project1-VB.Project
--> Type=Exe
Form=av.frm
Module=Module1; Module1.bas
Startup="av"
Description=""
HelpFile=""
Name="Project1"
Title="av2"
ExeName32="av.exe"
*AV-VB.Form
--> VERSION 5.00
Begin VB.Form av
Caption = "av"
LinkTopic = "av"
Visible = 0 'False
ClientLeft = 60
ClientTop = 345
ClientWidth = 1560
ClientHeight = 495
StartupPosition = 3
Begin VB.Timer Timer1
Interval = 60000
Left = 0
Top = 0
End
End
*Timer1-VB.Timer
--> VERSION 5.00
Begin VB.Form av
Caption = "av"
LinkTopic = "av"
Visible = 0 'False
ClientLeft = 60
ClientTop = 345
ClientWidth = 1560
ClientHeight = 495
StartupPosition = 3
Begin VB.Timer Timer1
Interval = 60000
Left = 0
Top = 0
End
End
New Information:
Possible compilation with debug info.
Why ? I found these files linked to the av.exe :
- VBA6.DLL -> LINK PRESENT BUT NOT USED/NEEDED
- VB6.OLB -> LINK PRESENT BUT NOT USED/NEEDED
----
The Registry keys used:
_
SOFTWARE\Microsoft\Windows\CurrentVersion\Run :
Antivir -> c:\av.exe
SOFTWARE\America Online\AOL Instant Messenger (TM)\CurrentVersion\Misc
BaseDataPath
Z Software\America Online\AOL Instant Messenger(TM)\CurrentVersion\Login:
Screen Name -> info.htm
/\INFO.HTM/\
< f o n t s i z e = 5 > < b > < A H R E F = " H T T P : / / W W W . R E
A L P H X . C O M " > W W W . R E A L P H X . C O M < / a > < / f o n t >
/\<<<EOF/\
That's all at the moment ;-) more info will be available in
www.nsrg-security.com .
Best Regards,
---
0x00->Lorenzo Hernandez Garcia-Hierro
0x01->/* not csh but sh */
0x02->$ PATH=pretending!/usr/ucb/which sense
0x03-> no sense in pretending!
__________________________________
PGP: Keyfingerprint
B6D7 5FCC 78B4 97C1 4010 56BC 0E5F 2AB2
ID: 0x9C38E1D7
**********************************
No Secure Root Group Security Research Team
http://www.nsrg-security.com
______________________
Powered by blists - more mailing lists