Download TrojanHunter Now
Free 30-day trial!
Latest TrojanHunter Version:
TrojanHunter 5.0
Order Now
License file delivered within minutes.
Welcome, Guest. Please Login or Register.
Jan 8th, 2009, 12:57pm
   Mischel Internet Security Forum
   Malware
   Trojans (Moderators: Helena, Gavin_Coe, Magnus)
   Sober.C, Firedaemon.A and Memwatcher.B.		 « Previous topic | Next topic »
Pages: 1  Reply Reply  Notify of replies Notify of replies   Send Topic Send Topic   Print Print
   Author  Topic: Sober.C, Firedaemon.A and Memwatcher.B.  (Read 463 times)
Ian
Stole All the Forum Stars
********



Good things come to those who wait ...

   


Posts: 2913
Sober.C, Firedaemon.A and Memwatcher.B.
« on: Jan 5th, 2004, 7:58pm »		 Quote Quote  Modify Modify
You C? No sooner had I made tha awful 'B' joke than I post something about the C variant...

Sober.C sends itself -via e-mail- to all the addresses that it finds in files with the following extension: WAB, CFG, NSF, LDIF, NAP, ADP, ADE, VAP, MHT, HTT, RTF, DOC, XLS, INI, MDB, TXT, HTM, HTML, PST, FDB, LDB, EML, ABC, NAB, MDW, MDA, MDE, SLN, DSW, DSP, PHP, ASP, SHTML, SHTM, DBX, HLP or NFO. If the domain extension of the address is "de", "ch", "at", "li", "nl" or "be", the worm sends the message in German and if not, it sends it in English. To send itself out it uses its own SMTP engine validating itself in mail servers as MailerVB.de.
 
Sober.C creates two copies of itself that go memory resident and check if both are currently running. If one of the processes is ended or one of the files is deleted, the other creates it again. Also, in the Windows system directory of the infected computer, it creates the following files: REGEAPI.EXE, CRYPTFQ.EXE and SYSHOSTX.EXE.  
 
To ensure that it runs every time the system is started, Sober.C creates several entries in the Windows registry. Once this worm has activated it is easy to recognize, as it displays a false error message.
 
Firedaemon.A is a hacking tool which allows Win32 applications to be run as services in Windows 2003/XP/2000/NT computers. It allows a complete setup of the service: name, default directory, priority, autostart, different run modes, etc. Firedaemon.A itself does not represent a threat, but it could be used by other malware to register itself as a Windows service.
 
Memwatcher.B on the other hand is an adware program, which opens ad banners in Internet Explorer. It also  generates traffic at the following addresses: rads01.quadrogram.com and www.sandboxer.com.  
 
In the Windows system directory, Memwatcher.B creates several files, with random names of between 4 and 8 characters. Some of the files are 433KB, and will run when Windows is started up, while others are 221KB and go memory resident.
« Last Edit: Jan 5th, 2004, 7:58pm by Ian » IP Logged
... but crap arrives pretty much straight away.
Pages: 1  Reply Reply  Notify of replies Notify of replies   Send Topic Send Topic   Print Print

« Previous topic | Next topic »
Search
Members
Login
Register