Discussion in 'malware problems & news' started by FanJ, Mar 4, 2003.

Thread Status:
Not open for further replies.
  1. FanJ

    FanJ Guest

    Aliases: VirTool Win32.Slackworm, Win32/Slacke.worm

    Troj/Slacker-A is a complex Trojan that may be installed by Troj/Yabinder or any other generic Trojan dropper.

    Troj/Slacker-A may be delivered separately or packed within cnn3.exe which is a variant of Troj/Yabinder.

    When executed, cnn3.exe creates a new folder in the root folder with the name SP and extracts the following files to the new folder, setting their attributes to hidden:


    Cnn3.exe then spawns slacke-worm.exe. Slacke-worm.exe runs in the background as a "netbios auto-router by eRiC" VB application and searches for available IP addresses with no password or a weak password (on port 445).

    Slacke-worm.exe then calls abc.bat, with the relevant computer name, which tries a list of passwords for the administrative accounts and then uses psexec.exe to copy over and run main.exe on the remote computer.

    Main.exe is detected as Troj/SDBot-S. Psexec.exe is a legitimate "Sysinternals PsExec" application.
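
An added example, not part of the original post or the vendor description: a defender-side correlation for the spreading pattern described above, where repeated failed administrative logons from one source are followed by a remote execution on the same host. The log layout, event kinds, host names and addresses are constructed for this example.

```python
from collections import defaultdict

# Constructed sample events (not real telemetry).
# Assumed layout: "epoch_seconds kind source target detail"
SAMPLE_LOG = """\
1000 logon_fail 10.0.0.5 HOSTA administrator
1002 logon_fail 10.0.0.5 HOSTA administrator
1004 logon_fail 10.0.0.5 HOSTA admin
1006 logon_ok 10.0.0.5 HOSTA administrator
1010 remote_exec 10.0.0.5 HOSTA main.exe
2000 logon_fail 10.0.0.9 HOSTB administrator
2500 logon_ok 10.0.0.7 HOSTC administrator
2505 remote_exec 10.0.0.7 HOSTC backup.exe
"""

def parse(log):
    """Yield (ts, kind, source, target, detail) tuples from the assumed layout."""
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, kind, src, dst, detail = line.split(None, 4)
        yield int(ts), kind, src, dst, detail

def find_spread_attempts(log, min_failures=3, window=300):
    """Return (source, target, payload) for every remote execution preceded by
    at least min_failures failed logons from the same source to the same
    target within the last `window` seconds."""
    failures = defaultdict(list)   # (source, target) -> failure timestamps
    hits = []
    for ts, kind, src, dst, detail in sorted(parse(log)):
        key = (src, dst)
        if kind == "logon_fail":
            failures[key].append(ts)
        elif kind == "remote_exec":
            recent = [t for t in failures[key] if ts - window <= t <= ts]
            if len(recent) >= min_failures:
                hits.append((src, dst, detail))
    return hits

if __name__ == "__main__":
    for src, dst, payload in find_spread_attempts(SAMPLE_LOG):
        print(f"possible password-guess + remote exec: {src} -> {dst} ({payload})")
```

A single administrator running a remote tool after one successful logon (HOSTC in the sample) is not flagged; only the guess-then-execute sequence is.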